Export OSCAL POA&M

  • Release version: Australia
  • Updated December 1, 2025
  • 1 minute to read

    • Generate zip files Plan of Action and Milestones (POA&M) data in Open Security Controls Assessment Language (OSCAL) JSON format from the Authorization package overview record page. The authorization package must be in Implement state or later, and a POA&M file must link to the selected authorization package.

    Before you begin

    Role required: sn_irm_cont_auth.admin, sn_irm_cont_auth.system_owner, sn_irm_cont_auth.authorization_official, sn_irm_cont_auth.info_system_sec_manager, or sn_irm_cont_auth.info_system_sec_officer

    Procedure

    1. Navigate to Workspaces > CAM Workspace and then select the Lists icon. icon.
    2. Select Authorization packages from the RMF list.
    3. From the list view, select the authorization package record for which you want to generate a POA&M file.
      Note:
      The authorization package must be in the Implement, Assess, Authorize, or Monitor state to generate OSCAL POA&M.
    4. To export OSCAL POA&M, select Generate OSCAL.
      Note:
      To generate the OSCAL POA&M, the POA&M file must be linked to the selected Authorization package.

      A banner appears with the message: "The files are being generated. Please refresh the page after some time, then click 'Download OSCAL Files' to download the OSCAL files."

      The system starts generating OSCAL files asynchronously. This process takes a few minutes depending on package complexity. The Download OSCAL Files button appears when the process is complete.

    5. After the process is complete, select Download OSCAL Files.
      Note:
      Verify that the pop-up blocker is turned off for the URL so that the ZIP file is automatically downloaded to your local machine.

      A ZIP file is downloaded containing the following OSCAL files:

      • Catalog JSON file
      • Profile JSON file
      • SSP JSON file
      • Assessment Plan (AP) JSON file (one per engagement)
      • Assessment Results (AR) JSON file (one per engagement)
      • Overlay Catalog JSON file (if overlays are configured. Also includes overlays from associated control tailoring requests)
      • POA&M JSON file (included if POA&M items exist)

      You can validate these files using the OSCAL CLI validator and import them into other systems or share them with external auditors for assessment planning.

      To customize the OSCAL behavior for export, see the OSCAL Model customization support [KB1650397] article in the Now Support Knowledge Base.

      For more information on OSCAL import error, see the OSCAL Import [KB1794095] article in the Now Support Knowledge Base.