Issue
Quick Summary
The primary ticket type for tracking security findings: vulnerabilities, assessment results, scan failures, and ad hoc discoveries. Carries FedRAMP-aligned remediation SLAs and mirrors the Plan of Action and Milestones (POA&M) template for audit-ready record keeping.
The Issue ticket type is the primary vehicle for tracking security findings across the environment. While the scope is broad (issues can originate from penetration tests, configuration compliance scans, assessment findings, or ad hoc discovery), vulnerabilities are the most common source in practice.
Remediation SLAs
Each issue ticket carries a remediation SLA tied directly to FedRAMP's prescribed timelines:
| Severity | Remediation Timeline |
|---|---|
| Critical | 30 days |
| High | 30 days |
| Moderate | 90 days |
| Low | 180 days |
Issue Details & POA&M Alignment
The fields under the Issue Details tab are purpose-built to mirror the FedRAMP POA&M template, so the ticket record itself becomes the source of truth for continuous monitoring and audit evidence, eliminating double-entry between the ITSM and a separate spreadsheet.
Where possible, issue tickets should be linked to an asset record within the GRC-ITSM platform, though this may not always be applicable depending on the nature of the finding.
Closure
An issue ticket is closed when the finding has been resolved. For vulnerabilities, this means remediation has been confirmed through a rescan or another validated verification method.