What Are POA&Ms Used For?

Guest Author asked 9 months ago

1 Answer
Rivky Kappel Staff answered 9 months ago

What is a POA&M?

Some security frameworks, like FedRAMP, NIST 800-53, and FISMA, require companies to collate a Plan of Action and Milestones (POA&M). The POA&M is a structured document that details a plan to correct an information system security weakness. The document details the tasks that need to get done, identifies the resources required to accomplish the plan, and sets milestones and completion dates for the included tasks.

What is the Purpose of a POA&M?

The purpose of a POA&M in cyber security is to monitor progress in correcting weaknesses or deficiencies associated with information systems. It sets out an orderly and organized pathway conducive to achieving the tasks at hand. The POA&M is used to identify:

  • the tasks to be accomplished;
  • the resources required to accomplish the tasks;
  • any milestones in meeting the tasks;
  • scheduled completion dates for the milestones.

POA&Ms provide a broad view of what needs to be done to correct security weaknesses. The deficiencies and vulnerabilities are summarized in the POA&M for ease of understanding, but the source, such as test results from an internal or external control audit or risk assessment that uncovered the weakness, should be noted and accessible for further reference. The resolution of each weakness should proceed according to a POA&M.

POA&Ms for DOD Contracts

CMMC (Cybersecurity Maturity Model Certification) is a system of compliance that helps the Department of Defense determine whether an organization has the security in place that is necessary to work with vulnerable data. Even if an enterprise hasn’t met all of the necessary controls to achieve CMMC, POA&Ms can be organized to describe a company’s plans to meet them in the future. This means they can bid for government contracts while they’re still pursuing compliance with CMMC, thanks to their POA&M.

The POA&M process:

  • Analyzing and pinpointing the root cause of a security gap, vulnerability, or IT weakness
  • Estimating the cost to complete the remediation
  • Designating responsible parties to be involved in corrective actions
  • Determining the risk score and severity of the weakness to prioritize POA&M efforts according to risk factors
  • Developing a schedule for remediation by specifying an actionable plan that is clearly explained and understood by the designated workforce
  • Implementing internal controls to monitor and update the POA&M to periodically show progress
  • Monitoring security weaknesses to prevent delays in the plan of action
