What Are POA&Ms Used For?

What is a POA&M?

Some security frameworks, like FedRAMP, NIST 800-53, and FISMA require companies to collate a Plan of Actions and Milestones (POA&M). The POA&M is a structured document that details a plan to correct an information system security weakness. The document details the tasks that need to get done, identifies resources required to accomplish the plan and sets milestones and completion dates for included tasks.

What is the Purpose of a POA&M?

The purpose of a POA&M in cyber security is to monitor progress in correcting weaknesses or deficiencies associated with information systems. It sets out an orderly and organized pathway conducive to achieving the tasks at hand. The POA&M is used to identify:

• the tasks to be accomplished;
• the resources required to accomplish the tasks
• any milestones in meeting the tasks
• scheduled completion dates for the milestones

POA&Ms provide a broad view of what needs to be done to correct security weaknesses. The deficiencies and vulnerabilities are summarized in the POA&M for ease of understanding, but the source, such as test results from an internal or external control audit or risk assessment that uncovered the weakness, should be noted and accessible for further reference. The resolution of each weakness should proceed according to a POA&M.

POA&Ms for DOD Contracts

CMMC (Cybersecurity Maturity Model Certification) is a system of compliance that helps the Department of Defense determine whether an organization has the security in place that is necessary to work with vulnerable data. Even if an enterprise hasn’t met all of the necessary controls to achieve CMMC, POA&Ms can be organized to describe a company’s plans to meet them in the future. This means they can bid for government contracts while they’re still pursuing compliance with CMMC, thanks to their POA&M.

The POA&M process:

• Analyzing and pinpointing the root cause of a security gap, vulnerability, or IT weakness
• Estimating the cost to complete the remediation
• Designating responsible parties to be involved in corrective actions
• Determining the risk score and severity of the weakness to prioritize POA&M efforts according to risk factors
• Developing a schedule for remediation by specifying an actionable plan that is clearly explained and understood by the designated workforce
• Implementing internal controls to monitor and update the POA&M to periodically show progress
• Monitoring security weaknesses to prevent delays in the plan of action.