File Name: CDSE_POAM_Final_Job_Aid.pdf
Job Aid: Plan of Action and Milestones (POA&M)

Using this job aid

This job aid is a tool to help information system security professionals understand how to create and use the Plan of Action and Milestones (POA&M).
Overview of POA&M

This section provides a general overview of the POA&M:
- Purpose of the POA&M
- When a POA&M is required
- Who prepares/uses a POA&M and how
- How to create/update a POA&M

Purpose of the POA&M

The purpose of the POA&M is to assist organizations in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses/deficiencies/vulnerabilities found in programs and systems. The POA&M:
- Facilitates a disciplined and structured approach to mitigating risks in accordance with the priorities of the Information System Owner (ISO)
- Includes the findings and recommendations of the security assessment report and the continual security assessments
- Is maintained throughout the system life cycle

When a POA&M is required

The POA&M is created as part of Step 5 (Authorize System) in the 6-step Risk Management Framework (RMF) process and when common controls have been determined, through independent assessments, to be less than effective. The POA&M is maintained as part of the Security Authorization Package (formerly known as the Certification and Accreditation, or C&A, package).
Center for Development of Security Excellence

Who prepares/uses the POA&M and how

The ISO or the project manager/system manager (PM/SM) lists the following in the POA&M:
- Non-compliant (NC) security controls
- Security controls that are not applicable (N/A)
- Remediation or mitigation tasks for non-compliant security controls
- Required resources
- Milestones and completion dates
- Inherited vulnerabilities

The ISO or PM/SM initiates the corrective actions identified in the POA&M. With the support and assistance of the information system security manager (ISSM), the ISO or PM/SM provides visibility and status of the POA&M to the:
- Authorizing official (AO)
- Senior information security officer (SISO)

The DoD Component SISOs monitor and track the overall execution of system-level POA&Ms across the entire Component until identified security vulnerabilities have been remediated and the RMF documentation (Security Authorization Package) is appropriately adjusted.

How to create/update a POA&M

Select the paperclip to open the POA&M template. Follow the instructions in the next section to complete the POA&M.
[Sample POA&M: for training purposes only]

Information Required to be in the POA&M

This section describes the information required in each column on the POA&M. Refer to the sample POA&M above as you review each of these items.
Column Header: Item Identifier
Description: A unique weakness identifier used to track and correlate weaknesses that are ongoing throughout quarterly submissions within the organization.
What You Should Do: Use the numbering schema that has been determined by your organization.

Column Header: Weakness or Deficiency
Description: Represents any program or system-level information security vulnerability that poses an unacceptable risk of compromising confidentiality, integrity, or availability of information.
What You Should Do: Describe the weakness or deficiency identified by certification/validation testing, annual program review, IG independent evaluation, or any other work done by or on behalf of the organization. Sensitive descriptions are not necessary, but provide sufficient detail to permit oversight and tracking.

Column Header: Security Control
Description: The security controls are listed in NIST SP 800-53 and directly relate to the weakness identified in the 'Weakness or Deficiency' column.
What You Should Do: Enter the security control that correlates to the weakness or deficiency. For a security weakness found by means other than a security controls assessment (e.g., vulnerability test), map the deficient function into the applicable security control.

Column Header: Point of Contact (POC)
Description: The organization or title of the position within the organization that is responsible for mitigating the weakness.
What You Should Do: Enter the name, title and organization of the assigned responsible individual(s).

Column Header: Resources Required
Description: Estimated funding and/or manpower resources required for mitigating a weakness.
What You Should Do: Note the source and type of funding (current, new, or reallocated) and any funding obstacles. Include the total funding requirements in the Security Costs column.

Column Header: Scheduled Completion Date
Description: Completion date based on a realistic estimate of the amount of time it will take to procure/allocate the resources required for the corrective action and implement/test the corrective action.
What You Should Do: Always enter either the estimated completion date or 'N/A' if the risk is accepted.
  - Never change this date.
  - If a security weakness is resolved before or after the originally scheduled completion date, put the actual completion date in the Status field.

Column Header: Milestones with Completion Date
Description: Specific high-level steps to be executed in mitigating the weakness and the estimated completion date for each step.
What You Should Do: List the specific high-level steps to be executed in mitigating the weakness and the estimated completion date for each step.
  - Enter changes to milestones and completion dates in the Changes to Milestones column.

Column Header: Changes to Milestones
Description: New estimated completion date for a milestone and the reason for the change.
What You Should Do: Indicate the new estimated date for a milestone's completion, if the original date is not met. Include the reason for the change.

Column Header: Weakness or Deficiency Identified By
Description: The source of the weakness, the reviewing agency/organization, and the date that the weakness was identified.
What You Should Do: Enter the source of the weakness, for example:
  - Security controls assessment
  - Penetration test
  - IG audit
  - Certification testing
Enter the reviewing agency/organization and the date that the weakness was identified.

Column Header: Status
Description: The stage or state of the weakness in the corrective process cycle.
What You Should Do: Enter one of these stages or states of the weakness in the corrective process cycle:
  - Completed: when a weakness has been fully resolved and the corrective action has been tested; include the date of completion.
  - Ongoing: when a deficiency/weakness is in the process of being mitigated and it has not yet exceeded the original scheduled completion date.
  - Delayed: when a deficiency/weakness continues to be mitigated after the original scheduled completion date has passed.
  - Planned: when corrective actions are planned to mitigate the deficiency/weakness, but the actions have not yet been applied/implemented.
  - Accepted: when the AO decides to accept the risk.
    - Include the date the AO decided to accept the risk of an identified weakness (after the AO received a recommendation from the PM office along with a "Mitigation Strategy Report" addressing all implemented/inherited countermeasures and mitigating factors).
    - Periodically review solutions to address the risk, to eventually close out the finding when possible.

Column Header: Comments
Description: Any amplifying or explanatory remarks that will assist in understanding other entries relative to the identified weakness(es).
What You Should Do: Include any amplifying or explanatory remarks that will assist in understanding other entries relative to the identified weakness(es), such as:
  - Mitigating factors that will lessen the risks to the system and the network
  - Recommendations to downgrade a finding based on implemented/inherited mitigations
  - Explanation for a delay or change in a Milestone or Scheduled Completion Date
  - Identification of other obstacles or challenges (non-funding-related) to resolving the weakness (e.g., lack of personnel or expertise, or developing a new system to replace an insecure legacy system)

Column Header: Risk Level
Description: A ranking that determines the impact of a vulnerability, if exploited, to the system, data, and/or program.
What You Should Do: Enter the risk level of the weakness or deficiency:
  - High
  - Medium
  - Low

Column Header: Estimated Cost
Description: The total estimated cost of correcting the weakness or deficiency.
What You Should Do: Enter the total estimated cost by adding up the individual estimated costs of correcting each weakness or deficiency.
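As an added example (not part of the job aid or any CDSE tool), the following Python checker applies the column rules above to constructed POA&M rows: Scheduled Completion Date may be 'N/A' only when the risk is Accepted, Completed and Accepted need a date in Status, Ongoing versus Delayed is decided by whether the scheduled date has passed, and Estimated Cost must be the sum of the individual estimates. The field names, the NIST SP 800-53 identifier pattern check and all sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

STATUSES = {"Completed", "Ongoing", "Delayed", "Planned", "Accepted"}
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")  # SP 800-53 ids such as AC-2 or SI-2(2)

@dataclass
class PoamItem:
    item_id: str
    weakness: str
    security_control: str
    scheduled_completion: Optional[date]   # None stands for 'N/A' (risk accepted)
    status: str
    risk_level: str
    milestone_costs: List[float]           # individual estimated cost of each corrective step
    estimated_cost: float
    status_date: Optional[date] = None     # actual completion date, or date the AO accepted the risk

def validate(item: PoamItem, today: date) -> List[str]:
    """Check one row against the job aid's column rules; an empty list means it is consistent."""
    problems = []
    if item.status not in STATUSES:
        problems.append(f"unknown status {item.status!r}")
    if not CONTROL_ID.match(item.security_control):
        problems.append("Security Control must be an SP 800-53 identifier such as SI-2")
    if item.scheduled_completion is None and item.status != "Accepted":
        problems.append("Scheduled Completion Date may be 'N/A' only when the AO accepted the risk")
    if item.status in ("Completed", "Accepted") and item.status_date is None:
        problems.append(f"{item.status} requires the completion/acceptance date in Status")
    if item.status == "Ongoing" and item.scheduled_completion and today > item.scheduled_completion:
        problems.append("scheduled date has passed: status should be Delayed, not Ongoing")
    if item.status == "Delayed" and item.scheduled_completion and today <= item.scheduled_completion:
        problems.append("scheduled date not reached: status should be Ongoing, not Delayed")
    if abs(sum(item.milestone_costs) - item.estimated_cost) > 0.005:
        problems.append("Estimated Cost must equal the sum of the individual estimated costs")
    return problems

# Constructed sample rows (not taken from the job aid's own sample POA&M).
GOOD = PoamItem("POAM-001", "Unpatched web server", "SI-2", date(2024, 6, 30),
                "Ongoing", "High", [5000.0, 2500.0], 7500.0)
BAD = PoamItem("POAM-002", "Audit logs not reviewed", "AU-6", None,
               "Planned", "Medium", [1000.0, 1000.0], 1500.0)
LATE = PoamItem("POAM-003", "Default credentials on switch", "IA-5", date(2024, 1, 15),
                "Ongoing", "High", [200.0], 200.0)

def check_samples(today: date = date(2024, 3, 1)) -> dict:
    # Fixed reference date keeps the Ongoing/Delayed decision reproducible.
    return {row.item_id: validate(row, today) for row in (GOOD, BAD, LATE)}
```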
POA&M Template
POA&M Introduction

The Plan of Action and Milestones (POA&M) report lists the significant security issues associated with the system and details the proposed plan and schedule for correcting and/or mitigating them. The POA&M information is presented as a table in section 1.2.
Milestones with completion dates outline the specific high-level steps to be executed in mitigating the weakness and the estimated completion date for each step. Initial milestones and completion dates should not be changed. Changes to milestones should be placed in the Changes to Milestones field.