If you’ve been researching how to meet certain compliance standards, you may have come across the acronym “POA&M” a few times by now. Or, this may be your first time seeing the term.
Either way, if you’re hoping to meet FedRAMP, CMMC, or other compliance standards, it’s important to know what a POA&M is and how you can create one.
What does a POA&M look like? What does the term even stand for? How can you make a POA&M that will help your business? Here’s a quick explanation of this cybersecurity concept:
What Is a POA&M?
POA&M is an acronym for "plan of action and milestones." It’s a document for tracking specific vulnerabilities in an organization's IT infrastructure and any progress towards addressing them—including specific risk mitigation strategies that are planned for use.
A plan of action and milestones can be useful as part of a gap analysis—helping you establish a plan for closing critical compliance and security gaps in your organization. In fact, the gaps identified in a gap analysis are often what the POA&M is meant to address.
Need Help with NIST 800-171 or CMMC Compliance? Check out our CMMC Compliance page!
Key Parts of a POA&M
So, what goes into a POA&M? FedRAMP provides an outline of what a POA&M document should include. While their document was originally optimized to address cloud service providers (CSPs), the following items adapted from their list could be applied to nearly any organization’s action plan for addressing security vulnerabilities:
- Security categorization for information systems;
- Specific deficiencies in deployed security controls;
- Importance of identified security controls deficiencies;
- Scope of the weakness in components on the network; and
- Proposed risk mitigation strategies to address identified weaknesses.
In short, a plan of action and milestones should have both a list of issues to resolve (sorted by priority) and a roadmap for resolving them.
POA&M Template Example
What does a POA&M look like? As long as the document contains all of the items it needs to have in an organized manner, you could make it in almost any way you want (in theory). However, it can help to follow a set POA&M template when making your own action plan.
Here’s a Sample POA&M Template to consider when setting up your own action plan for addressing security weaknesses:
Part I: Statement of Scope
The scope of this POA&M document includes security control implementations that are either missing from or do not meet the requirements for [enter compliance standard here]. Once all items have been remediated, the POA&M will be submitted to [name of the organization in charge of certification here].
Name of the Submitting Organization:
Date of POA&M:
Part II: Unresolved/Open Action Plan Items
Columns to include in a POA&M worksheet include:
- POA&M Identifier. A unique name for each item in the POA&M worksheet so they can be readily identified.
- Name of the Control/Controls Affected. Which security control in the desired compliance standard most directly fits the weakness or deficiency discovered?
- Name of the Weakness/Deficiency. Specify a name for the issue that gives a general idea of the problem.
- Weakness/Deficiency Description. A more detailed explanation of the vulnerability discovered. Data should be detailed enough to make oversight and tracking of the issue possible.
- How the Weakness Was Identified. Who or what identified the weakness? If no identifying entity exists, make a note of that (i.e. write N/A for not applicable).
- Asset Identifier/Information. Which asset was the weakness discovered in? Provide a unique identifier for the affected asset so any corrective measures can be tracked to the asset.
- Date of Identification. When the issue was identified.
- Resources Required to Address the Issue. A list of resources (labor, tools, etc.) needed to fix the issue identified.
- Planned Milestones. A list of actions to take that address the issue from the POA&M identifier.
- Planned Resolution Date. When the issue is expected to be fixed.
- Milestone Changes. A list of changes made to the milestones from the “Planned Milestones” column.
- Vendor Dependencies. A listing of any third-party vendors and the actions they need to take, if any, to resolve the issue.
- Risk Rating. How the risk was ranked at the time of identification (e.g. low, medium, or high).
- Adjusted Risk Rating. How the risk is ranked after a more in-depth analysis or after starting to address it—if an adjustment is deemed necessary.
- Operational Requirement Assessment. Is the risk something that cannot be avoided and must be left alone to enable operations? If so, this column is to be used to establish how key workflows could be impacted by trying to “fix” the issue and/or explaining how minimal the risk is for the organization.
- Deviation Request. A request to deviate from a specific security standard that is to be submitted to the assessment organization. Often used in regard to operational requirements and false positives.
- Supporting Documents. A list of links and files that provide data relevant to the POA&M identifier.
- Comments Section. A space for miscellaneous comments not found in other columns.
Part III: Closed POA&M Items
This section is a separate worksheet or tab in a worksheet where any completed action items will be moved to. Structurally, this section will be identical to the “Unresolved/Open Action Plan Items” list.
Part IV: Inventory Workbook
A workbook tracking all of the IT inventory items that the organization is accounting for in the POA&M. This can be stored either as a part of the POA&M worksheet or as a separate file.
A note about this template:
The above template is a suggestion based on the CSP POA&M template used for FedRAMP. It has different sections and definitions from the original document and is only meant to serve as a starting point. FedRAMP has specific requirements and additional sections that must be included which are not part of this example.
When establishing a POA&M, it is recommended that you consult with an attorney to formulate your POA&M document to ensure that it meets all regulatory requirements.
4 Tips for Building Your POA&M
So, you have a regulatory standard you need to meet and want to create an effective action plan that you can actually follow to meet it. While having a comprehensive POA&M template is a good start, that isn’t the only thing you need.
Here are a few basic tips for building your POA&M that can help you set realistic expectations and follow through on the plan to its completion:
1. Check Your IT Budget
While it would be nice, no organization has a truly unlimited budget for addressing security gaps and other issues. A comprehensive cybersecurity overhaul may not fit in the organization’s current IT budget—especially if major IT assets need to be replaced entirely.
So, when assembling the action plan, it’s important to verify how much the resources (including labor, software licenses, and other expenses) will cost and compare that to the budget available. If remediating all of the issues that need fixing exceeds the organization’s IT budget, then the POA&M will need to be adjusted.
For example, you could look at the impacts of each item and the cost to fix, and re-prioritize by biggest impact with lowest cost-to-fix, cutting off the low-impact high-cost fixes until additional budget can be allocated to them.
2. Consider Replacing Legacy Systems
Certain older or out-of-date systems that are no longer supported by their original developers can be a major source of vulnerabilities in a network. In some cases, it may be easier (and less costly) to simply replace these legacy systems with a new solution instead of trying to develop a more elaborate workaround.
Replacing legacy systems with newer alternatives that are actively supported by developers can help improve security—as well as your workflows and ability to integrate with more modern IT solutions.
Additionally, if multiple systems need replacement, it can help to look for new software platforms and solutions that can cover for several legacy systems at the same time. This can help streamline your IT assets and save money on software licensing costs in the long run.
3. Don’t Forget about Users
In some action plans, the writers of the plan spend so much time addressing gaps and vulnerabilities in their IT assets that they forget about the people who use those assets. However, in any cybersecurity chain, it’s often the users of IT assets who are the weakest link.
For example, users may:
- Share passwords and other information freely with coworkers so they can log into each other’s user portals;
- Fall for phishing attacks and download malware or give attackers sensitive information;
- Delete the wrong file and lose critical information;
- Send an email to the wrong person and cause a data breach; or
- Intentionally abuse their access privileges for personal gain or to hurt the organization.
Because of these risks, any action plan will need to account for the risks posed by internal users and have action items for minimizing these risks. Whether it’s simply sending out memos and reminders about security standards, the creation of a formal cybersecurity training program for the business, or the application of a policy of least privilege with strong network isolation tools, the organization needs to find ways to limit the risks posed by internal users.
4. Consider Outsourcing Action Plan Tasks
Creating a POA&M document and implementing all of the measures needed to meet specific compliance standards or high cybersecurity goals can be a difficult and time-consuming task. It can be especially tough to take care of things when there aren’t any dedicated cybersecurity experts in the organization to oversee the action plan.
To help close the IT security skills gap, it can be helpful to contract with a managed service provider (MSP) or a managed security service provider (MSSP). These organizations often have extensive experience in helping companies meet specific cybersecurity compliance goals—such as CMMC, NIST 800-171, HIPAA, and the like.
In many cases, hiring a dedicated MSSP to assess your security goals and gaps, then create and manage the POA&M for you, will be less costly than trying to hire an internal team of experts just for this task.
Need help with your POA&M? Reach out to Systems X to get started!