POAMs

Plan of Action and Milestones

A POAM is a plan that describes the specific measures to be taken to correct deficiencies found during a security control assessment. The POAM should identify:

  • The tasks needed to correct the deficiency
  • The resources required to make the plan work
  • Milestones in completing the tasks
  • Scheduled completion dates for the milestones

An organizational strategy for developing POAMs with a prioritized approach should consider:

  • The categorization impact level of the system
  • The specific deficiencies that have been found
  • What potential impact the deficiency can have on the risk exposure of the organization or the ability to perform its mission
  • The proposed approach to risk mitigation
  • Any rationale for accepting some level of risk caused by specific deficiencies

POAMs are key to both the Authorization (C&A) process and the Continuous Monitoring process. Either before or during Authorization, an assessment of security controls triggers the need for a POAM, and each POAM deficiency item must be kept open and tracked until the deficiency has been mitigated. Continuous Monitoring uses open POAM items as one of the criteria for selecting candidates for monitoring.

KEY NIST DOCS:
800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems”
800-39 “Managing Risk from Information Systems – An Organizational Perspective”
800-30 “Risk Management Guide for Information Technology Systems”
