Karen Kiewski : Jun 9, 2021 5:00:00 PM
If you’ve been researching how to meet certain compliance standards, you may have come across the acronym “POA&M” a few times by now. Or, this may be your first time seeing the term.
Either way, if you’re hoping to meet FedRAMP, CMMC, or other compliance standards, it’s important to know what a POA&M is and how you can create one.
What does a POA&M look like? What does the term even stand for? How can you make a POA&M that will help your business? Here’s a quick explanation of this cybersecurity concept:
POA&M is an acronym for "plan of action and milestones." It’s a document for tracking specific vulnerabilities in an organization's IT infrastructure and any progress towards addressing them—including specific risk mitigation strategies that are planned for use.
A plan of action and milestones can be useful as part of a gap analysis—helping you establish a plan for closing critical compliance and security gaps in your organization. In fact, the gaps identified in a gap analysis are often what the POA&M is meant to address.
So, what goes into a POA&M? FedRAMP provides an outline of what a POA&M document should include. While their document was originally optimized to address cloud service providers (CSPs), the following items adapted from their list could be applied to nearly any organization’s action plan for addressing security vulnerabilities:
In short, a plan of action and milestones should have both a list of issues to resolve (sorted by priority) and a roadmap for resolving them.
What does a POA&M look like? As long as the document contains all of the items it needs to have in an organized manner, you could make it in almost any way you want (in theory). However, it can help to follow a set POA&M template when making your own action plan.
Here’s a Sample POA&M Template to consider when setting up your own action plan for addressing security weaknesses:
The scope of this POA&M document covers security control implementations that are either missing or do not meet the requirements of [enter compliance standard here]. Once all items have been remediated, the POA&M will be submitted to [name of the organization in charge of certification here].
Name of the Submitting Organization:
Date of POA&M:
The POA&M worksheet should include the following columns:
This section is a separate worksheet, or a separate tab within the worksheet, to which completed action items are moved. Structurally, it is identical to the “Unresolved/Open Action Plan Items” list.
A workbook tracking all of the IT inventory items that the organization is accounting for in the POA&M. This can be stored either as a part of the POA&M worksheet or as a separate file.
The above template is a suggestion based on the CSP POA&M template used for FedRAMP. It has different sections and definitions from the original document and is only meant to serve as a starting point. FedRAMP has specific requirements and additional sections that must be included which are not part of this example.
When establishing a POA&M, it is recommended that you consult with an attorney to formulate your POA&M document to ensure that it meets all regulatory requirements.
So, you have a regulatory standard you need to meet and want to create an effective action plan that you can actually follow to meet it. While having a comprehensive POA&M template is a good start, that isn’t the only thing you need.
Here are a few basic tips for building your POA&M that can help you set realistic expectations and follow through on the plan to its completion:
While it would be nice, no organization has a truly unlimited budget for addressing security gaps and other issues. A comprehensive cybersecurity overhaul may not fit in the organization’s current IT budget—especially if major IT assets need to be replaced entirely.
So, when assembling the action plan, it’s important to verify how much the resources (including labor, software licenses, and other expenses) will cost and compare that to the budget available. If remediating all of the issues that need fixing exceeds the organization’s IT budget, then the POA&M will need to be adjusted.
For example, you could look at the impacts of each item and the cost to fix, and re-prioritize by biggest impact with lowest cost-to-fix, cutting off the low-impact high-cost fixes until additional budget can be allocated to them.
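The open/closed worksheet split from the template above and the “biggest impact with lowest cost-to-fix” re-prioritization just described can be modelled in a few dozen lines. The following is an added example written for this article, not code from the original post or from FedRAMP: the column names, the 1–5 impact scale, the `[control id]` placeholders and the sample rows are all constructed assumptions, and a real POA&M carries whatever columns its standard requires.

```python
"""Minimal POA&M worksheet model with budget-constrained prioritization.

Added example for this article, not code from the original post or from
FedRAMP. Column names, the impact scale, the control identifiers and the
sample rows are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class PoamItem:
    item_id: str
    weakness: str                      # description of the control gap
    control: str                       # affected control (placeholder ids below)
    impact: int                        # assessor's rating, 1 (low) to 5 (critical)
    cost: float                        # estimated remediation cost, in currency units
    milestone: str                     # planned remediation step
    scheduled: date                    # target completion date
    completed: Optional[date] = None   # set when the item moves to the closed tab

    @property
    def impact_per_cost(self) -> float:
        # Rank key for "biggest impact with lowest cost-to-fix"; the cost floor
        # avoids a division by zero for items that need no spend.
        return self.impact / max(self.cost, 1.0)


def prioritize(items: List[PoamItem], budget: float) -> Tuple[List[PoamItem], List[PoamItem]]:
    """Split open items into (funded, deferred) under a fixed budget.

    Open items are walked from highest to lowest impact-per-cost; each is funded
    if its cost still fits the remaining budget and deferred otherwise. Deferred
    items stay open on the worksheet until more budget is allocated.
    """
    funded: List[PoamItem] = []
    deferred: List[PoamItem] = []
    remaining = budget
    open_items = [i for i in items if i.completed is None]
    for item in sorted(open_items, key=lambda i: i.impact_per_cost, reverse=True):
        if item.cost <= remaining:
            funded.append(item)
            remaining -= item.cost
        else:
            deferred.append(item)
    return funded, deferred


def close_item(items: List[PoamItem], item_id: str, on: date) -> PoamItem:
    """Record a completion date so the item moves from the open tab to the closed tab."""
    for item in items:
        if item.item_id == item_id:
            item.completed = on
            return item
    raise KeyError(f"no POA&M item {item_id!r}")


def worksheets(items: List[PoamItem]) -> Tuple[List[PoamItem], List[PoamItem]]:
    """Return (open, closed) lists, mirroring the template's two tabs."""
    open_tab = [i for i in items if i.completed is None]
    closed_tab = [i for i in items if i.completed is not None]
    return open_tab, closed_tab


def sample_items() -> List[PoamItem]:
    """Constructed sample rows; weaknesses, scores and costs are illustrative only."""
    d = date(2021, 9, 30)
    return [
        PoamItem("P-001", "MFA not enforced for remote administrative access",
                 "[control id]", 5, 2000.0, "Enable MFA on VPN and admin portals", d),
        PoamItem("P-002", "File server runs an unsupported operating system",
                 "[control id]", 4, 15000.0, "Migrate shares to a supported platform", d),
        PoamItem("P-003", "No annual security awareness training",
                 "[control id]", 3, 1500.0, "Roll out training module to all staff", d),
        PoamItem("P-004", "Audit logs retained for seven days only",
                 "[control id]", 3, 4000.0, "Extend log retention and central collection", d),
        PoamItem("P-005", "Guest Wi-Fi not segmented from internal network",
                 "[control id]", 2, 12000.0, "Deploy separate VLAN and firewall policy", d),
    ]


if __name__ == "__main__":
    items = sample_items()
    funded, deferred = prioritize(items, budget=10000.0)
    print("Fund now:", [i.item_id for i in funded])   # P-001, P-003, P-004
    print("Defer:   ", [i.item_id for i in deferred])  # P-002, P-005
    close_item(items, "P-001", date(2021, 10, 15))
    open_tab, closed_tab = worksheets(items)
    print("Open:", len(open_tab), "Closed:", len(closed_tab))
```

With the constructed rows and a 10,000 budget, the greedy pass funds P-001, P-003 and P-004 (7,500 in total) and defers the two expensive items; closing P-001 moves it to the closed tab and drops it from the next prioritization. The greedy walk is the simple reading of the rule in the text and is not guaranteed to maximize total impact for a given budget; for a long worksheet a knapsack solver over the same fields would give the optimal subset.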
Certain older or out-of-date systems that are no longer supported by their original developers can be a major source of vulnerabilities in a network. In some cases, it may be easier (and less costly) to simply replace these legacy systems with a new solution instead of trying to develop a more elaborate workaround.
Replacing legacy systems with newer alternatives that are actively supported by developers can help improve security—as well as your workflows and ability to integrate with more modern IT solutions.
Additionally, if multiple systems need replacement, it can help to look for new software platforms and solutions that can cover for several legacy systems at the same time. This can help streamline your IT assets and save money on software licensing costs in the long run.
In some action plans, the writers of the plan spend so much time addressing gaps and vulnerabilities in their IT assets that they forget about the people who use those assets. However, in any cybersecurity chain, it’s often the users of IT assets who are the weakest link.
For example, users may:
Because of these risks, any action plan needs to account for the risks posed by internal users and include action items for minimizing them. Whether that means simply sending out memos and reminders about security standards, creating a formal cybersecurity training program for the business, or applying a policy of least privilege backed by strong network isolation tools, the organization needs to find ways to limit the risk posed by internal users.
Creating a POA&M document and implementing all of the measures needed to meet specific compliance standards or high cybersecurity goals can be a difficult and time-consuming task. It can be especially tough to take care of things when there aren’t any dedicated cybersecurity experts in the organization to oversee the action plan.
To help close the IT security skills gap, it can be helpful to contract with a managed service provider (MSP) or a managed security service provider (MSSP). These organizations often have extensive experience in helping companies meet specific cybersecurity compliance goals—such as CMMC, NIST 800-171, HIPAA, and the like.
In many cases, hiring a dedicated MSSP to assess your security goals and gaps, then create and manage the POA&M for you, will be less costly than trying to hire an internal team of experts just for this task.
Need help with your POA&M? Reach out to Systems X to get started!