This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [FedRAMP Assignment: (L)(M)(H) at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-5 Additional FedRAMP Requirements and Guidance: POA&Ms must be provided at least monthly.
CA-5 Additional FedRAMP Requirements and Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Plan of Action and Milestones (POA&M) Template Completion Guide (https://www.FedRAMP.gov/documents/)
NIST 800-53 (r4) Supplemental Guidance:
Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4.
References: OMB Memorandum 02-01; NIST Special Publication 800-37.
NIST 800-53 (r5) Discussion:
Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.
38North Guidance:
Meets Minimum Requirement:
A POA&M management process must be employed to manage weaknesses and deficiencies that have been identified.
POA&Ms must be documented, maintained, and tracked to closure. POA&Ms must be updated when new information becomes available.
Best Practice:
A POA&M, at a minimum, should include the following elements:
POA&M Name/Title;
Date and Time;
POA&M Description (this may include the components affected and where/how the issue was discovered, e.g., via scans);
POA&M Owner (the team member responsible for ensuring the POA&M is tracked and updated); and
Milestones and expected completion dates.
Unofficial FedRAMP Guidance:
POA&Ms must be provided at least monthly to the FedRAMP PMO via OMB Max.
Assessment Evidence:
All deviation requests (DRs) on file for the environment.
Screenshot of tickets supporting the vulnerability scans.
Evidence showing that POA&Ms are managed, maintained, and kept current.
CSP Implementation Tips:
Amazon Web Services (AWS): None.
Microsoft Azure: None.
Google Cloud Platform: None.