Security consultants and engineers are often confused by the term “POA&M,” pronounced “Poe-Am.” POA&M stands for Plan of Action and Milestones. Many professionals take the term literally, as any plan that captures actions and milestones, but it actually comes from military and defense environments.
A Plan of Action and Milestones (POA&M) is mandated by the Federal Information Systems Management Act of 2002 (FISMA) as a formal corrective action plan for tracking and managing weaknesses within your system. “Formal” means that both the structure of the document and the guidance on how to complete it are prescribed. Any deviation from that guidance will most likely result in your POA&M being rejected by those reviewing it and certifying or authorizing your system for approval.
Most private and commercial organizations can relate this plan to a typical risk register. In federal vernacular, however, the POA&M is a highly structured, version-controlled, and sensitive document used not only to manage risk but also to support federal budgeting processes. POA&Ms are used in conjunction with a security control framework such as the NIST Risk Management Framework.
What goes in a POA&M?
In general, a POA&M contains a detailed estimate of the resources and manpower required to accomplish specific remediation tasks. More specifically, it contains the following required fields:
- Item Identifier
- Weakness or Deficiency
- Security Control
- Resources Required
- Scheduled Completion Date
- Milestones with Completion Dates
- Changes to Milestones
- Weakness/Deficiency Identified By
- Risk Level
- Estimated Cost
Depending on your business or agency, there may be more or fewer fields required when completing a POA&M.
How does a POA&M impact your security risk & compliance operations?
Security professionals today are under the scrutiny of many frameworks, regulations, and standards, such as GDPR, FISMA, and PCI DSS. All of these can be brought under a single security control framework, such as the NIST Risk Management Framework (NIST RMF). A security control framework is a unified compliance framework that lets an organization consolidate its requirements in order to manage the sheer number of obligations spread across different regulatory bodies and standards organizations. Assessing your environment against such a unified compliance framework will surface deficiencies across many controls and requirements. These deficiencies and issues are formally documented in your POA&M. The POA&M can then serve as a foundational document that captures business justification, tasks, and estimated cost, with clear traceability to your organization’s security posture.
How can POA&Ms help CISO with their Budgeting Strategies?
According to OMB Memorandum 04-25, POA&Ms are used by the Office of Management and Budget (OMB) to gather the cost of security across various agencies in the U.S. The OMB is the largest office within the Executive Office of the President of the United States. Think of the OMB as the primary finance department for security and other activities.
A CISO can learn a great deal from how OMB processes, manages, and approves funding for all types of activities, including capital planning for new investments, known as CPIC (Capital Planning and Investment Control).
Before we jump into cost and budgeting, let’s discuss why a POA&M captures cost rather than some other document. The POA&M primarily reports on deficiencies from a unified compliance framework or your internal security control framework. A large organization can deploy many variations of security control frameworks, and each of them can generate its own set of deficiencies. The OMB is interested in managing and addressing deficiencies that could potentially turn into national security risks. When assembling a security budget, CISOs must always understand relative impact and communicate risk and impact properly. The POA&M allows CISOs to do this in a clear and defensible manner by tying every funding request to a specific security requirement along with its risk rating and associated deficiencies.
Below is a direct requirement for POA&Ms from OMB Memorandum 04-25. Linking security costs to security performance is the key for CISOs who want not only to obtain a budget but also to maintain it. This is exactly what the POA&M attempts to achieve.
How can Ignyte help CISOs?
CISOs need a defensible budgeting strategy, and Ignyte automates the security budgeting process while linking it to the security performance of your organization. That security performance can be tied to a unified compliance framework while managing multiple security control frameworks under a single organization. Give us a call or schedule your demo today.