Job Aid: Plan Of Action And Milestones - CDSE

Transcription

Job Aid: Plan of Action and Milestones (POA&M)

Using this job aid

This job aid is a tool to help information system security professionals understand how to create and use the Plan of Action and Milestones (POA&M).

Overview of POA&M

This section provides a general overview of the POA&M:
- Purpose of the POA&M
- When a POA&M is required
- Who prepares/uses a POA&M and how
- How to create/update a POA&M

Purpose of the POA&M

The purpose of the POA&M is to assist organizations in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses/deficiencies/vulnerabilities found in programs and systems. The POA&M:
- Facilitates a disciplined and structured approach to mitigating risks in accordance with the priorities of the Information System Owner (ISO)
- Includes the findings and recommendations of the security assessment report and the continual security assessments
- Is maintained throughout the system life cycle

When a POA&M is required

The POA&M is created as part of Step 5 (Authorize System) in the 6-step Risk Management Framework (RMF) process and when common controls have been determined, through independent assessments, to be less than effective. The POA&M is maintained as part of the Security Authorization Package (formerly known as the Certification and Accreditation, or C&A, package).

Center for Development of Security Excellence, Page 1

Who prepares/uses the POA&M and how

- The ISO or the project manager/system manager (PM/SM) lists the following in the POA&M:
  o Non-compliant (NC) security controls
  o Security controls that are not applicable (N/A)
  o Remediation or mitigation tasks for non-compliant security controls
  o Required resources
  o Milestones and completion dates
  o Inherited vulnerabilities
- The ISO or PM/SM initiates the corrective actions identified in the POA&M
- With the support and assistance of the information system security manager (ISSM), the ISO or PM/SM provides visibility and status of the POA&M to the:
  o Authorizing official (AO)
  o Senior information security officer (SISO)
- The DoD Component SISOs monitor and track the overall execution of system-level POA&Ms across the entire Component until identified security vulnerabilities have been remediated and the RMF documentation (Security Authorization Package) is appropriately adjusted

How to create/update a POA&M

- Select the paperclip to open the POA&M template.
- Follow the instructions in the next section to complete the POA&M.

SAMPLE POA&M (For Training Purposes Only)

Information Required to be in the POA&M

This section describes the information required in each column on the POA&M. Refer to the sample POA&M above as you review each of these items. For each column header, the Description explains the column and What You Should Do tells you how to fill it in.

Column Header: Item Identifier
Description: A unique weakness identifier used to track and correlate weaknesses that are ongoing throughout quarterly submissions within the organization
What You Should Do:
- Use the numbering schema that has been determined by your organization.

Column Header: Weakness or Deficiency
Description: Represents any program or system level information security vulnerability that poses an unacceptable risk of compromising confidentiality, integrity, or availability of information
What You Should Do:
- Describe weakness or deficiency identified by certification/validation testing, annual program review, IG independent evaluation, or any other work done by or on behalf of the organization.
- Sensitive descriptions are not necessary, but provide sufficient detail to permit oversight and tracking.

Column Header: Security Control
Description: The security controls are listed in NIST SP 800-53 and directly relate to the weakness identified in the 'Weakness or Deficiency' column.
What You Should Do:
- Enter the security control that correlates to the weakness or deficiency.
- For a security weakness found by means other than a security controls assessment (e.g., vulnerability test), map the deficient function into the applicable security control.

Column Header: Point of Contact (POC)
Description: The organization or title of the position within the organization that is responsible for mitigating the weakness
What You Should Do:
- Enter the name, title and organization of the assigned responsible individual(s).

Column Header: Resources Required
Description: Estimated funding and/or manpower resources required for mitigating a weakness
What You Should Do:
- Note the source and type of funding (current, new, or reallocated) and any funding obstacles
- Include the total funding requirements in the Security Costs column

Column Header: Scheduled Completion Date
Description: Completion date based on a realistic estimate of the amount of time it will take to procure/allocate the resources required for the corrective action and implement/test the corrective action
What You Should Do:
- Always enter either the estimated completion date or 'N/A' if the risk is accepted
  o Never change this date
  o If a security weakness is resolved before or after the originally scheduled completion date, put the actual completion date in the Status field.

Column Header: Milestones with Completion Date
Description: Specific high-level steps to be executed in mitigating the weakness and the estimated completion date for each step
What You Should Do:
- List the specific high-level steps to be executed in mitigating the weakness and the estimated completion date for each step
  o Enter changes to milestones and completion dates in the Changes to Milestones column

Column Header: Changes to Milestones
Description: New estimated completion date for a milestone and the reason for the change
What You Should Do:
- Indicate the new estimated date for a milestone's completion, if the original date is not met
- Include the reason for the change

Column Header: Weakness or Deficiency Identified By
Description: The source of the weakness, the reviewing agency/organization, and the date that the weakness was identified
What You Should Do:
- Enter the source of the weakness, for example:
  o Security controls assessment
  o Penetration test
  o IG audit
  o Certification testing
- Enter the reviewing agency/organization and the date that the weakness was identified

Column Header: Status
Description: The stage or state of the weakness in the corrective process cycle
What You Should Do:
- Enter one of these stages or states of the weakness in the corrective process cycle:
  o Completed – when a weakness has been fully resolved and the corrective action has been tested; include date of completion
  o Ongoing – when a deficiency/weakness is in the process of being mitigated and it has not yet exceeded the original scheduled completion date
  o Delayed – when a deficiency/weakness continues to be mitigated after the original scheduled completion date has passed
  o Planned – when corrective actions are planned to mitigate the deficiency/weakness, but the actions have not yet been applied/implemented
  o Accepted – when the AO decides to accept the risk
    – Include the date the AO decided to accept the risk of an identified weakness (after the AO received a recommendation from the PM office along with a "Mitigation Strategy Report" addressing all implemented/inherited countermeasures and mitigating factors)
    – Periodically review solutions to address the risk to eventually close out the finding when possible

Column Header: Comments
Description: Any amplifying or explanatory remarks that will assist in understanding other entries relative to the identified weakness(es)
What You Should Do:
- Include any amplifying or explanatory remarks that will assist in understanding other entries relative to the identified weakness(es), such as
  o Mitigating factors that will lessen the risks to the system and the network
  o Recommendations to downgrade a finding based on implemented/inherited mitigations
  o Explanation for a delay or change in a Milestone or Scheduled Completion Date
  o Identification of other obstacles or challenges (non-funding-related) to resolving the weakness (e.g., lack of personnel or expertise, or developing a new system to replace an insecure legacy system)

Column Header: Risk Level
Description: A ranking that determines the impact of a vulnerability, if exploited, to the system, data, and/or program
What You Should Do:
- Enter the risk level of the weakness or deficiency:
  o High
  o Medium
  o Low

Column Header: Estimated Cost
Description: The total estimated cost of correcting the weakness or deficiency
What You Should Do:
- Enter the total estimated cost by adding up the individual estimated costs of correcting each weakness or deficiency
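As an added illustration that is not part of the CDSE job aid, the following Python checker encodes the column rules above for the Status, Scheduled Completion Date and Estimated Cost columns: an Accepted entry carries the date the AO accepted the risk, 'N/A' for the scheduled date is allowed only when the risk is accepted, an Ongoing item whose scheduled date has passed should read Delayed (and vice versa), and the estimated cost total is the sum of the individual costs. The PoamItem fields, the wording of the findings and the sample entries are constructed assumptions, not the job aid's sample POA&M.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Values the job aid names for the Status and Risk Level columns.
STATUSES = {"Completed", "Ongoing", "Delayed", "Planned", "Accepted"}
RISK_LEVELS = {"High", "Medium", "Low"}

@dataclass(frozen=True)  # frozen: the Scheduled Completion Date is never changed in place
class PoamItem:
    item_id: str                          # Item Identifier (organization's own numbering schema)
    security_control: str                 # NIST SP 800-53 control tied to the weakness
    scheduled_completion: Optional[date]  # None stands for 'N/A' (risk accepted)
    status: str
    status_date: Optional[date] = None    # completion date, or date the AO accepted the risk
    risk_level: str = "Medium"
    estimated_cost: float = 0.0

def validate_item(item, today):
    """Check one entry against the column rules; returns a list of findings (empty = consistent)."""
    problems = []
    if item.status not in STATUSES:
        problems.append(f"unknown status {item.status!r}")
    if item.risk_level not in RISK_LEVELS:
        problems.append(f"risk level must be High, Medium or Low, not {item.risk_level!r}")
    if item.status == "Accepted" and item.status_date is None:
        problems.append("Accepted: record the date the AO decided to accept the risk")
    if item.status != "Accepted" and item.scheduled_completion is None:
        problems.append("Scheduled Completion Date may be N/A only when the risk is accepted")
    if item.status == "Completed" and item.status_date is None:
        problems.append("Completed: include the actual completion date in Status")
    if item.scheduled_completion is not None:
        overdue = today > item.scheduled_completion
        if item.status == "Ongoing" and overdue:
            problems.append("scheduled date has passed: status should be Delayed, not Ongoing")
        if item.status == "Delayed" and not overdue:
            problems.append("scheduled date not yet passed: status should be Ongoing, not Delayed")
    return problems

def total_estimated_cost(items):
    """Estimated Cost column total: the sum of the individual corrective-action costs."""
    return sum(i.estimated_cost for i in items)

# Constructed sample entries and review date (hypothetical, for illustration only).
AS_OF = date(2024, 2, 20)
SAMPLE = [
    PoamItem("SYS-001", "AC-2", date(2024, 3, 31), "Ongoing", risk_level="High", estimated_cost=12000),
    PoamItem("SYS-002", "SI-2", date(2024, 1, 15), "Ongoing", estimated_cost=3500),
    PoamItem("SYS-003", "PE-3", None, "Accepted", status_date=date(2024, 2, 1), risk_level="Low"),
    PoamItem("SYS-004", "CM-6", None, "Planned", risk_level="Low", estimated_cost=800),
]
```

Run `validate_item(entry, AS_OF)` over each SAMPLE entry to see which rule each one breaks; the frozen dataclass means a changed scheduled date has to be a new record, which matches the "never change this date" instruction.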
