August 02, 2019

How to fill out your POA&M

Gregory Morawietz
Founder/Single Point of Contact


Your POA&M is your Plan of Action and Milestones document. Here are some key strategies and best practices to observe when you fill out your POA&M. Through the course of your security assessment, compliance audit, information system audit or any other IT-based audit, you are going to find certain controls that are either not fully implemented or not implemented at all. You need to plan on fixing those controls and bringing them into compliance, and you do that by creating this document and filling out the form.

The first thing you need to do is establish a POA&M ID numbering scheme. You want to keep track of every POA&M item by a unique number or identifier. You also want to record which control each item is associated with, so that you know what your goal is and which control you are addressing. Describe the weakness or issue, and note how you discovered it: what the source was (an assessment, a scan, an audit finding) that told you about the issue.

Record which asset is affected by the weakness or vulnerability, identified by its unique identifier, which should also appear in your SSP (System Security Plan) documentation. Identify the person responsible for fixing the weakness, and anyone else who will be needed to fix it, as that may be a different person. Record when you detected the issue and when you plan to fix it, and maintain an overall status indicator for each item based on its completion date or projected completion date.

You can also track other items in your POA&M that revolve around dates, approvers, comments and documentation relevant to the issue. Some POA&Ms include risk ratings and any dependencies that addressing the control might involve. You can keep the POA&M to the relevant information you actually have available.
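As an added illustration (not from the original post or the author), the script below shows how the fields described above can be checked mechanically once the POA&M is kept as a tracking sheet: unique POA&M IDs, required fields filled in, affected assets cross-referenced against the SSP inventory, scheduled dates that make sense relative to the detection date, and a status indicator derived from the completion dates. The column names, the status vocabulary (completed/overdue/ongoing), the sample rows and the SSP asset list are all constructed assumptions for the example, not a mandated POA&M format.

```python
"""Validate a POA&M export and derive per-item status.

Added example, not part of the original post. Column names, status
labels, sample rows and the SSP inventory are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample: a CSV export of a POA&M tracking sheet.
# The fourth row deliberately reuses an ID and names an unknown asset.
SAMPLE_POAM_CSV = """\
poam_id,control,weakness,source,asset_id,owner,detected,scheduled_completion,completed
POAM-001,AC-2,Stale accounts not disabled after 90 days,Annual assessment,SRV-0012,alice,2019-05-01,2019-07-15,2019-07-10
POAM-002,SI-2,Missing OS patches on web tier,Vulnerability scan,SRV-0020,bob,2019-06-12,2019-07-31,
POAM-003,AU-6,Audit logs not reviewed weekly,Internal audit,SRV-0012,,2019-06-20,2019-09-30,
POAM-002,CM-6,Duplicate ID row,Vulnerability scan,SRV-0099,carol,2019-06-13,2019-08-30,
"""

# Constructed SSP asset inventory; every POA&M asset_id must appear here.
SSP_ASSETS = {"SRV-0012", "SRV-0020"}

# Reporting date used for the status roll-up (the post's publication date).
AS_OF_DATE = date(2019, 8, 2)

# Fields that must never be blank; 'completed' is legitimately empty for open items.
REQUIRED = ("poam_id", "control", "weakness", "source", "asset_id",
            "owner", "detected", "scheduled_completion")


def parse_date(text):
    """Parse an ISO date cell; blank cells mean 'no date yet'."""
    return date.fromisoformat(text) if text else None


def item_status(row, today):
    """Status indicator derived purely from the date columns."""
    if row["completed"]:
        return "completed"
    scheduled = parse_date(row["scheduled_completion"])
    if scheduled and scheduled < today:
        return "overdue"
    return "ongoing"


def validate_poam(csv_text, ssp_assets, today):
    """Return integrity findings, per-row statuses and a status summary."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings, statuses, seen_ids = [], [], set()

    for row in rows:
        pid = row["poam_id"]

        # POA&M IDs must be unique so items can be tracked and referenced.
        if pid in seen_ids:
            findings.append(f"{pid}: duplicate POA&M ID")
        seen_ids.add(pid)

        # Every tracking field the post calls for must be populated.
        for col in REQUIRED:
            if not row[col]:
                findings.append(f"{pid}: missing required field '{col}'")

        # The affected asset must be an asset the SSP already knows about.
        if row["asset_id"] not in ssp_assets:
            findings.append(f"{pid}: asset {row['asset_id']} not in SSP inventory")

        # A fix cannot be scheduled before the weakness was detected.
        detected, scheduled = parse_date(row["detected"]), parse_date(row["scheduled_completion"])
        if detected and scheduled and scheduled < detected:
            findings.append(f"{pid}: scheduled completion precedes detection")

        statuses.append((pid, item_status(row, today)))

    summary = dict(Counter(status for _, status in statuses))
    return {"findings": findings, "statuses": statuses, "summary": summary}


if __name__ == "__main__":
    report = validate_poam(SAMPLE_POAM_CSV, SSP_ASSETS, AS_OF_DATE)
    for pid, status in report["statuses"]:
        print(f"{pid}: {status}")
    print("summary:", report["summary"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the constructed sample, the script marks POAM-001 completed, flags POAM-002 as overdue (its scheduled date has passed with no completion date), reports the blank owner on POAM-003, and catches both the reused POAM-002 identifier and the asset that is missing from the SSP inventory.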
