Plan of Action & Milestones
A Plan of Action & Milestones (POA&M) is a strategic document outlining the systematic approach a contractor will adopt to address and rectify identified weaknesses in order to achieve compliance with established controls. A POA&M will identify the security categorization, enumerate weaknesses and deficiencies in controls, evaluate the importance of weaknesses and deficiencies, describe the scope of each weakness as it relates to components in the environment, propose an approach to the mitigation of weaknesses and deficiencies, and lastly, describe the current progress in mitigating them.
The POA&M Management page is the central place for managing existing POA&Ms: users can view existing POA&Ms, edit them, and create new ones.
ASCERA facilitates the writing of POA&Ms by providing a template encompassing all requisite fields for a comprehensive POA&M.

Title
The POA&M title is one of the elements that helps identify the POA&M.
Status
The Status tracks where a POA&M currently is in its life cycle. For example, while the POA&M is actively being worked on, the status is In Progress; when the POA&M is completed, the status is Closed.
The POA&M table can be filtered by status to facilitate keeping track of the POA&Ms that need attention.
Assigned Controls/Objectives
A POA&M can be associated with one or more controls. The linkage can occur at both the control and the objective level, and POA&Ms can also be linked across frameworks.
Responsible Party/Owner
The POA&M table can be filtered by the responsible party. This way, the individuals responsible for POA&Ms can identify the POA&Ms that are assigned to them.
Due Date
A deadline for completing the POA&M is stipulated, and the document is set to expire 180 days after its creation.
Weakness/Gap Description
In this section, the creator of the POA&M provides a comprehensive description of the gaps impeding the organization's compliance with the control/objective.
Method of Identification
During audit preparation, one of three assessment methods can be adopted for each practice:
- Examination of assessment objects
- Interviews with relevant personnel
- Testing of assessment objects under predefined conditions
Risk Assessment
This refers to the probability of a specific risk event occurring. It assesses the chances of a particular threat or vulnerability being exploited, leading to a security incident or breach. When considering risk, the POA&M creator is trying to gauge how likely it is that a certain vulnerability will be exploited by a threat actor.
Planned Milestones
This section entails a detailed listing of all milestones and their corresponding due dates.
Impact
The impact refers to the potential consequences or severity of a security incident if it were to occur. It evaluates the magnitude of damage that could result from the exploitation of a vulnerability.
By harmonizing these key elements within the ASCERA POA&M Management framework, organizations can systematically tackle identified weaknesses and enhance their overall control and compliance landscape. This proactive approach not only fosters security but also contributes to the integrity and robustness of the organization's operations.