The Power of POA&Ms

Cheryl Abram
4 min read · Mar 9, 2024

The first time I heard the sound “POA&M”, I was in my first cybersecurity role at NAVSEA. It was my 2nd week on the job and my manager asked me to create a “POA&M”.

A what?

Was that even a word?

After clarifying that ‘POA&M’ was an acronym for “Plan of Action and Milestones”, I started researching, asked questions of my colleagues, and completed the task accurately and on time.

A POA&M is a formal agreement between two primary roles: (1) the individual accountable for an organization’s cybersecurity risk decisions (typically the Authorizing Official, or in some organizations the CISO) and (2) the manager responsible for the overall security and operation of an IT system (typically the System Owner).

A POA&M is also a dynamic, living written plan used to identify, track, prioritize, and monitor system security findings (weaknesses or vulnerabilities), together with the actions, resources, and milestone dates needed to remediate each one.

Of the seven steps in the NIST RMF process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor), POA&Ms are most prominent in the last three:

Assess: security controls are evaluated, and POA&Ms are developed to outline the plan for addressing each identified finding/vulnerability

Authorize: POA&Ms are heavily scrutinized as part of the process of granting an Authorization to Operate (ATO); the AO weighs the open items and their remediation dates against the risk of operating the system

Monitor: the POA&M becomes a living document used to track each vulnerability’s progress, changes, remediation, and closure for as long as the system operates

This is a sample POA&M item/entry.

This is the document created to ensure the owner of an information system and/or application implements and maintains the necessary administrative, operational, and technical controls to keep the system secure and fit for purpose.

Let me give you an everyday example of a system so you can see this in another way.

You are a homeowner who wants to install a sophisticated security system in and around your home to secure and protect your family, your valuables and anything else you feel needs protection. You have no experience in home security systems and even if you did, you don’t have time to monitor and maintain the system appropriately.

For this reason, you decide to hire a security company to assess your home, help you make the best decision about the type of physical and digital security solutions you need, and then install the system in your home.

In this scenario, you are the Authorizing Official (AO): the role accountable for deciding whether to bring a system onto your network.

The security company representative is the System Owner: the role responsible for all aspects of the security system’s performance, including the security of the system itself.

As the AO and homeowner, you require the security company to meet certain standards before you allow this system in your home. Here is some of what you require:

(1) the alarm systems and cameras must remain operational 24/7 without interruption,

(2) rapid response in the event of a break-in, including notifying you and law enforcement,

(3) their hardware must be tamper-resistant and able to function in different kinds of weather,

(4) the company has to provide training to you and everyone in the home on how to properly use the security system, to avoid user error that could break the system or compromise your security, and finally

(5) any data collected by the security system (e.g., images, video, and audio recordings) has to be stored securely and in compliance with privacy laws.

The POA&M will be a document created by the security company to ensure this security system implements and maintains the standards you’ve set (along with other requirements) to keep the security system secure.

Let’s say you’ve purchased the system. Now it’s 6 months in, and the company conducts an assessment of its own system and finds a vulnerability. That finding becomes an item on the POA&M.

The yellow section is the POA&M information, and below it is a description of each column. Not all POA&Ms look alike, but from a federal/DoD perspective these are some of the core fields you will find.

In the video below I go further into aspects of a POA&M, including:

the people/roles involved,

POA&M item status,

regulations specific to POA&Ms, and

a list of RMF/GRC systems in and outside the federal space.
