Product Feature – Plan of Action and Milestones


In the cloud, nothing stays the same for long. Cloud service providers (CSPs) continually face new threats and new regulatory requirements, and newly discovered vulnerabilities force them to adapt their existing controls, a process that must be properly tracked. Some security frameworks, such as FedRAMP and NIST SP 800-53, require organizations to compile a specialized plan for this purpose: the Plan of Action and Milestones (POA&M). Required as part of the FedRAMP authorization process, the POA&M is a highly structured document detailing a CSP's plan to remediate identified weaknesses and implement satisfying security controls.

Please note: we will be referring to FedRAMP's Plan of Action and Milestones for the purpose of this feature. Additionally, FedRAMP uses the term control for what StandardFusion calls a requirement.

What is a POA&M?

The Plan of Action and Milestones is a critical component of a security authorization package and of the continuous monitoring of a cloud provider's systems. FedRAMP's security authorization package requires cloud service providers (CSPs) to produce three core documents: the System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M). The SSP describes all security controls and how they are implemented within the CSP's information system. The SAR records the independent assessor's evaluation of those controls against the SSP, and the POA&M defines how the CSP will address the weaknesses and vulnerabilities identified in the SAR.

FedRAMP uses the POA&M to monitor the CSP's progress in closing these gaps. A CSP applying for either FedRAMP authorization type must establish and maintain a POA&M for its system in accordance with the POA&M completion guide, using the applicable template, in this case the FedRAMP POA&M template.

For an in-depth look at FedRAMP’s authorization process, check out our detailed guide to FedRAMP compliance in our ebook.    

What is its Purpose?

The POA&M provides a rigorous and structured approach to tracking and implementing risk-mitigating controls. It defines the CSP's intended corrective actions and controls for previously identified vulnerabilities, and it incorporates findings from the continuous monitoring of controls and from security assessments.

The POA&M includes the: 

  • Security categorization of the cloud information system 
  • Specific weaknesses or deficiencies in deployed security controls 
  • Importance of the identified security control weaknesses or deficiencies 
  • Scope of the weakness in components within the environment  
  • Proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security control implementations (e.g., prioritization of risk mitigation actions and allocation of risk mitigation resources). 

 
For each weakness, it identifies (a) the tasks needed to mitigate or eliminate the deficiency, (b) the resources required to carry them out, and (c) the project milestones with their scheduled completion dates.

POA&M and StandardFusion 

With POA&M enabled in StandardFusion, users gain a set of capabilities that simplify implementing corrective actions, monitoring controls, and completing the POA&M report.

In StandardFusion, users connect framework requirements to the control that satisfies them by creating a POA&M item. Because a single control can satisfy multiple requirements, teams can multi-select requirements and connect them to an existing or future POA&M item. Teams can then see exactly which security controls satisfy a framework's requirements and the course of action behind each one.

POA&M items make it easy to continuously monitor and update the connected security controls as part of the POA&M's corrective actions, so security professionals can quickly identify problem areas and make data-driven decisions.

To be authorized to operate under the NIST Risk Management Framework or, in this case, FedRAMP, a CSP's POA&M must be maintained in accordance with the accompanying completion guide and template. Using StandardFusion's report generator, users can import their data into StandardFusion and have it mapped directly to the corresponding template.

StandardFusion is highly configurable, making it easy to add and edit POA&M milestones as you progress through the authorization process. Each change creates a new record, keeping your team up to date and on track.
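To make the structure described above concrete (a weakness in one control, the framework requirements that control maps to, the remediation milestones with scheduled dates, and a change history rather than silent edits), here is a small tracker written for this page as an added illustration. It is not StandardFusion's code or data model, and the item ids ("V-001"), internal control ids ("CTL-014"), status names ("open", "overdue", "closed") and the two sample weaknesses are all constructed for the example; the requirement ids are NIST SP 800-53 control identifiers used only as labels.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Milestone:
    """One scheduled corrective step inside a POA&M item."""
    description: str
    scheduled_completion: date
    completed_on: Optional[date] = None

    def is_overdue(self, today: date) -> bool:
        return self.completed_on is None and today > self.scheduled_completion


@dataclass(frozen=True)
class ChangeRecord:
    """Append-only audit entry: edits add a record, they never overwrite history."""
    changed_on: date
    what: str
    old_value: str
    new_value: str


@dataclass
class PoamItem:
    """A weakness in one internal control, the framework requirements that control
    satisfies, and the corrective plan (milestones, resources) to close it."""
    item_id: str
    weakness: str
    control_id: str            # internal control id, e.g. "CTL-014" (hypothetical)
    requirement_ids: Set[str]  # framework requirements the control maps to
    risk_level: str            # as rated in the assessment, e.g. "High"
    resources: str             # people, budget or tooling needed
    milestones: List[Milestone] = field(default_factory=list)
    history: List[ChangeRecord] = field(default_factory=list)

    def reschedule(self, index: int, new_date: date, changed_on: date) -> None:
        """Move a milestone date, keeping the old value in the item's history."""
        m = self.milestones[index]
        self.history.append(ChangeRecord(changed_on, f"milestone[{index}].scheduled_completion",
                                         m.scheduled_completion.isoformat(), new_date.isoformat()))
        m.scheduled_completion = new_date

    def complete(self, index: int, completed_on: date) -> None:
        """Mark a milestone done, again leaving an audit record."""
        m = self.milestones[index]
        self.history.append(ChangeRecord(completed_on, f"milestone[{index}].completed_on",
                                         "", completed_on.isoformat()))
        m.completed_on = completed_on

    def status(self, today: date) -> str:
        """closed: every milestone done; overdue: an open milestone is past its date; else open."""
        if all(m.completed_on is not None for m in self.milestones):
            return "closed"
        if any(m.is_overdue(today) for m in self.milestones):
            return "overdue"
        return "open"


def overdue_report(items: List[PoamItem], today: date) -> Dict[str, List[str]]:
    """item id -> descriptions of milestones still open past their scheduled date."""
    report: Dict[str, List[str]] = {}
    for item in items:
        late = [m.description for m in item.milestones if m.is_overdue(today)]
        if late:
            report[item.item_id] = late
    return report


def uncovered_requirements(all_requirements: Set[str], items: List[PoamItem]) -> Set[str]:
    """Framework requirements that no POA&M item links to a control at all."""
    covered: Set[str] = set()
    for item in items:
        covered |= item.requirement_ids
    return all_requirements - covered


SAMPLE_TODAY = date(2024, 3, 10)  # fixed "today" so the example is reproducible


def build_sample_items() -> List[PoamItem]:
    """Constructed sample data for this example; not taken from any real assessment."""
    mfa = PoamItem("V-001", "MFA not enforced for privileged console logins", "CTL-014",
                   {"IA-2", "IA-2(1)"}, "High", "IAM engineer, 2 weeks",
                   [Milestone("Enable MFA for all privileged console roles", date(2024, 3, 1)),
                    Milestone("Re-assess the control and collect evidence", date(2024, 4, 15))])
    retention = PoamItem("V-002", "Audit logs retained 30 days; policy requires 90", "CTL-027",
                         {"AU-11"}, "Moderate", "Logging platform owner",
                         [Milestone("Extend log retention to 90 days", date(2024, 2, 1))])
    retention.complete(0, date(2024, 1, 25))
    return [mfa, retention]


def run_demo() -> Dict[str, object]:
    """Exercise the tracker and return results so they can be checked, not just printed."""
    items = build_sample_items()
    before = {i.item_id: i.status(SAMPLE_TODAY) for i in items}
    late = overdue_report(items, SAMPLE_TODAY)
    gaps = uncovered_requirements({"IA-2", "IA-2(1)", "AU-11", "AC-2"}, items)
    # A slipped milestone is rescheduled; this adds a history record instead of a silent edit.
    items[0].reschedule(0, date(2024, 3, 31), changed_on=date(2024, 3, 5))
    after = {i.item_id: i.status(SAMPLE_TODAY) for i in items}
    return {"before": before, "overdue": late, "gaps": gaps, "after": after,
            "history": [r.old_value for r in items[0].history]}
```

Calling run_demo() shows the three checks a reviewer of a POA&M usually wants: V-001 is overdue on the sample date while V-002 is closed, requirement AC-2 is mapped to no item at all (a gap in the requirement-to-control mapping, which is different from an open weakness), and after the slipped milestone is rescheduled the item returns to "open" while the original date survives in the history. The one-control-to-many-requirements link (CTL-014 covering both IA-2 and IA-2(1)) is what lets the same corrective action be reported against every requirement it satisfies.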

Wrap Up

The Plan of Action and Milestones is an essential document that must be created as part of the FedRAMP (and NIST RMF) security authorization package. The POA&M is used to track and adapt your information system to evolving framework requirements. It functions as a treatment plan for the gaps and vulnerabilities outlined in the Security Assessment Report, and it also serves as a risk register whose continuous monitoring helps teams identify systemic deficiencies and make more informed, risk-based decisions.