SlideShare uma empresa Scribd logo

Plan of Action and Milestones (POA&M)

Transferir como DOCX, PDF
GovCloud Network
GovCloud Network

This document is a template for a Plan of Action and Milestones (POA&M) for an information system called <Information System Name>. The POA&M identifies security weaknesses or deficiencies in the system, along with plans and milestones to remediate them. It includes an introduction describing the purpose and scope of the POA&M. A methodology section outlines how the POA&M will be structured, with a worksheet to track weaknesses, points of contact, resources required, milestones and completion dates. Appendices define acronyms and references used in the document.

Tecnologia
1 de 12
POA&M <Information System Name>, <Date> Plan of Action and Milestones (POA&M) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
FedRAMP Plan of Action and Milestones Template Table of Contents ABOUT THIS DOCUMENT................................................................................................................. 4 Who should use this document? ..................................................................................................... 4 Conventions used in this document ................................................................................................ 4 How to contact us............................................................................................................................ 5 1. INTRODUCTION....................................................................................................................... 6 1.1. Purpose............................................................................................................................... 6 1.2. Scope .................................................................................................................................. 6 1.3. System Description ............................................................................................................. 6 2. Methodology .......................................................................................................................... 7 Worksheet 1: System POA&M ................................................................................................... 7 APPENDIX A. ACRONYMS............................................................................................................. 11 APPENDIX B. REFERENCES ........................................................................................................... 12 Draft Version 0.1 Page 2 of 12 Table of Contents
FedRAMP Plan of Action and Milestones Template Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Draft Version 0.1 Page 3 of 12 Document Revision History
FedRAMP Plan of Action and Milestones Template ABOUTTHIS DOCUMENT This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and plan of action and milestones for how the deficiencies will be mitigated. Who should use this document? This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Draft Version 0.1 Page 4 of 12
FedRAMP Plan of Action and Milestones Template Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. How to contact us If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov o Draft Version 0.1 Page 5 of 12
FedRAMP Plan of Action and Milestones Template 1. INTRODUCTION The plan of action and milestones (POA&M) is one of three key documents in the security authorization package anddescribes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls notedduring the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by theauthorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security controlassessment. 1.1. Purpose The purpose of POA&M is to facilitate a disciplined andstructured approach to mitigating risks in accordance with Cloud Service Providers (CSP’s) priorities.POA&Ms are based on the findings and recommendations of thesecurity assessment report excluding any remediation actions taken. CSP POA&M’s are based on: (i) the security categorization of the cloud information system; (ii) the specificweaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses ordeficiencies; and (iv) CSP’s proposed risk mitigation approach to address the identifiedweaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of riskmitigation resources). The POA&M identifies: (i) the tasks to be accomplished with a recommendation for completion either before or afterinformation system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meetingthe tasks; and (iv) the scheduled completion dates for the milestones. 1.2. Scope The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items) 1.3. System Description The <Information System Name or Acronym>system has been determined to have a security categorization of <Moderate, or Low>. Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP). Draft Version 0.1 Page 6 of 12
FedRAMP Plan of Action and Milestones Template 2. Methodology POA&Ms must include all known security weaknesses withinthe cloud information system. Weakness information is gathered and reported using embeddedFedRAMP POA&M workbook, which is comprised of five worksheets including the System POA&M worksheet, and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year. Worksheet 1: System POA&M The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below. Measure Details Systems are categorized as Low, Moderate, or High based on a FIPS 199 Risk Impact Level completed FIPS 199/800-60 evaluation. Systems are identified as either Federal or Contractor.Contractor systems are identified as any system that processes or handles GSA- Federal or Contractor owned information on behalf of GSA that are housed at non-GSA System facilities including contractor, consultant, or other third party (includes Federal agencies/departments) sites. The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMBs format requirements. Column A – POAM ID. – A unique identifier must be assigned to each POA&M item. Column B -- Weakness Description.Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Column C – Point of Contact (POC).Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported. Column D -- Resources Required. Identify any resources, obstacles and challenges needed to resolve the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Draft Version 0.1 Page 7 of 12
FedRAMP Plan of Action and Milestones Template A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column F, Milestone Changes. Column E -- Scheduled Completion Date.A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column G, Milestone Changes. Column F – Milestones with Completion Dates.A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once it is recorded. Column G–Source of Discovery.Identify sources for all weaknesses. Ensure this is consistent with the SAR. Column H --Status. A status of Completed or Ongoing must be assigned to each weakness. Completed — This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness. Ongoing — This status is assigned to both current weaknesses that have not exceeded the associated Scheduled Completion Date and delayed weaknesses. Vendor provided Plan of Action & Milestone (POA&M) must comply with the following: Use the POA&M template embedded in this document to track and manage POA&Ms. If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR Non-Conforming Controls listed in the SAR, may be recommended by the vendor/assessor, but if accepted by the JAB, need to be added in the POA&M. As technology evolves, Non- Conforming Controls need to be revaluated as mitigation techniques may surface that did not previously exist at the time of the decision or countermeasure costs may decrease affecting the original Non-Conforming Controls. Draft Version 0.1 Page 8 of 12
FedRAMP Plan of Action and Milestones Template • False positives must be clearly identified within the SAR, along with supporting evidence (e.g., clean scan report) do not have to be identified in the POA&M. • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding. • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization. • Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date. Draft Version 0.1 Page 9 of 12
FedRAMP Plan of Action and Milestones Template Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Te mplate 043012.xlsx Draft Version 0.1 Page 10 of 12
FedRAMP Plan of Action and Milestones Template APPENDIX A. ACRONYMS [NOTE: Update the acronym list based on the acronyms used in this document] AC Authentication Category AP Assurance Profile API Application Programming Interface ATO Authorization to Operate C&A Certification & Accreditation COTS Commercial Off the Shelf AO Authorizing Official FedRAMP Federal Risk and Authorization Management Program FIPS PUB Federal Information Processing Standard Publication FISMA Federal Information Security Management Act GSS General Support System IaaS Infrastructure as a Service (Model) IATO Interim Authorization to Operate ID Identification IT Information Technology LAN Local Area Network NIST National Institute of Standards and Technology OMB Office of Management and Budget PIA Privacy Impact Assessment POA&M Plan of Action and Milestones POC Point of Contact RA Risk Assessment Rev. Revision SA Security Assessment SAR Security Assessment Report SDLC System Development Life Cycle SP Special Publication SSP System Security Plan VLAN Virtual Local Area Network Draft Version 0.1 Page 11 of 12
FedRAMP Plan of Action and Milestones Template APPENDIX B. REFERENCES [NOTE: Update references as needed to reflect current guidance] Laws and Regulations: Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347. Consolidated Appropriations Act of 2005, Section 522. USA PATRIOT Act (P.L. 107-56), October 2001. OMB Circulars: OMB Circular A-130, Management of Federal Information Resources, November 2000. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006. FIPS Publications: FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Publications: NIST 800-18, Guide for Developing Security Plans for Information Technology Systems NIST 800-26, Security Self-Assessment Guide for Information Technology Systems NIST 800-30, Risk Management Guide for Information Technology Systems NIST 800-34, Contingency Planning Guide for Information Technology Systems NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST 800-47, Security Guide for Interconnecting Information Technology Systems NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology NIST 800-64, Security Considerations in the Information System Development Life Cycle Draft Version 0.1 Page 12 of 12

Recomendados

Blockchain for healthcare
Blockchain for healthcareBlockchain for healthcare
Blockchain for healthcare
Thanvilahari
 
MV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-clickMV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-click
Ruggero Citton
 
Data Governance
Data GovernanceData Governance
Data Governance
Axis Technology, LLC
 
data warehouse vs data lake
data warehouse vs data lakedata warehouse vs data lake
data warehouse vs data lake
Polestarsolutions
 
Enterprise Architecture vs. Data Architecture
Enterprise Architecture vs. Data ArchitectureEnterprise Architecture vs. Data Architecture
Enterprise Architecture vs. Data Architecture
DATAVERSITY
 
Real World Data Governance Governing Unstructured Data
Real World Data Governance Governing Unstructured DataReal World Data Governance Governing Unstructured Data
Real World Data Governance Governing Unstructured Data
DATAVERSITY
 
DevOps best practices with OpenShift
DevOps best practices with OpenShiftDevOps best practices with OpenShift
DevOps best practices with OpenShift
Michael Lehmann
 
Blockchain Basics
Blockchain BasicsBlockchain Basics
Blockchain Basics
Bluechip Technologies
 

Recomendados

Blockchain for healthcare
Blockchain for healthcareBlockchain for healthcare
Blockchain for healthcare
Thanvilahari
 
MV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-clickMV2ADB - Move to Oracle Autonomous Database in One-click
MV2ADB - Move to Oracle Autonomous Database in One-click
Ruggero Citton
 
Data Governance
Data GovernanceData Governance
Data Governance
Axis Technology, LLC
 
data warehouse vs data lake
data warehouse vs data lakedata warehouse vs data lake
data warehouse vs data lake
Polestarsolutions
 
Enterprise Architecture vs. Data Architecture
Enterprise Architecture vs. Data ArchitectureEnterprise Architecture vs. Data Architecture
Enterprise Architecture vs. Data Architecture
DATAVERSITY
 
Real World Data Governance Governing Unstructured Data
Real World Data Governance Governing Unstructured DataReal World Data Governance Governing Unstructured Data
Real World Data Governance Governing Unstructured Data
DATAVERSITY
 
DevOps best practices with OpenShift
DevOps best practices with OpenShiftDevOps best practices with OpenShift
DevOps best practices with OpenShift
Michael Lehmann
 
Blockchain Basics
Blockchain BasicsBlockchain Basics
Blockchain Basics
Bluechip Technologies
 
굿닥의 보건의료 공공 데이터 활용사례
굿닥의 보건의료 공공 데이터 활용사례굿닥의 보건의료 공공 데이터 활용사례
굿닥의 보건의료 공공 데이터 활용사례
yello_o2o
 
Blockchain: Real World Use Cases
Blockchain: Real World Use CasesBlockchain: Real World Use Cases
Blockchain: Real World Use Cases
Capgemini
 
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
グローバルセキュリティエキスパート株式会社(GSX)
 
DAS Slides: Data Quality Best Practices
DAS Slides: Data Quality Best PracticesDAS Slides: Data Quality Best Practices
DAS Slides: Data Quality Best Practices
DATAVERSITY
 
How does a blockchain work?
How does a blockchain work?How does a blockchain work?
How does a blockchain work?
Deloitte UK
 
Blockchain Technology
Blockchain TechnologyBlockchain Technology
Blockchain Technology
Mithileysh Sathiyanarayanan
 
Master Thesis Data Governance Maturity Model - Jan Merkus MSc
Master Thesis Data Governance Maturity Model - Jan Merkus MScMaster Thesis Data Governance Maturity Model - Jan Merkus MSc
Master Thesis Data Governance Maturity Model - Jan Merkus MSc
Jan Merkus
 
Blockchain in healthcare sector
Blockchain in healthcare sectorBlockchain in healthcare sector
Blockchain in healthcare sector
Balaji Naik
 
Blockchain point of view for the telco, media and entertainment industry
Blockchain point of view for the telco, media and entertainment industryBlockchain point of view for the telco, media and entertainment industry
Blockchain point of view for the telco, media and entertainment industry
IBM Blockchain
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
Dr. Sunil Kr. Pandey
 
DBaaS in the Real World: Risks, Rewards & Tradeoffs
DBaaS in the Real World: Risks, Rewards & TradeoffsDBaaS in the Real World: Risks, Rewards & Tradeoffs
DBaaS in the Real World: Risks, Rewards & Tradeoffs
ScyllaDB
 
Cloud computing risks
Cloud computing risksCloud computing risks
Cloud computing risks
sripriya78
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
Sameer Mahajan
 
Chap 2 virtulizatin
Chap 2 virtulizatinChap 2 virtulizatin
Chap 2 virtulizatin
Raj Sarode
 
The Data Driven University - Automating Data Governance and Stewardship in Au...
The Data Driven University - Automating Data Governance and Stewardship in Au...The Data Driven University - Automating Data Governance and Stewardship in Au...
The Data Driven University - Automating Data Governance and Stewardship in Au...
Pieter De Leenheer
 
AWS 101: Cloud Computing Seminar (2012)
AWS 101: Cloud Computing Seminar (2012)AWS 101: Cloud Computing Seminar (2012)
AWS 101: Cloud Computing Seminar (2012)
Amazon Web Services
 
Enterprise Blockchain: Top Considerations Before You Deploy
Enterprise Blockchain: Top Considerations Before You Deploy Enterprise Blockchain: Top Considerations Before You Deploy
Enterprise Blockchain: Top Considerations Before You Deploy
Kaleido
 
Sybase To Oracle Migration for Developers
Sybase To Oracle Migration for DevelopersSybase To Oracle Migration for Developers
Sybase To Oracle Migration for Developers
Clearwater Technical Group Inc
 
Cloud File System and Cloud Data Management Interface (CDMI)
Cloud File System and Cloud Data Management Interface (CDMI)Cloud File System and Cloud Data Management Interface (CDMI)
Cloud File System and Cloud Data Management Interface (CDMI)
Calsoft Inc.
 
DI&A Slides: Data Lake vs. Data Warehouse
DI&A Slides: Data Lake vs. Data WarehouseDI&A Slides: Data Lake vs. Data Warehouse
DI&A Slides: Data Lake vs. Data Warehouse
DATAVERSITY
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
juliennehar
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
herthalearmont
 

Mais conteúdo relacionado

Mais procurados

Blockchain: Real World Use Cases
Blockchain: Real World Use CasesBlockchain: Real World Use Cases
Blockchain: Real World Use Cases
Capgemini
 
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
グローバルセキュリティエキスパート株式会社(GSX)
 
The Data Driven University - Automating Data Governance and Stewardship in Au...
The Data Driven University - Automating Data Governance and Stewardship in Au...The Data Driven University - Automating Data Governance and Stewardship in Au...
The Data Driven University - Automating Data Governance and Stewardship in Au...
Pieter De Leenheer
 
Enterprise Blockchain: Top Considerations Before You Deploy
Enterprise Blockchain: Top Considerations Before You Deploy Enterprise Blockchain: Top Considerations Before You Deploy
Enterprise Blockchain: Top Considerations Before You Deploy
Kaleido
 
DI&A Slides: Data Lake vs. Data Warehouse
DI&A Slides: Data Lake vs. Data WarehouseDI&A Slides: Data Lake vs. Data Warehouse
DI&A Slides: Data Lake vs. Data Warehouse
DATAVERSITY
 

Mais procurados (20)

굿닥의 보건의료 공공 데이터 활용사례
굿닥의 보건의료 공공 데이터 활용사례굿닥의 보건의료 공공 데이터 활용사례
굿닥의 보건의료 공공 데이터 활용사례
 
Blockchain: Real World Use Cases
Blockchain: Real World Use CasesBlockchain: Real World Use Cases
Blockchain: Real World Use Cases
 
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
CND(Certified Network Defender:認定ネットワークディフェンダー)のご紹介
 
DAS Slides: Data Quality Best Practices
DAS Slides: Data Quality Best PracticesDAS Slides: Data Quality Best Practices
DAS Slides: Data Quality Best Practices
 
How does a blockchain work?
How does a blockchain work?How does a blockchain work?
How does a blockchain work?
 
Blockchain Technology
Blockchain TechnologyBlockchain Technology
Blockchain Technology
 
Master Thesis Data Governance Maturity Model - Jan Merkus MSc
Master Thesis Data Governance Maturity Model - Jan Merkus MScMaster Thesis Data Governance Maturity Model - Jan Merkus MSc
Master Thesis Data Governance Maturity Model - Jan Merkus MSc
 
Blockchain in healthcare sector
Blockchain in healthcare sectorBlockchain in healthcare sector
Blockchain in healthcare sector
 
Blockchain point of view for the telco, media and entertainment industry
Blockchain point of view for the telco, media and entertainment industryBlockchain point of view for the telco, media and entertainment industry
Blockchain point of view for the telco, media and entertainment industry
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
DBaaS in the Real World: Risks, Rewards & Tradeoffs
DBaaS in the Real World: Risks, Rewards & TradeoffsDBaaS in the Real World: Risks, Rewards & Tradeoffs
DBaaS in the Real World: Risks, Rewards & Tradeoffs
 
Cloud computing risks
Cloud computing risksCloud computing risks
Cloud computing risks
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Chap 2 virtulizatin
Chap 2 virtulizatinChap 2 virtulizatin
Chap 2 virtulizatin
 
The Data Driven University - Automating Data Governance and Stewardship in Au...
The Data Driven University - Automating Data Governance and Stewardship in Au...The Data Driven University - Automating Data Governance and Stewardship in Au...
The Data Driven University - Automating Data Governance and Stewardship in Au...
 
AWS 101: Cloud Computing Seminar (2012)
AWS 101: Cloud Computing Seminar (2012)AWS 101: Cloud Computing Seminar (2012)
AWS 101: Cloud Computing Seminar (2012)
 
Enterprise Blockchain: Top Considerations Before You Deploy
Enterprise Blockchain: Top Considerations Before You Deploy Enterprise Blockchain: Top Considerations Before You Deploy
Enterprise Blockchain: Top Considerations Before You Deploy
 
Sybase To Oracle Migration for Developers
Sybase To Oracle Migration for DevelopersSybase To Oracle Migration for Developers
Sybase To Oracle Migration for Developers
 
Cloud File System and Cloud Data Management Interface (CDMI)
Cloud File System and Cloud Data Management Interface (CDMI)Cloud File System and Cloud Data Management Interface (CDMI)
Cloud File System and Cloud Data Management Interface (CDMI)
 
DI&A Slides: Data Lake vs. Data Warehouse
DI&A Slides: Data Lake vs. Data WarehouseDI&A Slides: Data Lake vs. Data Warehouse
DI&A Slides: Data Lake vs. Data Warehouse
 

Semelhante a Plan of Action and Milestones (POA&M)

This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
juliennehar
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
herthalearmont
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
rhetttrevannion
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
Jay Steidle
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
mary772
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010
Steve Turner
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
dewhirstichabod
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docx
tienboileau
 

Semelhante a Plan of Action and Milestones (POA&M) (20)

This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
 
Unit iii tqm
Unit iii tqmUnit iii tqm
Unit iii tqm
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) Template
 
Documentation on bigmarket copy
Documentation on bigmarket copyDocumentation on bigmarket copy
Documentation on bigmarket copy
 
Mrd template
Mrd templateMrd template
Mrd template
 
0.3 aim phases_and_documentations
0.3 aim phases_and_documentations0.3 aim phases_and_documentations
0.3 aim phases_and_documentations
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdf
 
On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdf
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy Applications
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docx
 
Blue book
Blue bookBlue book
Blue book
 
Is 4 th
Is 4 thIs 4 th
Is 4 th
 

Mais de GovCloud Network

Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
GovCloud Network
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
GovCloud Network
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
GovCloud Network
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
GovCloud Network
 

Mais de GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

Último

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Plan of Action and Milestones (POA&M)

  • 1. POA&M <Information System Name>, <Date> Plan of Action and Milestones (POA&M) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
  • 2. FedRAMP Plan of Action and Milestones Template Table of Contents ABOUT THIS DOCUMENT................................................................................................................. 4 Who should use this document? ..................................................................................................... 4 Conventions used in this document ................................................................................................ 4 How to contact us............................................................................................................................ 5 1. INTRODUCTION....................................................................................................................... 6 1.1. Purpose............................................................................................................................... 6 1.2. Scope .................................................................................................................................. 6 1.3. System Description ............................................................................................................. 6 2. Methodology .......................................................................................................................... 7 Worksheet 1: System POA&M ................................................................................................... 7 APPENDIX A. ACRONYMS............................................................................................................. 11 APPENDIX B. REFERENCES ........................................................................................................... 12 Draft Version 0.1 Page 2 of 12 Table of Contents
  • 3. FedRAMP Plan of Action and Milestones Template Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Draft Version 0.1 Page 3 of 12 Document Revision History
  • 4. FedRAMP Plan of Action and Milestones Template ABOUTTHIS DOCUMENT This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and plan of action and milestones for how the deficiencies will be mitigated. Who should use this document? This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Draft Version 0.1 Page 4 of 12
  • 5. FedRAMP Plan of Action and Milestones Template Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. How to contact us If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov o Draft Version 0.1 Page 5 of 12
  • 6. FedRAMP Plan of Action and Milestones Template 1. INTRODUCTION The plan of action and milestones (POA&M) is one of three key documents in the security authorization package anddescribes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls notedduring the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by theauthorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security controlassessment. 1.1. Purpose The purpose of POA&M is to facilitate a disciplined andstructured approach to mitigating risks in accordance with Cloud Service Providers (CSP’s) priorities.POA&Ms are based on the findings and recommendations of thesecurity assessment report excluding any remediation actions taken. CSP POA&M’s are based on: (i) the security categorization of the cloud information system; (ii) the specificweaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses ordeficiencies; and (iv) CSP’s proposed risk mitigation approach to address the identifiedweaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of riskmitigation resources). The POA&M identifies: (i) the tasks to be accomplished with a recommendation for completion either before or afterinformation system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meetingthe tasks; and (iv) the scheduled completion dates for the milestones. 1.2. Scope The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items) 1.3. System Description The <Information System Name or Acronym>system has been determined to have a security categorization of <Moderate, or Low>. Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP). Draft Version 0.1 Page 6 of 12
  • 7. FedRAMP Plan of Action and Milestones Template 2. Methodology POA&Ms must include all known security weaknesses withinthe cloud information system. Weakness information is gathered and reported using embeddedFedRAMP POA&M workbook, which is comprised of five worksheets including the System POA&M worksheet, and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year. Worksheet 1: System POA&M The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below. Measure Details Systems are categorized as Low, Moderate, or High based on a FIPS 199 Risk Impact Level completed FIPS 199/800-60 evaluation. Systems are identified as either Federal or Contractor.Contractor systems are identified as any system that processes or handles GSA- Federal or Contractor owned information on behalf of GSA that are housed at non-GSA System facilities including contractor, consultant, or other third party (includes Federal agencies/departments) sites. The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMBs format requirements. Column A – POAM ID. – A unique identifier must be assigned to each POA&M item. Column B -- Weakness Description.Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Column C – Point of Contact (POC).Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported. Column D -- Resources Required. Identify any resources, obstacles and challenges needed to resolve the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Draft Version 0.1 Page 7 of 12
  • 8. FedRAMP Plan of Action and Milestones Template A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column F, Milestone Changes. Column E -- Scheduled Completion Date.A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column G, Milestone Changes. Column F – Milestones with Completion Dates.A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once it is recorded. Column G–Source of Discovery.Identify sources for all weaknesses. Ensure this is consistent with the SAR. Column H --Status. A status of Completed or Ongoing must be assigned to each weakness. Completed — This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness. Ongoing — This status is assigned to both current weaknesses that have not exceeded the associated Scheduled Completion Date and delayed weaknesses. Vendor provided Plan of Action & Milestone (POA&M) must comply with the following: Use the POA&M template embedded in this document to track and manage POA&Ms. If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR Non-Conforming Controls listed in the SAR, may be recommended by the vendor/assessor, but if accepted by the JAB, need to be added in the POA&M. As technology evolves, Non- Conforming Controls need to be revaluated as mitigation techniques may surface that did not previously exist at the time of the decision or countermeasure costs may decrease affecting the original Non-Conforming Controls. Draft Version 0.1 Page 8 of 12
  • 9. FedRAMP Plan of Action and Milestones Template • False positives must be clearly identified within the SAR, along with supporting evidence (e.g., clean scan report) do not have to be identified in the POA&M. • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding. • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization. • Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date. Draft Version 0.1 Page 9 of 12
  • 10. FedRAMP Plan of Action and Milestones Template Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Te mplate 043012.xlsx Draft Version 0.1 Page 10 of 12
  • 11. FedRAMP Plan of Action and Milestones Template APPENDIX A. ACRONYMS [NOTE: Update the acronym list based on the acronyms used in this document] AC Authentication Category AP Assurance Profile API Application Programming Interface ATO Authorization to Operate C&A Certification & Accreditation COTS Commercial Off the Shelf AO Authorizing Official FedRAMP Federal Risk and Authorization Management Program FIPS PUB Federal Information Processing Standard Publication FISMA Federal Information Security Management Act GSS General Support System IaaS Infrastructure as a Service (Model) IATO Interim Authorization to Operate ID Identification IT Information Technology LAN Local Area Network NIST National Institute of Standards and Technology OMB Office of Management and Budget PIA Privacy Impact Assessment POA&M Plan of Action and Milestones POC Point of Contact RA Risk Assessment Rev. Revision SA Security Assessment SAR Security Assessment Report SDLC System Development Life Cycle SP Special Publication SSP System Security Plan VLAN Virtual Local Area Network Draft Version 0.1 Page 11 of 12
  • 12. FedRAMP Plan of Action and Milestones Template APPENDIX B. REFERENCES [NOTE: Update references as needed to reflect current guidance] Laws and Regulations: Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347. Consolidated Appropriations Act of 2005, Section 522. USA PATRIOT Act (P.L. 107-56), October 2001. OMB Circulars: OMB Circular A-130, Management of Federal Information Resources, November 2000. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006. FIPS Publications: FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Publications: NIST 800-18, Guide for Developing Security Plans for Information Technology Systems NIST 800-26, Security Self-Assessment Guide for Information Technology Systems NIST 800-30, Risk Management Guide for Information Technology Systems NIST 800-34, Contingency Planning Guide for Information Technology Systems NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST 800-47, Security Guide for Interconnecting Information Technology Systems NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology NIST 800-64, Security Considerations in the Information System Development Life Cycle Draft Version 0.1 Page 12 of 12