BLUF - Bottom Line Up Front
A POA&M (Plan of Actions and Milestones) is a structured document used in IT security, especially in government, to manage and track system weaknesses and compliance with frameworks like NIST and CMMC. It helps identify tasks, costs, and risks, aiding CISOs in budget strategies by aligning security needs with financial planning. Effective for integrating various frameworks, POA&Ms support clear communication of security priorities and justify budget requests linked to security performance.
Have you ever heard an IT security pro talk about their POA&M and wondered what they meant? You’re not alone. Many security consultants and engineers are uncertain about the meaning of the acronym “POA&M”. It stands for Plan of Actions and Milestones. It’s a commonplace term within military and defense working environments. POA&Ms are also being applied to commercial companies that use the Cybersecurity Maturity Model Certification (CMMC) program as a measure of security.
For government systems, a Plan of Action and Milestones (POA&M) is mandated by the Federal Information Systems Management Act of 2002 (FISMA) as a formal corrective action plan for tracking and managing weaknesses within your system. In this context, “formal” means that the structure of the document along with the guidance on how to properly complete the document is mandated. Any deviation from the guidance will end in rejection of your POA&M document by those who are reviewing it and certifying, or authorizing, your system for approval.
Most private and commercial organizations can relate this plan to their typical risk register. In federal vernacular, however, the POA&M is a highly structured, version-controlled, and sensitive document used not only to manage risk but also to help with the federal budgeting processes. POA&Ms are used in conjunction with a security control framework such as the NIST Risk Management Framework (NIST SP 800-53) or CMMC (NIST SP 800-171).
What goes in a POA&M?
In general, a POA&M contains a detailed estimation of the resources and human capital required to accomplish identified tasks. More specifically, it has the following requirements:
- Item Identifier
- Weakness or Deficiency
- Security Control
- POC
- Resources Required
- Scheduled Completion Date
- Milestones with Completion Dates
- Changes to Milestones
- Weakness/Deficiency Identified By
- Risk Level
- Estimated Cost
- Status
- Comments
Depending on your business or your agency, there may be more or fewer requirements when completing a POA&M.
How does a POA&M impact your security risk & compliance operations?
Security professionals today are under the scrutiny of many frameworks, regulations, and standards. Standards and regulations such as GDPR, FISMA, and PCI-DSS can be brought under a single security control framework, such as the NIST Risk Management Framework (NIST RMF). A security control framework is a unified compliance framework that allows the organization to consolidate its requirements in order to properly manage the sheer number of requirements spread across different regulatory bodies and standards organizations. Assessing your environment against a unified compliance framework will produce several deficiencies across various controls and requirements. These deficiencies and issues are formally documented in your POA&M. The POA&M can then serve as a foundational document that captures the business justification, tasks, and estimated costs, with clear traceability to your organization’s security posture.
How can POA&Ms help CISOs with their Budgeting Strategies?
According to OMB Memorandum 04-25, POA&Ms are used by the Office of Management and Budget (OMB) to gather the costs of security across various agencies in the U.S. The OMB is the largest office within the Executive Office of the President of the United States. It is the primary finance department for security and other activities.
There is a lot a CISO can learn from how OMB processes manage and approve funding for various types of activities, including capital planning for new investments, known as CPIC (Capital Planning & Investment Control).
So, why does a POA&M capture cost when other types of documents do not? The POA&M primarily reports on deficiencies from a unified compliance framework or your internal security controls framework. A large organization can deploy many variations of security control frameworks. Each one of these frameworks can generate its own set of deficiencies. The OMB is interested in managing and addressing these deficiencies, which could potentially turn into national security risks.
When assembling a security budget, CISOs must always understand the relative impact and properly communicate risk and impact. The POA&M allows CISOs to do this in a clear and defensible manner by aligning funding requests to specific security requirements along with their relative risk ratings and deficiencies.
Linking security costs to security performance is the key for CISOs desiring to acquire and maintain their budget. This is exactly what the POA&M attempts to achieve.
How do you holistically establish a budget for your security program?
CISOs often need to develop an annual budget. It is important to note that this involves more than just adding up all of the items from POA&Ms into capital expenditures (CAPEX) and operational expenses (OPEX). The entire budget needs to be aligned with the internal budgeting process and sales projections of your organization. More importantly, the projected state of your business financials, including any review of pro-forma that you may have access to, can provide you with valuable insight into which particular Line of Business (LOB) or Business Unit (BU) is expected to grow. If your organization is operating within the public sector with an upward growth trajectory, a POA&M with properly allocated costs on various items related to public sector initiatives such as CMMC or FedRAMP can tremendously help a management team prepare for the future.
How can Ignyte Platform help CISOs?
CISOs need a defensible budgeting strategy, and Ignyte Platform automates the security budgeting process while linking it to the security performance of your organization. The security performance of your organization can be tied to one or more compliance frameworks while managing multiple security control frameworks under a single organization. Give us a call or schedule your demo today.