Editor’s Note: The FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide, Version 1.o (.docx) is attached here. The following is an excerpt.
1.1. Purpose
The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s priorities. The POA&Ms include the findings and recommendations of the security assessment report and the continual security assessments.
FedRAMP uses the POA&M to monitor progress in correcting weaknesses or deficiencies noted during the security control assessment and throughout the continuous monitoring process.
The POA&Ms are based on the:
- Security categorization of the cloud information system
- Specific weaknesses or deficiencies in deployed security controls
- Importance of the identified security control weaknesses or deficiencies
- Scope of the weakness in systems within the environment
- Proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security controls (for example, prioritization of risk mitigation actions, allocation of risk mitigation resources)
The POA&M identifies: (i) the tasks the CSP plans to accomplish with a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for the milestones.
Leave a Reply