Cybersecurity risks are always changing, and even with continuous monitoring it can be difficult to know which areas of your IT system need your attention the most. With so many potential weaknesses, how can you prioritize the most urgent security threats and track your progress? 

A Plan of Action and Milestones (POA&M) is a tool that allows you to strategically list your vulnerabilities and the countermeasures you must take to eliminate them. Think of it as the ultimate to-do list on your path to information technology security and compliance.

Keep reading to learn how to create a Plan of Action & Milestones, and how a POA&M can benefit your organization. 

What Is a POA&M?

A POA&M is the road map you will follow after your security plan is created. The plan should include the priority order of the tasks you need to accomplish and the proposed remediation for each, as well as the employees assigned to each task, the milestones that will indicate success, and their scheduled completion dates. Using this approach allows you to stay organized in your compliance efforts and share your plan easily with the rest of your company.

A document like this benefits any company that needs to prove compliance. You can only gain from knowing which security controls need to be created and from implementing a means of organizing your tasks. By creating a plan of action and milestones you can advance your compliance goals and ensure that all necessary employees and stakeholders are involved.

What Is the Purpose of a POA&M?

The purpose of a POA&M is to track your progress for the lifecycle of your compliance journey. Any security plan, no matter how carefully constructed, is bound to have errors or weaknesses. Your POA&M allows you to identify and list any security weaknesses in your system, record the proposed solution, and assign one of your team members as the point of contact for mitigation. It also allows you to set goalposts for your compliance and set due dates for when the corrective steps need to be taken. 

A POA&M may sound similar to a Corrective Action Plan (CAP) but the two are not the same. It’s more accurate to say that a CAP is a component of a POA&M. Each CAP will correspond to an individual security issue, and your POA&M will account for all of the CAPs in your security plan. 

What Is the Difference Between a POA&M and a DFARS SSP?

If your business bids on U.S. government defense contracts, the Office of Management and Budget (OMB) requires that you prove NIST 800-171 and Federal Information Security Management Act (FISMA) compliance. This is an in-depth process that will require your chief information officer (CIO) to create both a POA&M and a Defense Federal Acquisition Regulation Supplement System Security Plan (DFARS SSP).

Your SSP is the precursor to your POA&M; its purpose is to detail your security requirements as well as the testing and controls you have put in place to mitigate risk. The POA&M in turn will look at the information in the SSP to determine any identified weaknesses and what actions must be taken to eliminate them. 

The Defense Department requires that your POA&M include a timeline for when you expect to achieve compliance. As you achieve your goals, you will be able to mark your risk mitigation tasks as completed and remove them from your list. Your SSP is built to grow and change along with your organization, whereas your POA&M should decrease in size as you reach your intended milestones. 

If you have done business with the Defense Department in the past, be aware of recent changes to contracting policy that might affect your ability to win new contracts. Previously a POA&M was enough to prove compliance, which made it easier for small companies to bid on contracts.

In 2020, however, the Defense Department implemented the Cybersecurity Maturity Model Certification (CMMC), its new standard for contractors’ cybersecurity — and a POA&M alone will no longer suffice. One CMMC requirement is to be assessed by a third-party evaluator, which eliminates the self-assessment option that’s used in a POA&M. While an SSP and POA&M will still be useful, they will soon be insufficient to pass CMMC muster. 

How Can I Complete a POA&M?

NIST SP 800-171 contains 110 security requirements. Not all of them will pertain to your company, but every one must be considered before you begin your POA&M. Your POA&M needs to detail every requirement with which you are not compliant, along with your projected completion date for each. Don’t forget that the plan of action alone will not be enough to prove your compliance. Further documentation will be required to ensure that your security is sufficient for government contracts.

There are templates available online to help you create a POA&M, but your organization will need to find the structure and format that best meets your needs. This kind of procedure might seem overwhelming at first, but with the right software, your compliance and security efforts can come together with ease. 

If your company is struggling with your compliance efforts, consider scheduling a demo with ZenGRC. This innovative platform can help streamline your compliance efforts and create a risk management framework tailor-made for your company’s specific goal metrics and needs. Contact the experts at ZenGRC to learn more about what this platform can do for you.