A Plan of Action and Milestones (POAM) documents the efforts and resources an organization has allocated to correct deficiencies in its security systems. A POAM is a critical cybersecurity step, providing a structured approach to identifying, addressing, and mitigating risks.
When implemented correctly, a POAM can help improve the security posture within an organization by finding vulnerabilities and resolving them in a timely manner, while also giving an in-depth look at the improvements made and what risks were mitigated.
3 Reasons Why a Company Needs a POAM
1. Compliance
Many industries rely on strict regulations to guide their actions. The Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR) all require organizations within certain industries to follow a detailed cybersecurity plan. Within the government industry, the Department of Defense (DoD) requires a POAM when gaps or deficiencies have been identified as part of its Cybersecurity Maturity Model Certification (CMMC) program requirements:
- With the implementation of CMMC 2.0, the Department intends to allow companies to receive contract awards with a limited time Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements.
2. Risk Mitigation
Cybersecurity is no longer a luxury. The threats continue to evolve, and no system is safe. Having a POAM in place and executing it provides a structured approach to risk mitigation and helps organizations identify these cybersecurity risks, hopefully before they cause issues. This type of approach can help prevent small vulnerabilities from turning into large-scale security breaches.
3. Continuous Improvement
With a POAM in place, organizations must monitor their environments continually and, as a result, steadily improve their security posture as new vulnerabilities and gaps are identified; this keeps the security team proactive as threats evolve.
How to Create a POAM
A comprehensive POAM usually includes the following key components:
1. Identification of Vulnerabilities
Step one in creating a POAM is identifying your environment’s vulnerabilities. To do this, an organization should go through a variety of cybersecurity assessments including penetration testing, vulnerability scanning, and security audits. Each assessment will identify different vulnerabilities within your systems, and each risk or weakness should be documented in detail.
2. Prioritization of Risks
Since not all system weaknesses pose a significant risk, each vulnerability identified in step 1 should be ranked according to the level of risk and exposure to your organization. Within your POAM, create a risk assessment process that prioritizes vulnerabilities based on impact. Most organizations build a risk matrix and rank each vulnerability as low, medium, or high risk.
3. Action Plan
With the risk matrix and ranking in place, now you can build your action plan to handle these vulnerabilities. This step represents the core of any POAM and outlines the individual actions your team must take to address each one. Document in your POAM the specific action your team will execute, who will resolve it and the deadline.
4. Milestones
Built into your POAM should be milestones or checkpoints that indicate progress, as well as who is responsible for closing each gap. These milestones provide a way for teams to measure the activities toward a vulnerability’s resolution and gauge whether or not they are on track to completion. Each milestone should include a deadline and measurable criteria.
5. Status Updates
A POAM should be considered a living document and, as such, it must be regularly reviewed and updated. Any time a change is made to the organization’s security posture, or a new threat is identified, the POAM must be updated. This final step should also include regular security assessments, a scheduled time to update the action plan and milestones, and tracking of your team’s progress. These ongoing tasks ensure accountability and keep in place what agencies like the DoD require.
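Steps 2 through 5 above describe a record that a team usually keeps in a spreadsheet; the following is an added example (not from the original article or any particular POAM template) showing the same structure as a small Python tracker: a 3x3 likelihood-by-impact matrix that yields the low/medium/high ranking, POAM items carrying the action, owner and deadline, milestones with measurable criteria and due dates, and a status check for the regular review. The matrix layout, the field names and the sample findings are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Step 2: risk matrix, likelihood x impact -> low/medium/high.
# This 3x3 layout is an assumed example; organizations define their own grid.
LEVELS = ("low", "medium", "high")
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

@dataclass
class Milestone:
    criteria: str          # step 4: measurable completion criteria
    due: date              # step 4: each milestone carries a deadline
    done: bool = False

@dataclass
class PoamItem:
    weakness: str          # step 1: finding from a scan, pentest or audit
    likelihood: str        # "low" | "medium" | "high"
    impact: str            # "low" | "medium" | "high"
    action: str            # step 3: the specific corrective action
    owner: str             # step 3: who will resolve it
    deadline: date         # step 3: overall deadline for the fix
    milestones: list = field(default_factory=list)

    def risk_level(self) -> str:
        return RISK_MATRIX[(self.likelihood, self.impact)]

def prioritize(items):
    """Order the POAM high -> low risk; nearest deadline first within a level."""
    return sorted(items, key=lambda i: (-LEVELS.index(i.risk_level()), i.deadline))

def status(item, today):
    """Step 5 review: 'closed', 'overdue', 'behind' or 'on track' as of `today`."""
    if item.milestones and all(m.done for m in item.milestones):
        return "closed"
    if today > item.deadline:
        return "overdue"
    if any(not m.done and today > m.due for m in item.milestones):
        return "behind"
    return "on track"

def review(items, today):
    """One line per item for the status-update meeting, in priority order."""
    return [(i.risk_level(), i.weakness, i.owner, status(i, today)) for i in prioritize(items)]
```

Items that come back as "behind" or "overdue" are the ones whose milestones and deadlines need re-planning at the next scheduled update.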
Don’t Delay
If your organization doesn’t have a POAM in place, it’s time to get started. Meet with your security team and begin building it now. If building, updating and maintaining your system looks like too heavy a lift for your team, your POAM can point to outsourced options for certain requirements. If you need assistance, contact the team at Cuick Trac. We’ve helped hundreds of organizations prepare their environments for the CMMC program.