
In Defense of the POAM


Life Cycle Case for Tracking an Information System


What is a POAM and how is it useful?

The Plan of Action and Milestones with Dates of Completion is a formal to-do list. The POAM (sometimes POA&M) is a key document and function that facilitates the management of an Information System[i] (IS or System) throughout its Life Cycle. The National Institute of Standards and Technology (NIST) defines the POAM as “a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”[ii] As a core component of a System Security Plan (SSP), a POAM can be used to track the Who, What, Why, How and When of actionable items after an assessment or other System activities.

Typical POAM columns:

  • Item Identifier
  • Weakness or Deficiency
  • Security Control
  • Milestones with Completion Dates
  • Changes to Milestones
  • Weakness/Deficiency Identified By
  • Point of Contact
  • Resources Required
  • Scheduled Completion Date
  • Risk Level (Low/Med/High)
  • Estimated Cost
  • Status

General POAM Criteria

The POAM makes appearances throughout the assessment and authorization process. When managing an Information System under the Cybersecurity Framework (CSF 2.0), you need to “analyze the gaps between the Current and Target Profiles and create an action plan.”[i] Once you create an action plan, or POAM, the next step is to implement the action plan and update the Organizational Profile.[ii] The framework is careful to note that an action plan may have an overall deadline or be ongoing. Truly, it may be both.


Under CMMC (the most common implementation of NIST SP 800-171, using revision 2), the POA&M meets requirement 3.12.2, “Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented.”[iii] The Federal Register’s CMMC final rule (December 2024) addresses feedback on the POA&M, stating the following: “Changes have been made to the CMMC Program based on public comment. Significant changes include… Provided clarification to distinguish between Plan of Action & Milestones (POA&Ms) and operational plan of action. An operational plan of action does not identify a timeline for remediation and is not the same as a POA&M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days.”[iv]
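As an added illustration (not code from the article), a minimal tracker that carries the POAM columns listed above and applies the CMMC distinction just quoted: an entry with no scheduled completion date is an operational plan of action, and a dated entry is flagged when its date falls outside the 180-day remediation window. The class and field names, the contacts and the sample rows are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

CMMC_REMEDIATION_WINDOW = timedelta(days=180)  # CMMC final rule quoted above: remediate within 180 days
_d = date.fromisoformat                         # ISO "YYYY-MM-DD" string -> date

@dataclass
class PoamItem:
    """One row of the POAM table above (cost and resources omitted). Dates are ISO strings."""
    item_id: str
    weakness: str
    security_control: str
    point_of_contact: str
    risk_level: str                      # Low / Med / High
    identified_on: str                   # when the weakness or deficiency was identified
    scheduled_completion: Optional[str]  # None = operational plan of action (no timeline)
    status: str = "Open"
    milestone_changes: List[str] = field(default_factory=list)

    def is_poam(self) -> bool:
        # A POA&M carries a scheduled completion date; an operational plan of action does not.
        return self.scheduled_completion is not None

    def exceeds_cmmc_window(self) -> bool:
        """True when the scheduled completion lies more than 180 days after identification."""
        return self.is_poam() and _d(self.scheduled_completion) > _d(self.identified_on) + CMMC_REMEDIATION_WINDOW

    def is_overdue(self, today: str) -> bool:
        return self.is_poam() and self.status != "Closed" and _d(today) > _d(self.scheduled_completion)

    def reschedule(self, new_date: str, reason: str) -> None:
        """Record the change in the 'Changes to Milestones' column instead of overwriting silently."""
        self.milestone_changes.append(f"{self.scheduled_completion} -> {new_date}: {reason}")
        self.scheduled_completion = new_date

def review(items: List[PoamItem], today: str):
    """Return ids of overdue items, items scheduled beyond the 180-day window, and undated items."""
    overdue = [i.item_id for i in items if i.is_overdue(today)]
    over_window = [i.item_id for i in items if i.exceeds_cmmc_window()]
    operational = [i.item_id for i in items if not i.is_poam()]
    return overdue, over_window, operational

# Constructed sample rows (not from the article); the control ids are ones the article cites.
SAMPLE = [
    PoamItem("V-01", "Periodic risk assessment not performed", "3.11.1", "ISSO", "High", "2025-01-10", "2025-03-01"),
    PoamItem("V-02", "Vulnerability scans not run periodically", "3.11.2", "SysAdmin", "Med", "2025-01-10", "2025-09-01"),
    PoamItem("V-03", "Supplier compliance re-verified each year", "GV.SC-07", "Procurement", "Low", "2025-01-10", None),
]
```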


Regardless of the guidance an organization follows, or the requirements they comply with, when managing an Information System, the POAM serves as a critical part of a System’s overarching System Security Plan.[v]


You may already be using the System Development Life Cycle (SDLC),[i] and a POAM can assist you there.

Technical Processes

  • Business OR Mission Analysis (BA)
  • Stakeholder Needs and Requirements Definition (SN)
  • System Requirements Definition (SR)
  • System Architecture Definition (SA)
  • Design Definition (DE)
  • System Analysis (SA)
  • Integration (IN)
  • Verification (VE)
  • Transition (TR)
  • Validation (VA)
  • Operation (OP)
  • Maintenance (MA)
  • Disposal (DS)

Technical Management Processes

  • Project Planning (PL)
  • Decision Management (DM)
  • Risk Management (RM)
  • Configuration Management (CM)
  • Information Management (IM)
  • Measurement (MS)
  • Quality Assurance (QA)

Organizational Project Enabling Processes

  • Life Cycle Model Management (LC)
  • Infrastructure Management (IM)
  • Portfolio Management (PM)
  • Human Resource Management (HR)
  • Quality Management (QM)
  • Knowledge Management (KM)

Agreement Processes

  • Acquisition (AQ)
  • Supply (SP)

System Life Cycle Processes (source: NIST SP 800-160r1v1: Engineering Trustworthy Secure Systems)


If you happen to be tasked with managing an Information System, there is a good chance your system management approach is a Life Cycle approach, meaning system design through disposal. A “static” configuration is really an archaic concept, and POAMs are a great tool for tracking the needs of an Information System as those needs adapt throughout its Life Cycle.


Whether you have conducted a self-assessment or have been through a more rigorous type of assessment, audit or inspection, there is a good chance a POAM (in addition to all other SSP documents and artifacts) was utilized to navigate that process. In a System Development Life Cycle (SDLC) approach, after assessment and authorization, the next step is to progress to some phase of Ongoing (or Continuous) Monitoring.


The robust Risk Management Framework (RMF) has Ongoing Monitoring baked in as Step 7, Monitor. In this Monitor step (like all steps in the RMF), there are specific tasks such as Ongoing Assessments (Task M-2) and Ongoing Risk Response (Task M-3),[i] both of which cite the Plan of Action and Milestones as a potential input. In the same table that summarizes the steps and expected outcomes in the RMF,[ii] the RMF cites the Cybersecurity Framework. NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations cites the CSF 1.1 control ID.SC-04 in that table, which correlates to the new CSF 2.0 control from the GOVERN function, GV.SC-07: “The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.” Following this correlation, when managing a System under CSF 2.0 and accounting for Supply Chain Risk Management, the POAM remains useful. The same scenario applies to CMMC, as the Final Rule of December 2024 states that operational plans of action are the appropriate mechanism to handle Cloud Service Providers (CSPs), External Service Providers (ESPs, not a CSP) and third-party vendors that are no longer compliant with a CMMC requirement.[iii]


Beyond Supply Chain Risk Management, a post-assessment POAM or Action Plan can facilitate implementation of multiple controls in the Cybersecurity Framework. An Operational Plan of Action can help an organization track its re-assessment requirements and fully meet Life Cycle requirements from NIST SP 800-171r2 under CMMC; and, for the RMF, the updated Plans of Action and Milestones can serve as data inputs when carrying out the monitor tasks in Step 7.


Ongoing Uses For A POAM or Operational Plan of Action

The NIST Cybersecurity Framework 2.0

  • GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship.
  • GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.
  • ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles.

CMMC / NIST SP 800-171r2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

  • 3.4.1: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  • 3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals….
  • 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  • Re-assessments

NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations

  • Task M-1: System and Environment Changes
  • Task M-2: Ongoing Assessments
  • Task M-3: Ongoing Risk Response
  • Task M-4: Authorization Package Updates
  • Task M-5: Security and Privacy Reporting
  • Task M-6: Ongoing Authorization


It only makes sense to continue using an Operational Plan of Action

Whether you continue to refer to it as a POAM, or you wish to align with CMMC, for example, and drop the milestone date (thus stripping a function and becoming the Operational Plan of Action), managing an Information System inside of an SDLC requires a plan of action, formally named or not. To look at it from a certain perspective: after an assessment, why would you take all the information in a POAM, and the function it serves, out of practice when you know you will still have tasks to perform around a System throughout its Life Cycle? Avoiding the rhetorical, I wouldn’t recommend that you do.


[i] NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations, Ch.3: The Process, 3.7: Monitor: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

[ii] NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations, Ch.3: The Process, 3.7: Monitor, Table 8: Monitor Tasks and Outcomes: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

[iii] Cybersecurity Maturity Model Certification (CMMC) Program: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program#p-587

[i] NIST Glossary of Terms: https://csrc.nist.gov/glossary/term/system_development_life_cycle

[i] The NIST Cybersecurity Framework 2.0: Section 3.1 CSF Profiles: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

[ii] The NIST Cybersecurity Framework 2.0: Section 3.1 CSF Profiles: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

[iii] NIST SP 800-171r2: Security Assessment Family, Requirement: 3.12.2, Discussion section.

[iv] Cybersecurity Maturity Model Certification (CMMC) Program: https://www.federalregister.gov/d/2024-22905/p-2009

[v] NIST Glossary of Terms: https://csrc.nist.gov/glossary/term/system_security_plan

[i] NIST Glossary of Terms: https://csrc.nist.gov/glossary/term/information_system

[ii] NIST Glossary of Terms: https://csrc.nist.gov/glossary/term/poaandm#:~:text=Sources%3A,dates%20for%20the%20milestones.%E2%80%9D%20%5B