The Plan of Action and Milestones (POA&M) is an organization’s “get well plan” for its cybersecurity program. The POA&M is the summary of individual Corrective Action Plans (CAPs) to address cyber risks in an organization. These risks are discovered as a result of a risk assessment, and are inevitable as security controls, threats, vulnerabilities, or organizational mission change over time. These risks represent “gaps” between an expected standard for a cybersecurity program (as defined by standard security control sets, such as NIST SP 800-171 or the CMMC) and the current state of safeguard implementation at an organization.
For instance, the NIST SP 800-171 standard requires an organization to implement an audit logging generation, collection, correlation, review, analysis, reporting, and reduction capability to discover anomalous behavior within its network. If the organization doesn’t have that capability, it has a gap between the expected and the implemented state. This gap represents organizational risk that must be mitigated through corrective action. The organization then develops a CAP for its auditing capability and adds that CAP to the POA&M. A POA&M may contain multiple CAPs, as there may be (and typically are) multiple deficiencies in an organization’s cybersecurity program at any given time.
By way of analogy, consider a get well plan to mend a broken bone. The visit to the doctor’s office will result in several different corrective actions: first to set the bone, second to stabilize the wound with a cast, third to prescribe medication for pain and infection, fourth to rehab physically, and so on. The sum total of these various CAPs would be the overall “get well plan” for the broken bone, analogous to a cybersecurity POA&M for an organization.
Completion of a CAP should be noted on the POA&M, but because a CAP provides information on organizational risk, CAPs should not be deleted from the POA&M. Organizational risks, even when mitigated, should be cataloged in perpetuity, so that the organization has an ongoing risk “register”. This register can then be consulted periodically to determine whether, despite mitigation, identical or similar risks recur over time, which would indicate some sort of systemic issue.