Most organizations are not 100% compliant with their regulatory cybersecurity controls. This is understandable in our dynamic, shifting IT operational environments. Employees come and go, the organization constantly has to keep up with changing customer demands, new and improved IT components that make our jobs easier are integrated into our hyperconnected IT systems, and adversaries get savvier every day. Changing threats, vulnerabilities, and impacts means changing risk. How is an organization expected to keep up with it? You keep up with it by monitoring risk and maintaining a cyber “get well” plan to address that risk. That get well plan is known as a Plan of Actions and Milestones (POA&M) in cybersecurity parlance.
Think about cybersecurity in different terms: the health of your IT system. Like your personal health. You go to the doctor for a checkup. The doctor runs a series of diagnostic tests to look for known problems, e.g. blood pressure, reflex issues, ear and throat infections, and so on. If he finds a symptom or a problem, he provides a course of treatment to get you healthy—a prescription, physical therapy, etc. Some courses of treatment may involve multiple aspects—anti-inflammatory, icepacks, rest and elevation, and physical therapy for a sprained ankle, for instance. Just as all humans eventually need some prescription to treat some illness, especially as we get older, all IT systems need regular checkups which often result in a course of treatment. You can think of your Plan of Action and Milestones (POA&M) as the course of treatment for your IT system cyber health.
For IT systems, that doctor checkup goes like this: Once your organization’s System Security Plan (SSP) is in place, and you’ve conducted your Security Control Assessment (the checkup), you’ll discover gaps (symptoms) between your existing policies/technology and the expected requirements. (Don’t have an SSP or haven’t done a Security Control Assessment? Don’t worry, we can help). These gaps are inevitable, for reasons stated above. The important thing, and the thing your regulators and auditors will expect, is to have a plan (your POA&M) in place to address those gaps—a course of treatment.
As an example, let’s say your cybersecurity controls require your user account passwords to expire after 180 days, but your Microsoft Office 365 implementation isn’t configured that way. You have gap. How do you close that gap in a controlled manner? You develop a Correction Action Plan (CAP), containing the following four elements at a minimum:
• Problem and risk description: “Our Microsoft O365 account passwords don’t expire after 180 days; this could allow an adversary who has compromised that account continued access for the better part of 6 months.”
• Corrective Action description: “Reconfigure O365 to require user account passwords to expire after 180 days.”
• Responsible party designation: “Jane Smith, O365 Administrator is responsible for executing this action.”
• Date to be implemented by: “O365 password expiration to be reconfigured within one month from opening date of this CAP.”
You can see the elements here are similar to those in an IT service ticket. In fact, you could use your IT service ticket system to manage all of your CAPs; that is a legitimate strategy. Whatever tool you use to manage CAPs, that tool now houses your Plan of Actions and Milestones, which is the sum total of your CAPs—your “get well” plan, your IT system course of treatment.
The POA&M is also a sort of “risk register” for your system, which changes over time. It’s important to maintain this risk register, to ensure the same old risks don’t keep rearing their ugly heads again and again over time. The POA&M doesn’t just go away when a CAP is finished; it’s a living document that is attached to the IT system. Auditors will expect to see your Plan of Action and Milestones, and expect to see CAPs being addressed in the timeframe specified by the organization. If not, they’ll become suspicious of the organization’s entire cybersecurity program. So it’s vital to maintain a POA&M both for organizational cyber risk management, but for regulatory compliance as well. It’s also vital to integrate the cybersecurity POA&M into other risk management activities of the business to ensure proper resource allocation.
We’ve been managing CAPs and POA&Ms for the DoD and US Federal Government enterprise IT (big ones, like the Centers for Medicare and Medicaid) for over a decade now. Let us bring that experience and know-how to your small- to medium-sized business. We’ll help you develop common sense, cost-effective CAPs, and help manage your cyber risk lifecycle in the POA&M.