Streamline your POAM with Standardized Templates
The Totem cybersecurity blog recently introduced Plans of Action and Milestones (POAMs), which document how an organization will resolve or mitigate their cybersecurity vulnerabilities. You can think of a POAM as a set of work instructions to bring your cybersecurity program into compliance with a standard. However, the process of actually completing a POAM requires more than just technical expertise. A level of business acumen and managerial insight is also essential. Whoever develops the POAM must understand the technical, financial, and human resources available to correct security vulnerabilities, along with the organization’s operating constraints and overall attitude towards risk. A standardized POAM template is a useful way to consolidate input from IT personnel and company leadership.
Why Use a Template?
To understand why a POAM template is so important, consider the prevailing mood after a cybersecurity assessment. Unless your organization passed with flying colors, there are likely to be some difficult conversations ahead. Mitigating the identified security risks may be expensive and time-consuming. A POAM template will keep discussions between IT and management narrowly focused on the process of documenting corrective actions, preventing aimless, frantic attempts to fix everything at once. The template also ensures that all the required information is captured in a structured, organized way.
An Internet search will produce many POAM templates, but in most cases, you’ll be fine with one of the free options below. Both have been made available by US government agencies for public use.
- NIST CUI POAM Template (.docx). This template was developed as a supplement to NIST SP 800-171, which instructs non-federal organizations (such as contractors supporting the DoD) on how to secure CUI.
- The FedRAMP POAM Template (.xlsm). The Federal Risk and Authorization Management Program (FedRAMP) is a cybersecurity framework specifically for cloud providers, but anybody is welcome to use their Excel-based POAM template.
Totem also offers a POAM development module in our Totem™ Cybersecurity Planning Tool. Completing your POAM can be as simple as entering the requisite information into either of those two spreadsheets or in our Tool. However, as we will discover below, simple does not necessarily mean easy. Developing an effective POAM means addressing some tough questions.
Using a fictional ‘ABC Company’ as our example, let’s walk through the NIST CUI POAM template.
A Comprehensive POAM Template Walkthrough
The first (leftmost) column is labelled ‘weakness’. This will be the easiest part of the template to complete because the information has already been identified during your most recent cybersecurity assessment. That assessment will have produced an assessment report, out-brief, security review, or list of findings/vulnerabilities describing the deficiencies in your organization’s security posture. Simply copy the list of findings, one per cell, into the ‘weakness’ column.
In our example, ABC Company is a DoD contractor. They were assessed against NIST SP 800-171 and found deficient in applying the security control described under 3.9.1. For ease of tracking, it’s a good idea to include the safeguard or “control” ID associated with each vulnerability.
The next column is ‘Responsible Office/Organization’. Resist the temptation to assign everything en masse to your IT department. Instead, scrutinize each security vulnerability and give serious thought to who is best equipped to address it. For example, the best way to ‘screen personnel’ for most companies is to conduct background checks, hardly a task for IT. This particular vulnerability would be best addressed by Human Resources, so let’s assign it to them. As a general rule of thumb, it’s better to be specific when developing a POAM, so let’s also add a point of contact.
The ‘Resources’ column will require some careful consideration. What do you need to fix this vulnerability? In some cases, mitigating a security vulnerability is as simple as implementing technology. The resource you would list for those instances could just be a fixed monetary amount: the cost of procuring the technology and installing and configuring it. In other cases, however, fixing a major vulnerability demands significant investments of time, money, and labor. On this template, be specific without getting too far into the details. The resource estimate should be a top-level overview of what is required, not a full business plan crammed into a single Excel cell.
Fortunately for ABC Company, this particular example can be solved simply by procuring background checks. They find a vendor conducting checks for $15 per person, and since ABC Company only hires roughly 3 people per year, they allocate $45 to resolve this vulnerability.
The next two columns are rather straightforward. In ‘Scheduled Completion Date’, analyze the weakness and the resources you’ll need to resolve it. When do you anticipate this issue being fully resolved?
The ‘Milestones with Interim Completion Dates’ column adds a little granularity to that estimate. This is where you break down the steps you’ll need to take prior to that final resolution. The number of steps will vary considerably depending on which vulnerability you’re working on. The dates may even end up changing. Don’t worry: a POAM is a living, dynamic document.
The final three columns are equally simple. The ‘Changes to Milestones’ field gives you the opportunity to address any changes. Perhaps a milestone completion date has changed, or perhaps you’ve found an entirely different way to address the vulnerability. Any such changes can be listed here.
The ‘How was the weakness identified’ field will almost always refer to whichever assessment, inspection, or security review uncovered the vulnerability.
The ‘Status’ field can be completed with a single-word answer. Is the resolution of this vulnerability still ongoing, or already completed?
And that’s it! After repeating the process for each of your vulnerabilities, you’ll have a comprehensive Plan of Action & Milestones for properly securing your information systems. Title your POAM as ‘version 1’. As things change and milestones are achieved, capture those changes in subsequent versions (version 1.2, version 1.3, etc.).
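As an added illustration (not part of the original post or of the NIST template itself), here is the walkthrough’s column layout modelled as one record per finding, with the consistency checks a reviewer would run before issuing the next version of the POAM. The ABC Company row is constructed from the example above; its dates and point of contact are assumed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Milestone:
    description: str
    due: date          # interim completion date
    done: bool = False

@dataclass
class PoamEntry:
    """One row of the NIST CUI POAM template, one field per column."""
    weakness: str                # finding text, prefixed with the 800-171 control ID
    responsible: str             # office and point of contact
    resources: str               # top-level resource estimate
    scheduled_completion: date
    milestones: list = field(default_factory=list)
    changes: str = ""
    identified_by: str = ""
    status: str = "Ongoing"      # single word: Ongoing or Completed

def validate(entry):
    """Return consistency problems for one row; an empty list means it is sound."""
    problems = []
    if entry.status not in ("Ongoing", "Completed"):
        problems.append(f"status must be Ongoing or Completed, got {entry.status!r}")
    for m in entry.milestones:
        if m.due > entry.scheduled_completion:
            problems.append(f"milestone {m.description!r} falls after scheduled completion")
    if entry.status == "Completed" and not all(m.done for m in entry.milestones):
        problems.append("row marked Completed while milestones remain open")
    return problems

def overdue_milestones(entries, today):
    """Open milestones whose interim date has passed: candidates for the 'Changes' column."""
    return [(e.weakness, m.description) for e in entries
            for m in e.milestones if not m.done and m.due < today]

# Constructed sample row: the ABC Company finding from the walkthrough (dates assumed).
ABC_ENTRY = PoamEntry(
    weakness="3.9.1 Personnel are not screened before being granted access to CUI",
    responsible="Human Resources (POC: HR Manager, placeholder)",
    resources="Vendor background checks at $15/person x 3 hires/year = $45",
    scheduled_completion=date(2024, 6, 30),
    milestones=[Milestone("Select background-check vendor", date(2024, 3, 31)),
                Milestone("Screen current CUI-handling staff", date(2024, 5, 31))],
    identified_by="NIST SP 800-171 assessment",
)
```

Running `validate` over every row and `overdue_milestones` as of the review date gives the list of rows whose ‘Changes to Milestones’ field needs updating in the next version.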
What if you’d rather use the FedRAMP POAM template? The format is a little more complex, but fortunately FedRAMP has produced their own POAM Template Completion Guide (.pdf). You’re welcome to use either template, but be aware that the FedRAMP format may be overkill for the average small-to-medium business. It requests more information and is less intuitive than the NIST CUI POAM template discussed here.
As for POAM management in our Totem™ Tool, it’s just as simple as the NIST template (even simpler if you don’t like using spreadsheets!). We teach the concepts of corrective action planning and POAM development/management in our monthly Workshops. Or contact us for a free 30-day trial of the software and give the Tool a test drive!
Taking POAMs from Headache to Opportunity
The difficulty of completing POAM templates depends on the severity of your cybersecurity vulnerabilities. The example we used with ABC Company was simple, but real-world findings may be more numerous and more complex. Worse, assessors often hand over long lists of findings and then vanish, leaving a beleaguered organization with no idea of where to begin.
The best advice in those situations is to reach out to qualified experts as early as possible. Completing your POAM template hand-in-hand with our experienced technicians can dramatically reduce the cost, time and effort required to resolve your security deficiencies. With over a decade of hands-on experience, our experts will transform your POAM into a clear, streamlined roadmap to cybersecurity compliance!