When a Quick Fix Just Isn't Possible
Security standards like NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) provide common frameworks for managing robust security programs. By following these standards, organizations will implement security controls that can help defend Controlled Unclassified Information (CUI). However, practically speaking, not even the most diligent IT team can ensure full compliance with absolutely every requirement all the time.
For example, a security control could rely upon software that has reached end-of-life. With new software licenses often costing thousands of dollars, your company may simply be unable to afford a replacement. Or instead, auditors might observe that your organization needs an alarm system installed, but the only vendor in your city is booked for months. Whatever the case, there will inevitably be times where your organization is non-compliant with one (or more likely, several) security controls.
Rather than simply throwing our hands into the air and admitting defeat, we roll up our sleeves and develop a plan. We need to document the tasks necessary to resolve our security program’s deficiencies, along with the resources required to do it. We’ll also keep track of the milestones that we’ll pass along the way. To hold ourselves accountable, and to let auditors know we’re serious about fixing these issues, those milestones should include estimated completion dates. This document, which is actually required by NIST 800-171’s Basic Security Requirements (3.12.2), is called a Plan of Action and Milestones, or POA&M.
Developing Your POA&M
There are many ways that deficiencies in our System Security Plan could be identified. The most common is for an internal review or an external auditor to identify weaknesses in your security posture during an inspection. Organizations with more mature security programs, on the other hand, will continuously monitor the efficacy of their security controls. In the process of doing so, they often discover that some controls are no longer fully effective. Whatever the case, these weaknesses must be tracked in your POA&M document. Each weakness will be addressed with specific corrective actions.
NIST’s sample POA&M template can help your organization start tracking the corrective actions needed to secure your information systems. As you fill out the form, remember that this is no mere administrative exercise: you are recording real-world risks to your business and developing ways to mitigate them!
With that in mind, an effective POA&M must be developed from an organization-wide perspective and should identify the resource requirements for each task. This means the POA&M shouldn’t be the sole responsibility of your IT department. Instead, company leadership should be involved to ensure the necessary resources are allocated and to hold accountable the entities responsible for executing the corrective actions.
Specificity and practicality are important: a good POA&M illustrates serious commitment to resolving your security deficiencies. A weak POA&M, on the other hand, lists vague, aspirational, or unrealistic tasks. An auditor will quickly recognize such documents as a mere ‘band-aid’ and suspect the organization is not taking deficiency remediation seriously.
Milestones are a key part of any effective POA&M. Complex POA&M items may be broken down into distinct phases and have several milestones, while for simple fixes, the only milestone could be the completion date itself. The POA&M will be continuously updated as you make progress towards remediation, making it a living, dynamic document. NIST 800-53r5 recommends (pg. 89) using security automation software to support this process, so consider tracking POA&M items with your ticketing system if you have one or utilizing our Totem Compliance Planning Tool.
The POA&M's Impact
It’s important not to underestimate the importance of the POA&M. NIST warns that “federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.” (NIST 800-171, 3.12.4). In other words, the quality of your POA&M can directly affect your chances of being awarded a government contract.
If your company is preparing to undertake this important process, take advantage of our decade of experience managing NIST-compliant POA&Ms. Our cybersecurity experts lead monthly workshops where we help your organization develop a POA&M that doesn’t just meet compliance requirements but serves as an integrated part of your cybersecurity program.
One final note: sometime within 2021, we will start seeing the first DoD contracts incorporating CMMC requirements. Unlike other security frameworks where auditors excuse security shortfalls when there is a well-crafted POA&M, CMMC is unique. When it comes to meeting the requirements of a certain CMMC level, the decision is binary: you either pass—you have all CMMC Practices fully implemented—or you fail. So, your organization will need to have met all your POA&M Milestones before the CMMC Assessment. However, CMMC auditors will still expect you to maintain a POA&M because at the end of the day, it’s not only about compliance, it’s about taking the practical steps necessary to secure your information systems! So, don’t delete the completed corrective actions out of your POA&M. Maintain the POA&M as a “living” document with a historical record of remediated deficiencies.
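If you track POA&M items in a ticketing system or a small script rather than a spreadsheet, the data model below captures the fields this post calls for: the weakness, the corrective action, the resources, an accountable owner, milestones with estimated completion dates, and completed items retained as history. This is an added example, not NIST’s template or the Totem tool; the weaknesses, control ids, dates and owners are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Milestone:
    description: str
    due: date                         # estimated completion date
    completed: Optional[date] = None  # set when the milestone is actually met

@dataclass
class PoamItem:
    weakness: str          # deficiency found by internal review or external audit
    control: str           # requirement not fully met (placeholder ids below)
    corrective_action: str
    resources: str         # budget, staff, vendors needed to execute the action
    owner: str             # accountable party; leadership, not only IT, signs off
    milestones: List[Milestone] = field(default_factory=list)

    def is_remediated(self) -> bool:
        # An item counts as fixed only when every milestone has a completion date.
        return bool(self.milestones) and all(m.completed for m in self.milestones)

    def overdue(self, today: date) -> List[str]:
        # Open milestones whose estimated completion date has already passed.
        return [m.description for m in self.milestones
                if m.completed is None and m.due < today]

def open_items(items: List[PoamItem]) -> List[str]:
    # CMMC is pass/fail: anything still open on assessment day blocks certification.
    return [i.weakness for i in items if not i.is_remediated()]

def remediation_history(items: List[PoamItem]) -> List[str]:
    # Completed items stay in the POA&M as the historical record.
    return [i.weakness for i in items if i.is_remediated()]

# Constructed sample POA&M (hypothetical weaknesses, control ids, dates, owners).
TODAY = date(2021, 6, 1)
SAMPLE = [
    PoamItem("Backup server runs end-of-life OS", "EXAMPLE-CTRL-1",
             "Migrate backups to a supported platform", "License budget, sysadmin time",
             "CIO", [Milestone("Approve license purchase", date(2021, 3, 1), date(2021, 2, 20)),
                     Milestone("Cut over to new server", date(2021, 5, 1))]),
    PoamItem("No intrusion alarm at server room", "EXAMPLE-CTRL-2",
             "Install monitored alarm system", "Vendor contract", "Facilities",
             [Milestone("Alarm installed and tested", date(2021, 4, 15), date(2021, 4, 10))]),
]

if __name__ == "__main__":
    print("overdue:", {i.weakness: i.overdue(TODAY) for i in SAMPLE})
    print("open:", open_items(SAMPLE), "history:", remediation_history(SAMPLE))
```

Running it lists the overdue cut-over milestone and one open item, while the finished alarm installation remains in the history rather than being deleted.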