SlideShare a Scribd company logo

Plan of Action and Milestones (POA&M)

Download as DOCX, PDF
GovCloud Network
GovCloud Network

This document is a template for a Plan of Action and Milestones (POA&M) for an information system called <Information System Name>. The POA&M identifies security weaknesses or deficiencies in the system, along with plans and milestones to remediate them. It includes an introduction describing the purpose and scope of the POA&M. A methodology section outlines how the POA&M will be structured, with a worksheet to track weaknesses, points of contact, resources required, milestones and completion dates. Appendices define acronyms and references used in the document.

Technology
1 of 12
POA&M <Information System Name>, <Date> Plan of Action and Milestones (POA&M) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
FedRAMP Plan of Action and Milestones Template Table of Contents ABOUT THIS DOCUMENT................................................................................................................. 4 Who should use this document? ..................................................................................................... 4 Conventions used in this document ................................................................................................ 4 How to contact us............................................................................................................................ 5 1. INTRODUCTION....................................................................................................................... 6 1.1. Purpose............................................................................................................................... 6 1.2. Scope .................................................................................................................................. 6 1.3. System Description ............................................................................................................. 6 2. Methodology .......................................................................................................................... 7 Worksheet 1: System POA&M ................................................................................................... 7 APPENDIX A. ACRONYMS............................................................................................................. 11 APPENDIX B. REFERENCES ........................................................................................................... 12 Draft Version 0.1 Page 2 of 12 Table of Contents
FedRAMP Plan of Action and Milestones Template Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Draft Version 0.1 Page 3 of 12 Document Revision History
FedRAMP Plan of Action and Milestones Template ABOUTTHIS DOCUMENT This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and plan of action and milestones for how the deficiencies will be mitigated. Who should use this document? This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Draft Version 0.1 Page 4 of 12
FedRAMP Plan of Action and Milestones Template Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. How to contact us If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov o Draft Version 0.1 Page 5 of 12
FedRAMP Plan of Action and Milestones Template 1. INTRODUCTION The plan of action and milestones (POA&M) is one of three key documents in the security authorization package anddescribes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls notedduring the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by theauthorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security controlassessment. 1.1. Purpose The purpose of POA&M is to facilitate a disciplined andstructured approach to mitigating risks in accordance with Cloud Service Providers (CSP’s) priorities.POA&Ms are based on the findings and recommendations of thesecurity assessment report excluding any remediation actions taken. CSP POA&M’s are based on: (i) the security categorization of the cloud information system; (ii) the specificweaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses ordeficiencies; and (iv) CSP’s proposed risk mitigation approach to address the identifiedweaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of riskmitigation resources). The POA&M identifies: (i) the tasks to be accomplished with a recommendation for completion either before or afterinformation system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meetingthe tasks; and (iv) the scheduled completion dates for the milestones. 1.2. Scope The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items) 1.3. System Description The <Information System Name or Acronym>system has been determined to have a security categorization of <Moderate, or Low>. Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP). Draft Version 0.1 Page 6 of 12
FedRAMP Plan of Action and Milestones Template 2. Methodology POA&Ms must include all known security weaknesses withinthe cloud information system. Weakness information is gathered and reported using embeddedFedRAMP POA&M workbook, which is comprised of five worksheets including the System POA&M worksheet, and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year. Worksheet 1: System POA&M The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below. Measure Details Systems are categorized as Low, Moderate, or High based on a FIPS 199 Risk Impact Level completed FIPS 199/800-60 evaluation. Systems are identified as either Federal or Contractor.Contractor systems are identified as any system that processes or handles GSA- Federal or Contractor owned information on behalf of GSA that are housed at non-GSA System facilities including contractor, consultant, or other third party (includes Federal agencies/departments) sites. The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMBs format requirements. Column A – POAM ID. – A unique identifier must be assigned to each POA&M item. Column B -- Weakness Description.Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Column C – Point of Contact (POC).Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported. Column D -- Resources Required. Identify any resources, obstacles and challenges needed to resolve the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Draft Version 0.1 Page 7 of 12
FedRAMP Plan of Action and Milestones Template A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column F, Milestone Changes. Column E -- Scheduled Completion Date.A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column G, Milestone Changes. Column F – Milestones with Completion Dates.A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once it is recorded. Column G–Source of Discovery.Identify sources for all weaknesses. Ensure this is consistent with the SAR. Column H --Status. A status of Completed or Ongoing must be assigned to each weakness. Completed — This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness. Ongoing — This status is assigned to both current weaknesses that have not exceeded the associated Scheduled Completion Date and delayed weaknesses. Vendor provided Plan of Action & Milestone (POA&M) must comply with the following: Use the POA&M template embedded in this document to track and manage POA&Ms. If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR Non-Conforming Controls listed in the SAR, may be recommended by the vendor/assessor, but if accepted by the JAB, need to be added in the POA&M. As technology evolves, Non- Conforming Controls need to be revaluated as mitigation techniques may surface that did not previously exist at the time of the decision or countermeasure costs may decrease affecting the original Non-Conforming Controls. Draft Version 0.1 Page 8 of 12
FedRAMP Plan of Action and Milestones Template • False positives must be clearly identified within the SAR, along with supporting evidence (e.g., clean scan report) do not have to be identified in the POA&M. • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding. • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization. • Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date. Draft Version 0.1 Page 9 of 12
FedRAMP Plan of Action and Milestones Template Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Te mplate 043012.xlsx Draft Version 0.1 Page 10 of 12
FedRAMP Plan of Action and Milestones Template APPENDIX A. ACRONYMS [NOTE: Update the acronym list based on the acronyms used in this document] AC Authentication Category AP Assurance Profile API Application Programming Interface ATO Authorization to Operate C&A Certification & Accreditation COTS Commercial Off the Shelf AO Authorizing Official FedRAMP Federal Risk and Authorization Management Program FIPS PUB Federal Information Processing Standard Publication FISMA Federal Information Security Management Act GSS General Support System IaaS Infrastructure as a Service (Model) IATO Interim Authorization to Operate ID Identification IT Information Technology LAN Local Area Network NIST National Institute of Standards and Technology OMB Office of Management and Budget PIA Privacy Impact Assessment POA&M Plan of Action and Milestones POC Point of Contact RA Risk Assessment Rev. Revision SA Security Assessment SAR Security Assessment Report SDLC System Development Life Cycle SP Special Publication SSP System Security Plan VLAN Virtual Local Area Network Draft Version 0.1 Page 11 of 12
FedRAMP Plan of Action and Milestones Template APPENDIX B. REFERENCES [NOTE: Update references as needed to reflect current guidance] Laws and Regulations: Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347. Consolidated Appropriations Act of 2005, Section 522. USA PATRIOT Act (P.L. 107-56), October 2001. OMB Circulars: OMB Circular A-130, Management of Federal Information Resources, November 2000. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006. FIPS Publications: FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Publications: NIST 800-18, Guide for Developing Security Plans for Information Technology Systems NIST 800-26, Security Self-Assessment Guide for Information Technology Systems NIST 800-30, Risk Management Guide for Information Technology Systems NIST 800-34, Contingency Planning Guide for Information Technology Systems NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST 800-47, Security Guide for Interconnecting Information Technology Systems NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology NIST 800-64, Security Considerations in the Information System Development Life Cycle Draft Version 0.1 Page 12 of 12

Recommended

PMP Mind Maps Complete
PMP Mind Maps CompletePMP Mind Maps Complete
PMP Mind Maps CompleteKareemBullard1
 
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)PECB
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementChristian F. Nissen
 
Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...
Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...
Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...Dan Barrett
 
Discover the right tools for your Project Management Office (PMO)
Discover the right tools for your Project Management Office (PMO)Discover the right tools for your Project Management Office (PMO)
Discover the right tools for your Project Management Office (PMO)Hussain Bandukwala
 
IT Portfolio Management using Enterprise Architecture and ITIL Service Strategy
IT Portfolio Management using Enterprise Architecture and ITIL Service StrategyIT Portfolio Management using Enterprise Architecture and ITIL Service Strategy
IT Portfolio Management using Enterprise Architecture and ITIL Service StrategyBoonNam Goh
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
Zachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureZachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureJoaquin Marques
 

Recommended

PMP Mind Maps Complete
PMP Mind Maps CompletePMP Mind Maps Complete
PMP Mind Maps CompleteKareemBullard1
 
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA)PECB
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementChristian F. Nissen
 
Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...
Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...
Everything TRIRIGA users need to know about IBM InterConnect 2016 with Sessio...Dan Barrett
 
Discover the right tools for your Project Management Office (PMO)
Discover the right tools for your Project Management Office (PMO)Discover the right tools for your Project Management Office (PMO)
Discover the right tools for your Project Management Office (PMO)Hussain Bandukwala
 
IT Portfolio Management using Enterprise Architecture and ITIL Service Strategy
IT Portfolio Management using Enterprise Architecture and ITIL Service StrategyIT Portfolio Management using Enterprise Architecture and ITIL Service Strategy
IT Portfolio Management using Enterprise Architecture and ITIL Service StrategyBoonNam Goh
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
Zachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureZachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureJoaquin Marques
 
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamNUS-ISS
 
Third-Party Risk Management
Third-Party Risk ManagementThird-Party Risk Management
Third-Party Risk ManagementMark Scales
 
Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Bryghtpath LLC
 
“Organizational Project Management Maturity Model – An Insider’s Overview”
“Organizational Project Management Maturity Model – An Insider’s Overview”“Organizational Project Management Maturity Model – An Insider’s Overview”
“Organizational Project Management Maturity Model – An Insider’s Overview”Saji Madapat
 
Information Security Committee Presentation Sample
Information Security Committee Presentation SampleInformation Security Committee Presentation Sample
Information Security Committee Presentation Sampleoaes2006
 
Enterprise Architecture Approach Togaf 9
Enterprise Architecture Approach Togaf 9Enterprise Architecture Approach Togaf 9
Enterprise Architecture Approach Togaf 9Prashant Patade
 
Évolution des bonnes pratiques en sécurité de l’information
Évolution des bonnes pratiques en sécurité de l’information Évolution des bonnes pratiques en sécurité de l’information
Évolution des bonnes pratiques en sécurité de l’information ISACA Chapitre de Québec
 
PMP Process Chart - 6th Edition
PMP Process Chart - 6th EditionPMP Process Chart - 6th Edition
PMP Process Chart - 6th EditionNasser Al mohimeed,PMP
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Business Risk Analysis PowerPoint Presentation Slides
Business Risk Analysis PowerPoint Presentation SlidesBusiness Risk Analysis PowerPoint Presentation Slides
Business Risk Analysis PowerPoint Presentation SlidesSlideTeam
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 
SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0Maganathin Veeraragaloo
 
Togaf 9 template architecture building blocks
Togaf 9 template architecture building blocksTogaf 9 template architecture building blocks
Togaf 9 template architecture building blocksSandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Business Continuity Planning Presentation
Business Continuity Planning PresentationBusiness Continuity Planning Presentation
Business Continuity Planning PresentationThe Chamber For a Greater Chapel Hill-Carrboro
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Cisa domain 4
Cisa domain 4Cisa domain 4
Cisa domain 4ShivamSharma909
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019Wellingtone
 
Togaf 9 template Preliminary Phase architecture principles
Togaf 9 template Preliminary Phase architecture principlesTogaf 9 template Preliminary Phase architecture principles
Togaf 9 template Preliminary Phase architecture principlesSandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...PECB
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxjuliennehar
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxherthalearmont
 

More Related Content

What's hot

COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamNUS-ISS
 
Third-Party Risk Management
Third-Party Risk ManagementThird-Party Risk Management
Third-Party Risk ManagementMark Scales
 
Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Bryghtpath LLC
 
“Organizational Project Management Maturity Model – An Insider’s Overview”
“Organizational Project Management Maturity Model – An Insider’s Overview”“Organizational Project Management Maturity Model – An Insider’s Overview”
“Organizational Project Management Maturity Model – An Insider’s Overview”Saji Madapat
 
Information Security Committee Presentation Sample
Information Security Committee Presentation SampleInformation Security Committee Presentation Sample
Information Security Committee Presentation Sampleoaes2006
 
Enterprise Architecture Approach Togaf 9
Enterprise Architecture Approach Togaf 9Enterprise Architecture Approach Togaf 9
Enterprise Architecture Approach Togaf 9Prashant Patade
 
Évolution des bonnes pratiques en sécurité de l’information
Évolution des bonnes pratiques en sécurité de l’information Évolution des bonnes pratiques en sécurité de l’information
Évolution des bonnes pratiques en sécurité de l’information ISACA Chapitre de Québec
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Business Risk Analysis PowerPoint Presentation Slides
Business Risk Analysis PowerPoint Presentation SlidesBusiness Risk Analysis PowerPoint Presentation Slides
Business Risk Analysis PowerPoint Presentation SlidesSlideTeam
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019Wellingtone
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...PECB
 

What's hot (20)

COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon NamCOBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam
 
Third-Party Risk Management
Third-Party Risk ManagementThird-Party Risk Management
Third-Party Risk Management
 
Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...Assessing the impact of a disruption: Building an effective business impact a...
Assessing the impact of a disruption: Building an effective business impact a...
 
“Organizational Project Management Maturity Model – An Insider’s Overview”
“Organizational Project Management Maturity Model – An Insider’s Overview”“Organizational Project Management Maturity Model – An Insider’s Overview”
“Organizational Project Management Maturity Model – An Insider’s Overview”
 
Information Security Committee Presentation Sample
Information Security Committee Presentation SampleInformation Security Committee Presentation Sample
Information Security Committee Presentation Sample
 
Enterprise Architecture Approach Togaf 9
Enterprise Architecture Approach Togaf 9Enterprise Architecture Approach Togaf 9
Enterprise Architecture Approach Togaf 9
 
Évolution des bonnes pratiques en sécurité de l’information
Évolution des bonnes pratiques en sécurité de l’information Évolution des bonnes pratiques en sécurité de l’information
Évolution des bonnes pratiques en sécurité de l’information
 
PMP Process Chart - 6th Edition
PMP Process Chart - 6th EditionPMP Process Chart - 6th Edition
PMP Process Chart - 6th Edition
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
 
Business Risk Analysis PowerPoint Presentation Slides
Business Risk Analysis PowerPoint Presentation SlidesBusiness Risk Analysis PowerPoint Presentation Slides
Business Risk Analysis PowerPoint Presentation Slides
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
 
SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0
 
Togaf 9 template architecture building blocks
Togaf 9 template architecture building blocksTogaf 9 template architecture building blocks
Togaf 9 template architecture building blocks
 
Business Continuity Planning Presentation
Business Continuity Planning PresentationBusiness Continuity Planning Presentation
Business Continuity Planning Presentation
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
 
Cisa domain 4
Cisa domain 4Cisa domain 4
Cisa domain 4
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
Best PMO in Europe 2019 - Triglav Group | FuturePMO 2019
 
Togaf 9 template Preliminary Phase architecture principles
Togaf 9 template Preliminary Phase architecture principlesTogaf 9 template Preliminary Phase architecture principles
Togaf 9 template Preliminary Phase architecture principles
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
 

Similar to Plan of Action and Milestones (POA&M)

This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxjuliennehar
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxherthalearmont
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxrhetttrevannion
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Jay Steidle
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxmary772
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateGovCloud Network
 
Documentation on bigmarket copy
Documentation on bigmarket copyDocumentation on bigmarket copy
Documentation on bigmarket copyswamypotharaveni
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010Steve Turner
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Thinksoft Global
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdfRaoShahid10
 
On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?Callidus Software
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfSamehMostafa33
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsLindaWatson19
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxtienboileau
 

Similar to Plan of Action and Milestones (POA&M) (20)

This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docx
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
 
Unit iii tqm
Unit iii tqmUnit iii tqm
Unit iii tqm
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) Template
 
Documentation on bigmarket copy
Documentation on bigmarket copyDocumentation on bigmarket copy
Documentation on bigmarket copy
 
Mrd template
Mrd templateMrd template
Mrd template
 
0.3 aim phases_and_documentations
0.3 aim phases_and_documentations0.3 aim phases_and_documentations
0.3 aim phases_and_documentations
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdf
 
On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdf
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy Applications
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docx
 
Blue book
Blue bookBlue book
Blue book
 
Is 4 th
Is 4 thIs 4 th
Is 4 th
 

More from GovCloud Network

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeGovCloud Network
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in CyberspaceGovCloud Network
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessGovCloud Network
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture GovCloud Network
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonGovCloud Network
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher PageGovCloud Network
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanGovCloud Network
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)GovCloud Network
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefGovCloud Network
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonGovCloud Network
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentGovCloud Network
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013GovCloud Network
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 

More from GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

Recently uploaded

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Recently uploaded (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Plan of Action and Milestones (POA&M)

  • 1. POA&M <Information System Name>, <Date> Plan of Action and Milestones (POA&M) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
  • 2. FedRAMP Plan of Action and Milestones Template Table of Contents ABOUT THIS DOCUMENT................................................................................................................. 4 Who should use this document? ..................................................................................................... 4 Conventions used in this document ................................................................................................ 4 How to contact us............................................................................................................................ 5 1. INTRODUCTION....................................................................................................................... 6 1.1. Purpose............................................................................................................................... 6 1.2. Scope .................................................................................................................................. 6 1.3. System Description ............................................................................................................. 6 2. Methodology .......................................................................................................................... 7 Worksheet 1: System POA&M ................................................................................................... 7 APPENDIX A. ACRONYMS............................................................................................................. 11 APPENDIX B. REFERENCES ........................................................................................................... 12 Draft Version 0.1 Page 2 of 12 Table of Contents
  • 3. FedRAMP Plan of Action and Milestones Template Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Draft Version 0.1 Page 3 of 12 Document Revision History
  • 4. FedRAMP Plan of Action and Milestones Template ABOUTTHIS DOCUMENT This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and plan of action and milestones for how the deficiencies will be mitigated. Who should use this document? This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Draft Version 0.1 Page 4 of 12
  • 5. FedRAMP Plan of Action and Milestones Template Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. How to contact us If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov o Draft Version 0.1 Page 5 of 12
  • 6. FedRAMP Plan of Action and Milestones Template 1. INTRODUCTION The plan of action and milestones (POA&M) is one of three key documents in the security authorization package anddescribes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls notedduring the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by theauthorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security controlassessment. 1.1. Purpose The purpose of POA&M is to facilitate a disciplined andstructured approach to mitigating risks in accordance with Cloud Service Providers (CSP’s) priorities.POA&Ms are based on the findings and recommendations of thesecurity assessment report excluding any remediation actions taken. CSP POA&M’s are based on: (i) the security categorization of the cloud information system; (ii) the specificweaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses ordeficiencies; and (iv) CSP’s proposed risk mitigation approach to address the identifiedweaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of riskmitigation resources). The POA&M identifies: (i) the tasks to be accomplished with a recommendation for completion either before or afterinformation system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meetingthe tasks; and (iv) the scheduled completion dates for the milestones. 1.2. Scope The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items) 1.3. System Description The <Information System Name or Acronym>system has been determined to have a security categorization of <Moderate, or Low>. Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP). Draft Version 0.1 Page 6 of 12
  • 7. FedRAMP Plan of Action and Milestones Template 2. Methodology POA&Ms must include all known security weaknesses withinthe cloud information system. Weakness information is gathered and reported using embeddedFedRAMP POA&M workbook, which is comprised of five worksheets including the System POA&M worksheet, and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year. Worksheet 1: System POA&M The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below. Measure Details Systems are categorized as Low, Moderate, or High based on a FIPS 199 Risk Impact Level completed FIPS 199/800-60 evaluation. Systems are identified as either Federal or Contractor.Contractor systems are identified as any system that processes or handles GSA- Federal or Contractor owned information on behalf of GSA that are housed at non-GSA System facilities including contractor, consultant, or other third party (includes Federal agencies/departments) sites. The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMBs format requirements. Column A – POAM ID. – A unique identifier must be assigned to each POA&M item. Column B -- Weakness Description.Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Column C – Point of Contact (POC).Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported. Column D -- Resources Required. Identify any resources, obstacles and challenges needed to resolve the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Draft Version 0.1 Page 7 of 12
  • 8. FedRAMP Plan of Action and Milestones Template A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column F, Milestone Changes. Column E -- Scheduled Completion Date.A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column G, Milestone Changes. Column F – Milestones with Completion Dates.A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once it is recorded. Column G–Source of Discovery.Identify sources for all weaknesses. Ensure this is consistent with the SAR. Column H --Status. A status of Completed or Ongoing must be assigned to each weakness. Completed — This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness. Ongoing — This status is assigned to both current weaknesses that have not exceeded the associated Scheduled Completion Date and delayed weaknesses. Vendor provided Plan of Action & Milestone (POA&M) must comply with the following: Use the POA&M template embedded in this document to track and manage POA&Ms. If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR Non-Conforming Controls listed in the SAR, may be recommended by the vendor/assessor, but if accepted by the JAB, need to be added in the POA&M. As technology evolves, Non- Conforming Controls need to be revaluated as mitigation techniques may surface that did not previously exist at the time of the decision or countermeasure costs may decrease affecting the original Non-Conforming Controls. Draft Version 0.1 Page 8 of 12
  • 9. FedRAMP Plan of Action and Milestones Template • False positives must be clearly identified within the SAR, along with supporting evidence (e.g., clean scan report) do not have to be identified in the POA&M. • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding. • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization. • Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date. Draft Version 0.1 Page 9 of 12
  • 10. FedRAMP Plan of Action and Milestones Template Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Te mplate 043012.xlsx Draft Version 0.1 Page 10 of 12
  • 11. FedRAMP Plan of Action and Milestones Template APPENDIX A. ACRONYMS [NOTE: Update the acronym list based on the acronyms used in this document] AC Authentication Category AP Assurance Profile API Application Programming Interface ATO Authorization to Operate C&A Certification & Accreditation COTS Commercial Off the Shelf AO Authorizing Official FedRAMP Federal Risk and Authorization Management Program FIPS PUB Federal Information Processing Standard Publication FISMA Federal Information Security Management Act GSS General Support System IaaS Infrastructure as a Service (Model) IATO Interim Authorization to Operate ID Identification IT Information Technology LAN Local Area Network NIST National Institute of Standards and Technology OMB Office of Management and Budget PIA Privacy Impact Assessment POA&M Plan of Action and Milestones POC Point of Contact RA Risk Assessment Rev. Revision SA Security Assessment SAR Security Assessment Report SDLC System Development Life Cycle SP Special Publication SSP System Security Plan VLAN Virtual Local Area Network Draft Version 0.1 Page 11 of 12
  • 12. FedRAMP Plan of Action and Milestones Template APPENDIX B. REFERENCES [NOTE: Update references as needed to reflect current guidance] Laws and Regulations: Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347. Consolidated Appropriations Act of 2005, Section 522. USA PATRIOT Act (P.L. 107-56), October 2001. OMB Circulars: OMB Circular A-130, Management of Federal Information Resources, November 2000. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006. FIPS Publications: FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Publications: NIST 800-18, Guide for Developing Security Plans for Information Technology Systems NIST 800-26, Security Self-Assessment Guide for Information Technology Systems NIST 800-30, Risk Management Guide for Information Technology Systems NIST 800-34, Contingency Planning Guide for Information Technology Systems NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST 800-47, Security Guide for Interconnecting Information Technology Systems NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology NIST 800-64, Security Considerations in the Information System Development Life Cycle Draft Version 0.1 Page 12 of 12