FedRAMP POA&M: Everything You Need to Know

November 19, 2025 | FedRAMP

For Cloud Service Providers (CSPs) that are on the road toward FedRAMP, or that have already achieved authorization, a Plan of Action and Milestones (POA&M) is a key document to guide continuous monitoring and drive efforts to improve your overall security posture.

Here’s everything you need to know about what this document should include and why it’s so important to the FedRAMP authorization process.

What is a Plan of Action and Milestones (POA&M)?

A FedRAMP POA&M is a detailed document that lists known weaknesses and deficiencies in your organization’s security posture, and outlines specific actions you plan to take to rectify those issues. The document also contains milestones that your organization plans to hit along the way, as well as deadlines for achieving those milestones.

FedRAMP's own POA&M template guidance describes the document as a way to “facilitate a disciplined and structured approach to tracking risk mitigation activities,” and it gives the authorizing agency (and the FedRAMP PMO) a single place to monitor the CSP’s remediation progress.

CSPs pursuing FedRAMP authorization must develop and maintain a POA&M as part of the program’s stringent continuous monitoring (ConMon) requirements. 

What Does the Document Look Like?

A typical POA&M worksheet carries a broad set of fields so that the CSP and its sponsoring agency can track each known weakness and the progress made toward resolving it. Each row identifies the affected control and describes the weakness, then records the key facts about it: a unique POA&M ID, the source that identified the weakness (for example a monthly vulnerability scan or the 3PAO’s annual assessment), the assets affected, the date it was identified, the milestones and scheduled completion date for remediation, and the resources required. Each row also carries status updates, references to supporting documents, and a risk rating for the weakness (with the original rating kept alongside any adjusted rating).

CSPs should also keep a log of “closed” POA&M items—i.e., weaknesses that have since been resolved. This not only helps your security and compliance team stay organized, but also allows you to demonstrate that you are taking active steps to improve your security posture and practicing continuous monitoring in accordance with FedRAMP standards.
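To make the worksheet structure above concrete, here is a small register that models the open and closed POA&M lists and flags items that have run past their remediation window. This is an added example, not code from BARR Advisory or from FedRAMP; the 30/90/180-day windows are the remediation timeframes FedRAMP’s Continuous Monitoring Strategy Guide sets for High, Moderate and Low findings, and the sample items, control IDs and dates are constructed for illustration.

```python
"""Minimal POA&M register (added example, not BARR Advisory or FedRAMP code).

Models the fields a FedRAMP POA&M worksheet carries, computes each open
item's remediation deadline from its risk rating, flags late items, and
moves remediated items to the closed log instead of deleting them.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# FedRAMP ConMon remediation windows, counted from the date of initial detection
# (FedRAMP Continuous Monitoring Strategy Guide): High 30, Moderate 90, Low 180 days.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}


@dataclass
class PoamItem:
    poam_id: str        # unique identifier, e.g. "POAM-001"
    control: str        # affected NIST SP 800-53 control, e.g. "SI-2"
    weakness: str       # description of the weakness
    source: str         # where it was identified (scanner, 3PAO assessment, ...)
    risk: str           # "High", "Moderate" or "Low"
    detected: date      # date the weakness was identified
    milestones: list    # milestones with target dates, kept as free text here
    resources: str      # resources required to remediate
    status: str = "Open"
    completed: Optional[date] = None

    def scheduled_completion(self) -> date:
        """Deadline implied by the item's risk rating."""
        return self.detected + timedelta(days=REMEDIATION_DAYS[self.risk])

    def is_late(self, today: date) -> bool:
        """An open item past its window must be reported as late."""
        return self.status == "Open" and today > self.scheduled_completion()


def late_item_ids(open_items: list, today: date) -> list:
    """Sorted IDs of open items that have exceeded their remediation window."""
    return sorted(i.poam_id for i in open_items if i.is_late(today))


def close_item(open_items: list, closed_items: list, poam_id: str, completed: date) -> bool:
    """Move a remediated item from the open worksheet to the closed log.

    Closed items are retained so the CSP can show its remediation history.
    Returns False if no open item has that ID.
    """
    for item in open_items:
        if item.poam_id == poam_id:
            item.status = "Closed"
            item.completed = completed
            open_items.remove(item)
            closed_items.append(item)
            return True
    return False


def build_sample_register() -> tuple:
    """Constructed sample data (hypothetical, not from any real system)."""
    open_items = [
        PoamItem("POAM-001", "SI-2", "Unpatched OpenSSH on bastion host",
                 "Monthly OS vulnerability scan", "High", date(2025, 10, 1),
                 ["Patch bastion by 2025-10-20", "Rescan by 2025-10-25"],
                 "1 sysadmin, maintenance window"),
        PoamItem("POAM-002", "AC-2", "Stale service accounts not reviewed quarterly",
                 "3PAO annual assessment", "Moderate", date(2025, 9, 15),
                 ["Review and disable by 2025-11-30", "Automate review by 2025-12-10"],
                 "IAM engineer"),
        PoamItem("POAM-003", "CM-6", "TLS 1.0 enabled on legacy admin portal",
                 "Monthly web application scan", "Low", date(2025, 4, 1),
                 ["Disable TLS 1.0 by 2025-09-01"],
                 "Web team, change request"),
    ]
    return open_items, []


if __name__ == "__main__":
    open_items, closed_items = build_sample_register()
    as_of = date(2025, 11, 19)
    print("Late items:", late_item_ids(open_items, as_of))
    close_item(open_items, closed_items, "POAM-003", date(2025, 11, 18))
    print("Late items after closing POAM-003:", late_item_ids(open_items, as_of))
    print("Closed log:", [i.poam_id for i in closed_items])
```

Run as of 2025-11-19, the High item detected on October 1 (due October 31) and the Low item detected on April 1 (due September 28) are both late, while the Moderate item has until December 14; closing POAM-003 moves it to the closed log and leaves only POAM-001 flagged.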

Why is Continuous Monitoring So Important in FedRAMP?

Continuous monitoring is a core piece of maintaining FedRAMP authorization. For CSPs aiming to work with federal agencies, security shouldn’t be a one-time task that ends after your audit. Federal regulations and the overall threat landscape are constantly changing, as is your organization and its cloud service offerings—and your security program must evolve to keep up. 

By continuously monitoring and improving your security program, you can confirm that your controls remain effective over time and demonstrate that your organization has a mature risk management posture. This process should include activities such as:

  • Risk assessments;
  • Monthly vulnerability scans and an annual penetration test;
  • Reviewing and updating your security controls;
  • Annual assessments by a Third-Party Assessment Organization (3PAO); and,
  • Ongoing management of the POA&M.

How Does BARR Help?

At BARR Advisory, our team has the expertise and experience to guide you through the initial authorization process and beyond, enabling you to focus on your core service offerings while we ensure your compliance. We assist with System Security Plan (SSP) maintenance, offering a focused approach to maintaining your SSP package, preventing compliance drift, and ensuring your environment remains aligned with FedRAMP requirements post-authorization. We also provide comprehensive monitoring of your environment and operational processes to ensure full compliance with FedRAMP’s ConMon requirements.

Ready to take the next step on your FedRAMP journey? Our team can help you prepare your POA&M and other required documents to put you on the path to success. Contact us today to speak with our experts.
