SlideShare ist ein Scribd-Unternehmen logo

Plan of Action and Milestones (POA&M)

Als DOCX, PDF herunterladen
GovCloud Network
GovCloud Network

This document is a template for a Plan of Action and Milestones (POA&M) for an information system called <Information System Name>. The POA&M identifies security weaknesses or deficiencies in the system, along with plans and milestones to remediate them. It includes an introduction describing the purpose and scope of the POA&M. A methodology section outlines how the POA&M will be structured, with a worksheet to track weaknesses, points of contact, resources required, milestones and completion dates. Appendices define acronyms and references used in the document.

Technologie
1 von 12
POA&M <Information System Name>, <Date> Plan of Action and Milestones (POA&M) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
FedRAMP Plan of Action and Milestones Template Table of Contents ABOUT THIS DOCUMENT................................................................................................................. 4 Who should use this document? ..................................................................................................... 4 Conventions used in this document ................................................................................................ 4 How to contact us............................................................................................................................ 5 1. INTRODUCTION....................................................................................................................... 6 1.1. Purpose............................................................................................................................... 6 1.2. Scope .................................................................................................................................. 6 1.3. System Description ............................................................................................................. 6 2. Methodology .......................................................................................................................... 7 Worksheet 1: System POA&M ................................................................................................... 7 APPENDIX A. ACRONYMS............................................................................................................. 11 APPENDIX B. REFERENCES ........................................................................................................... 12 Draft Version 0.1 Page 2 of 12 Table of Contents
FedRAMP Plan of Action and Milestones Template Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Draft Version 0.1 Page 3 of 12 Document Revision History
FedRAMP Plan of Action and Milestones Template ABOUTTHIS DOCUMENT This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and plan of action and milestones for how the deficiencies will be mitigated. Who should use this document? This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Draft Version 0.1 Page 4 of 12
FedRAMP Plan of Action and Milestones Template Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. How to contact us If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov o Draft Version 0.1 Page 5 of 12
FedRAMP Plan of Action and Milestones Template 1. INTRODUCTION The plan of action and milestones (POA&M) is one of three key documents in the security authorization package anddescribes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls notedduring the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by theauthorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security controlassessment. 1.1. Purpose The purpose of POA&M is to facilitate a disciplined andstructured approach to mitigating risks in accordance with Cloud Service Providers (CSP’s) priorities.POA&Ms are based on the findings and recommendations of thesecurity assessment report excluding any remediation actions taken. CSP POA&M’s are based on: (i) the security categorization of the cloud information system; (ii) the specificweaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses ordeficiencies; and (iv) CSP’s proposed risk mitigation approach to address the identifiedweaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of riskmitigation resources). The POA&M identifies: (i) the tasks to be accomplished with a recommendation for completion either before or afterinformation system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meetingthe tasks; and (iv) the scheduled completion dates for the milestones. 1.2. Scope The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items) 1.3. System Description The <Information System Name or Acronym>system has been determined to have a security categorization of <Moderate, or Low>. Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP). Draft Version 0.1 Page 6 of 12
FedRAMP Plan of Action and Milestones Template 2. Methodology POA&Ms must include all known security weaknesses withinthe cloud information system. Weakness information is gathered and reported using embeddedFedRAMP POA&M workbook, which is comprised of five worksheets including the System POA&M worksheet, and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year. Worksheet 1: System POA&M The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below. Measure Details Systems are categorized as Low, Moderate, or High based on a FIPS 199 Risk Impact Level completed FIPS 199/800-60 evaluation. Systems are identified as either Federal or Contractor.Contractor systems are identified as any system that processes or handles GSA- Federal or Contractor owned information on behalf of GSA that are housed at non-GSA System facilities including contractor, consultant, or other third party (includes Federal agencies/departments) sites. The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMBs format requirements. Column A – POAM ID. – A unique identifier must be assigned to each POA&M item. Column B -- Weakness Description.Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Column C – Point of Contact (POC).Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported. Column D -- Resources Required. Identify any resources, obstacles and challenges needed to resolve the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Draft Version 0.1 Page 7 of 12
FedRAMP Plan of Action and Milestones Template A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column F, Milestone Changes. Column E -- Scheduled Completion Date.A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column G, Milestone Changes. Column F – Milestones with Completion Dates.A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once it is recorded. Column G–Source of Discovery.Identify sources for all weaknesses. Ensure this is consistent with the SAR. Column H --Status. A status of Completed or Ongoing must be assigned to each weakness. Completed — This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness. Ongoing — This status is assigned to both current weaknesses that have not exceeded the associated Scheduled Completion Date and delayed weaknesses. Vendor provided Plan of Action & Milestone (POA&M) must comply with the following: Use the POA&M template embedded in this document to track and manage POA&Ms. If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR Non-Conforming Controls listed in the SAR, may be recommended by the vendor/assessor, but if accepted by the JAB, need to be added in the POA&M. As technology evolves, Non- Conforming Controls need to be revaluated as mitigation techniques may surface that did not previously exist at the time of the decision or countermeasure costs may decrease affecting the original Non-Conforming Controls. Draft Version 0.1 Page 8 of 12
FedRAMP Plan of Action and Milestones Template • False positives must be clearly identified within the SAR, along with supporting evidence (e.g., clean scan report) do not have to be identified in the POA&M. • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding. • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization. • Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date. Draft Version 0.1 Page 9 of 12
FedRAMP Plan of Action and Milestones Template Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Te mplate 043012.xlsx Draft Version 0.1 Page 10 of 12
FedRAMP Plan of Action and Milestones Template APPENDIX A. ACRONYMS [NOTE: Update the acronym list based on the acronyms used in this document] AC Authentication Category AP Assurance Profile API Application Programming Interface ATO Authorization to Operate C&A Certification & Accreditation COTS Commercial Off the Shelf AO Authorizing Official FedRAMP Federal Risk and Authorization Management Program FIPS PUB Federal Information Processing Standard Publication FISMA Federal Information Security Management Act GSS General Support System IaaS Infrastructure as a Service (Model) IATO Interim Authorization to Operate ID Identification IT Information Technology LAN Local Area Network NIST National Institute of Standards and Technology OMB Office of Management and Budget PIA Privacy Impact Assessment POA&M Plan of Action and Milestones POC Point of Contact RA Risk Assessment Rev. Revision SA Security Assessment SAR Security Assessment Report SDLC System Development Life Cycle SP Special Publication SSP System Security Plan VLAN Virtual Local Area Network Draft Version 0.1 Page 11 of 12
FedRAMP Plan of Action and Milestones Template APPENDIX B. REFERENCES [NOTE: Update references as needed to reflect current guidance] Laws and Regulations: Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347. Consolidated Appropriations Act of 2005, Section 522. USA PATRIOT Act (P.L. 107-56), October 2001. OMB Circulars: OMB Circular A-130, Management of Federal Information Resources, November 2000. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006. FIPS Publications: FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Publications: NIST 800-18, Guide for Developing Security Plans for Information Technology Systems NIST 800-26, Security Self-Assessment Guide for Information Technology Systems NIST 800-30, Risk Management Guide for Information Technology Systems NIST 800-34, Contingency Planning Guide for Information Technology Systems NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST 800-47, Security Guide for Interconnecting Information Technology Systems NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology NIST 800-64, Security Considerations in the Information System Development Life Cycle Draft Version 0.1 Page 12 of 12

Empfohlen

supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...
supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...
supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...shanavas chithara
 
DRI Coal 2016.pdf
DRI Coal 2016.pdfDRI Coal 2016.pdf
DRI Coal 2016.pdfHindenburg Research
 
DHS 4300A Sensitive System Handbook Attachment E
DHS 4300A Sensitive System Handbook Attachment EDHS 4300A Sensitive System Handbook Attachment E
DHS 4300A Sensitive System Handbook Attachment EDavid Sweigert
 
Action Road Map Planning Tool
Action Road Map Planning ToolAction Road Map Planning Tool
Action Road Map Planning ToolEveryday Democracy
 
Nancy Morgan bmd overview
Nancy Morgan bmd overviewNancy Morgan bmd overview
Nancy Morgan bmd overviewRoyal United Services Institute for Defence and Security Studies
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxjuliennehar
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxherthalearmont
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxrhetttrevannion
 

Empfohlen

supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...
supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...
supreme court order SLP( NO.12269 OF 2014 FOR building tax 2017 order revenue...shanavas chithara
 
DRI Coal 2016.pdf
DRI Coal 2016.pdfDRI Coal 2016.pdf
DRI Coal 2016.pdfHindenburg Research
 
DHS 4300A Sensitive System Handbook Attachment E
DHS 4300A Sensitive System Handbook Attachment EDHS 4300A Sensitive System Handbook Attachment E
DHS 4300A Sensitive System Handbook Attachment EDavid Sweigert
 
Action Road Map Planning Tool
Action Road Map Planning ToolAction Road Map Planning Tool
Action Road Map Planning ToolEveryday Democracy
 
Nancy Morgan bmd overview
Nancy Morgan bmd overviewNancy Morgan bmd overview
Nancy Morgan bmd overviewRoyal United Services Institute for Defence and Security Studies
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxjuliennehar
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxherthalearmont
 
This sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxThis sample template is designed to assist the user in performing .docx
This sample template is designed to assist the user in performing .docxrhetttrevannion
 
Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Jay Steidle
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxmary772
 
Unit iii tqm
Unit iii tqmUnit iii tqm
Unit iii tqmV.V.RAMANA MURTHY
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateGovCloud Network
 
Documentation on bigmarket copy
Documentation on bigmarket copyDocumentation on bigmarket copy
Documentation on bigmarket copyswamypotharaveni
 
Mrd template
Mrd templateMrd template
Mrd templatePrinceGhimire1
 
0.3 aim phases_and_documentations
0.3 aim phases_and_documentations0.3 aim phases_and_documentations
0.3 aim phases_and_documentationsOracle HRMS Functional Consultant
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010Steve Turner
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Thinksoft Global
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdfRaoShahid10
 
On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?Callidus Software
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfSamehMostafa33
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsLindaWatson19
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxtienboileau
 
Blue book
Blue bookBlue book
Blue bookanjum mujawar mujawar
 
Is 4 th
Is 4 thIs 4 th
Is 4 thsmumbahelp
 
Rules of Behavior
Rules of BehaviorRules of Behavior
Rules of BehaviorGovCloud Network
 
Basic-Project-Estimation-1999
Basic-Project-Estimation-1999Basic-Project-Estimation-1999
Basic-Project-Estimation-1999Michael Wigley
 
Mobile store management
Mobile store management Mobile store management
Mobile store management Rupendra Verma
 
IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 

Weitere ähnliche Inhalte

Ähnlich wie Plan of Action and Milestones (POA&M)

Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Jay Steidle
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxmary772
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateGovCloud Network
 
Documentation on bigmarket copy
Documentation on bigmarket copyDocumentation on bigmarket copy
Documentation on bigmarket copyswamypotharaveni
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010Steve Turner
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Thinksoft Global
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdfRaoShahid10
 
On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?Callidus Software
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfSamehMostafa33
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsLindaWatson19
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxtienboileau
 
Basic-Project-Estimation-1999
Basic-Project-Estimation-1999Basic-Project-Estimation-1999
Basic-Project-Estimation-1999Michael Wigley
 
Mobile store management
Mobile store management Mobile store management
Mobile store management Rupendra Verma
 

Ähnlich wie Plan of Action and Milestones (POA&M) (20)

Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15Gartner_Critical Capabilities for SIEM 9.21.15
Gartner_Critical Capabilities for SIEM 9.21.15
 
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docxCMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
CMGT410 v19Business Requirements TemplateCMGT410 v19Page 2.docx
 
Unit iii tqm
Unit iii tqmUnit iii tqm
Unit iii tqm
 
Control Implementation Summary (CIS) Template
Control Implementation Summary (CIS) TemplateControl Implementation Summary (CIS) Template
Control Implementation Summary (CIS) Template
 
Documentation on bigmarket copy
Documentation on bigmarket copyDocumentation on bigmarket copy
Documentation on bigmarket copy
 
Mrd template
Mrd templateMrd template
Mrd template
 
0.3 aim phases_and_documentations
0.3 aim phases_and_documentations0.3 aim phases_and_documentations
0.3 aim phases_and_documentations
 
Pmo slides jun2010
Pmo slides jun2010Pmo slides jun2010
Pmo slides jun2010
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)
 
Lecture 6 & 7.pdf
Lecture 6 & 7.pdfLecture 6 & 7.pdf
Lecture 6 & 7.pdf
 
On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?On-Demand: Is It Right For Your Company?
On-Demand: Is It Right For Your Company?
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdf
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy Applications
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docx
 
Blue book
Blue bookBlue book
Blue book
 
Is 4 th
Is 4 thIs 4 th
Is 4 th
 
Rules of Behavior
Rules of BehaviorRules of Behavior
Rules of Behavior
 
Basic-Project-Estimation-1999
Basic-Project-Estimation-1999Basic-Project-Estimation-1999
Basic-Project-Estimation-1999
 
Mobile store management
Mobile store management Mobile store management
Mobile store management
 

Mehr von GovCloud Network

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeGovCloud Network
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in CyberspaceGovCloud Network
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessGovCloud Network
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture GovCloud Network
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonGovCloud Network
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher PageGovCloud Network
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanGovCloud Network
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)GovCloud Network
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefGovCloud Network
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonGovCloud Network
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentGovCloud Network
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013GovCloud Network
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 

Mehr von GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

Kürzlich hochgeladen

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Kürzlich hochgeladen (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Plan of Action and Milestones (POA&M)

  • 1. POA&M <Information System Name>, <Date> Plan of Action and Milestones (POA&M) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
  • 2. FedRAMP Plan of Action and Milestones Template Table of Contents ABOUT THIS DOCUMENT................................................................................................................. 4 Who should use this document? ..................................................................................................... 4 Conventions used in this document ................................................................................................ 4 How to contact us............................................................................................................................ 5 1. INTRODUCTION....................................................................................................................... 6 1.1. Purpose............................................................................................................................... 6 1.2. Scope .................................................................................................................................. 6 1.3. System Description ............................................................................................................. 6 2. Methodology .......................................................................................................................... 7 Worksheet 1: System POA&M ................................................................................................... 7 APPENDIX A. ACRONYMS............................................................................................................. 11 APPENDIX B. REFERENCES ........................................................................................................... 12 Draft Version 0.1 Page 2 of 12 Table of Contents
  • 3. FedRAMP Plan of Action and Milestones Template Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Draft Version 0.1 Page 3 of 12 Document Revision History
  • 4. FedRAMP Plan of Action and Milestones Template ABOUTTHIS DOCUMENT This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and plan of action and milestones for how the deficiencies will be mitigated. Who should use this document? This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Draft Version 0.1 Page 4 of 12
  • 5. FedRAMP Plan of Action and Milestones Template Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. How to contact us If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov o Draft Version 0.1 Page 5 of 12
  • 6. FedRAMP Plan of Action and Milestones Template 1. INTRODUCTION The plan of action and milestones (POA&M) is one of three key documents in the security authorization package anddescribes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls notedduring the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by theauthorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security controlassessment. 1.1. Purpose The purpose of POA&M is to facilitate a disciplined andstructured approach to mitigating risks in accordance with Cloud Service Providers (CSP’s) priorities.POA&Ms are based on the findings and recommendations of thesecurity assessment report excluding any remediation actions taken. CSP POA&M’s are based on: (i) the security categorization of the cloud information system; (ii) the specificweaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses ordeficiencies; and (iv) CSP’s proposed risk mitigation approach to address the identifiedweaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of riskmitigation resources). The POA&M identifies: (i) the tasks to be accomplished with a recommendation for completion either before or afterinformation system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meetingthe tasks; and (iv) the scheduled completion dates for the milestones. 1.2. Scope The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items) 1.3. System Description The <Information System Name or Acronym>system has been determined to have a security categorization of <Moderate, or Low>. Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP). Draft Version 0.1 Page 6 of 12
  • 7. FedRAMP Plan of Action and Milestones Template 2. Methodology POA&Ms must include all known security weaknesses withinthe cloud information system. Weakness information is gathered and reported using embeddedFedRAMP POA&M workbook, which is comprised of five worksheets including the System POA&M worksheet, and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year. Worksheet 1: System POA&M The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below. Measure Details Systems are categorized as Low, Moderate, or High based on a FIPS 199 Risk Impact Level completed FIPS 199/800-60 evaluation. Systems are identified as either Federal or Contractor.Contractor systems are identified as any system that processes or handles GSA- Federal or Contractor owned information on behalf of GSA that are housed at non-GSA System facilities including contractor, consultant, or other third party (includes Federal agencies/departments) sites. The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMBs format requirements. Column A – POAM ID. – A unique identifier must be assigned to each POA&M item. Column B -- Weakness Description.Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity. Column C – Point of Contact (POC).Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported. Column D -- Resources Required. Identify any resources, obstacles and challenges needed to resolve the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Draft Version 0.1 Page 7 of 12
  • 8. FedRAMP Plan of Action and Milestones Template A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column F, Milestone Changes. Column E -- Scheduled Completion Date.A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in the Column G, Milestone Changes. Column F – Milestones with Completion Dates.A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once it is recorded. Column G–Source of Discovery.Identify sources for all weaknesses. Ensure this is consistent with the SAR. Column H --Status. A status of Completed or Ongoing must be assigned to each weakness. Completed — This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness. Ongoing — This status is assigned to both current weaknesses that have not exceeded the associated Scheduled Completion Date and delayed weaknesses. Vendor provided Plan of Action & Milestone (POA&M) must comply with the following: Use the POA&M template embedded in this document to track and manage POA&Ms. If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR Non-Conforming Controls listed in the SAR, may be recommended by the vendor/assessor, but if accepted by the JAB, need to be added in the POA&M. As technology evolves, Non- Conforming Controls need to be revaluated as mitigation techniques may surface that did not previously exist at the time of the decision or countermeasure costs may decrease affecting the original Non-Conforming Controls. Draft Version 0.1 Page 8 of 12
  • 9. FedRAMP Plan of Action and Milestones Template • False positives must be clearly identified within the SAR, along with supporting evidence (e.g., clean scan report) do not have to be identified in the POA&M. • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding. • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization. • Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date. Draft Version 0.1 Page 9 of 12
  • 10. FedRAMP Plan of Action and Milestones Template Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Te mplate 043012.xlsx Draft Version 0.1 Page 10 of 12
  • 11. FedRAMP Plan of Action and Milestones Template APPENDIX A. ACRONYMS [NOTE: Update the acronym list based on the acronyms used in this document] AC Authentication Category AP Assurance Profile API Application Programming Interface ATO Authorization to Operate C&A Certification & Accreditation COTS Commercial Off the Shelf AO Authorizing Official FedRAMP Federal Risk and Authorization Management Program FIPS PUB Federal Information Processing Standard Publication FISMA Federal Information Security Management Act GSS General Support System IaaS Infrastructure as a Service (Model) IATO Interim Authorization to Operate ID Identification IT Information Technology LAN Local Area Network NIST National Institute of Standards and Technology OMB Office of Management and Budget PIA Privacy Impact Assessment POA&M Plan of Action and Milestones POC Point of Contact RA Risk Assessment Rev. Revision SA Security Assessment SAR Security Assessment Report SDLC System Development Life Cycle SP Special Publication SSP System Security Plan VLAN Virtual Local Area Network Draft Version 0.1 Page 11 of 12
  • 12. FedRAMP Plan of Action and Milestones Template APPENDIX B. REFERENCES [NOTE: Update references as needed to reflect current guidance] Laws and Regulations: Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347. Consolidated Appropriations Act of 2005, Section 522. USA PATRIOT Act (P.L. 107-56), October 2001. OMB Circulars: OMB Circular A-130, Management of Federal Information Resources, November 2000. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006. FIPS Publications: FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Publications: NIST 800-18, Guide for Developing Security Plans for Information Technology Systems NIST 800-26, Security Self-Assessment Guide for Information Technology Systems NIST 800-30, Risk Management Guide for Information Technology Systems NIST 800-34, Contingency Planning Guide for Information Technology Systems NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST 800-47, Security Guide for Interconnecting Information Technology Systems NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology NIST 800-64, Security Considerations in the Information System Development Life Cycle Draft Version 0.1 Page 12 of 12