The Federal Information Security Management Act (FISMA) requires every Federal department and agency to develop and implement a POA&M process and to periodically report progress to OMB and Congress.
The weakness description should always be consistent with the results of the assessment. POA&M weaknesses should provide sufficient information to facilitate oversight and progress tracking. Each weakness should be associated with a security boundary, security control or program.
Each POA&M should include an estimate of the cost to remediate. The identification of adequate resources and funding to resolve weaknesses is critical in prioritization for decision makers such as system owners and authorizing officials. Updating POA&M costs/resources is an essential part of continuous monitoring.
During continuous monitoring, it is imperative to regularly check that the point of contact (POC) assigned to the POA&M is still valid and capable of resolving the POA&M. If there is a delay, there needs to be justification. However, if a POA&M cannot be remediated, then a risk-based decision memo would need to be drafted and signed by decision makers.
CyberSuite POA&M Report
We will give you an accurate snapshot of program and system level status.
- Scheduled completion dates for resolving weaknesses are reasonable and take into consideration the time necessary to address each milestone.
- Each POA&M includes milestones that outline the specific steps that are necessary to correct the identified weaknesses. All milestones include a scheduled completion date, POC, milestone description, planned start/finish, and actual start date.
- Any POA&M that is delayed will have a delay reason. We can also draft risk acceptance memos for any POA&Ms that cannot be feasibly remediated.