POA&M

What is the POA&M module?

POA&M stands for Plan of Actions and Milestones.  This plan, required by NIST 800-171, is where the organization manages Corrective Action Plans (CAP) for deficient cybersecurity capabilities.  A CAP can address a single deficient control or a group of related controls.  The sum total of all CAPs constitutes the POA&M.

How do I build a Plan of Action & Milestones using the POA&M module?

The POA&M consists of a group of Corrective Action Plans (CAP), so what you actually build in the POA&M module are CAPs.  CAPs can be built in one of two ways:

  1. Direct from the POA&M page using the Create Corrective Action button: 
  2. Using the Add to POA&M workflow from the Control Status page:

See our POA&M Tutorial for a demonstration of how these methods can be used to build a CAP and populate the POA&M.

What's the difference between Control Status and POA&M?

The Control Status page is used to manage the organization's security control assessment, System Security Plan (SSP), shared responsibility identification, and associate artifacts and evidence with a security control.

The POA&M page is used to manage the Corrective Action Plans (CAP) with which the organization remediates cybersecurity deficiencies.

CAPs are associated with the Non-compliant Organization Actions listed on the Control Status page, and CAPs can be created from the Control Status page, so the two pages are closely interrelated.

How do I create a Corrective Action Plan (CAP)?

See the How do I build a POA&M answer above.

How do I delete a Corrective Action Plan (CAP)?

On the POA&M page, click the three-vertical-dot icon on the CAP you wish to delete, and select Delete Correction Action:

In the pop-up, click OK to confirm the deletion:

Deleting a CAP does not affect the status of a Non-compliant Organization Action (OA), unless that OA is also associated with another CAP that is in "Complete" status.  In that case, the OA status will be changed to "Compliant".

How do I complete a Corrective Action Plan (CAP)?

CAPs are automatically marked Complete when all individual Action Steps in that CAP are marked Complete:

How do I add Organization Actions to an existing CAP?

On the POA&M page, click the three-vertical-dot icon on the CAP you wish to modify, and select Modify Correction Actions:

In the pop-up, click the drop-down arrow to bring up a list of Non-compliant Organization Actions.  Check the box next to an Organization Action to select it for inclusion in the CAP:

Alternatively, you can start typing a control number in the Organization Actions field, and the corresponding Non-compliant Organization Actions will be listed.  Check the box next to each listed Organization Action you want to include:

Once you have selected the Organization Action(s), click OK to add them to the CAP.

What are the Corrective Action Templates used for?

Corrective Action Templates are used to auto-populate a Corrective Action Plan (CAP) with general Action Steps an organization can typically take to remediate a deficient cybersecurity capability.  The Templates also auto-populate a general risk description.

There are about twenty-five (25) Corrective Action Templates, each corresponding to a deficiency commonly encountered in small-business cybersecurity programs.

How do I create a Gantt Chart using the POA&M module?

Once all CAP Action Steps have a realistic Start Date and Estimated Completion Date, simply click the View Gantt Chart button:

Totem™ will then auto-populate a Gantt Chart, which can be used to manage CAP sequencing and overall POA&M execution: