In my last blog post, I explained the importance of continuous monitoring in the FedRAMP process to assure that security controls are implemented correctly and operate as intended. Today I’ll cover the importance of having a living action plan to ensure that any system weaknesses or deficiencies are being addressed.
As per guidance from the Office of Management and Budget (OMB), all known weaknesses must be identified and tracked in a Plan of Action and Milestones (POA&M). The POA&M is a remediation action plan that helps an agency or organization to identify and assess information system security and privacy weaknesses, set priorities for addressing them, and monitor progress toward mitigating them.
As part of the initial FedRAMP authorization process and continuous monitoring effort, cloud service providers (CSPs) must develop and maintain POA&Ms for every weakness discovered during the initial assessment, annual security control assessment, and throughout the continuous monitoring process. FedRAMP uses the POA&M to monitor CSP progress in correcting those weaknesses or deficiencies.
The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s risk mitigation strategy. The POA&M identifies:
- The tasks the CSP plans to accomplish with a recommendation for completion;
- Any milestones the CSP has set in place for meeting the tasks; and
- The scheduled completion dates the CSP has set for the milestones.
The milestones in your POA&M should be “SMART”:
- Specific – target a specific area of improvement,
- Measurable – quantify an indicator of progress,
- Assignable – specify who would do it,
- Realistic – state what results can be achieved,
- Time-related – specify when the results can be achieved. As per FedRAMP guidance, a CSP must remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low within 180 days.
Follow this guidance when developing and managing your FedRAMP POA&M document:
- Each vulnerability must have a unique identifier. This identifier must pair with a respective Security Assessment Report (SAR) finding and/or any continuous monitoring vulnerability.
- When submitting the monthly POA&M spreadsheet, the findings on the spreadsheet must be reconciled each month with your authenticated scan results to ensure POA&M accuracy. This means that any items that have closed throughout the month should be marked as such and appropriate artifacts should be provided to validate closure.
- A false positive should stay on the “Open” tab until the deviation request for that weakness is approved.
- An operationally required vulnerability remains on the “Open” tab indefinitely or until resolved.
- A vendor dependency also remains on the “Open” tab indefinitely and is only closed once the CSP resolves the issue by applying a vendor-approved fix or upgrade.
- All high and critical risk findings must be remediated prior to receiving a JAB Provisional Authorization.
- High and critical risk findings identified through continuous monitoring activities must be mitigated within 30 days after identification.
- Moderate findings must be mitigated within 90 days of authorization date or within 90 days of identification as part of continuous monitoring activities.
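The monthly reconciliation and the remediation windows above lend themselves to a simple automated check. The following is an added example, not code from this post, from Telos or from the Xacta product: it compares a constructed POA&M "Open" tab against a constructed set of authenticated scan results, applies the 30/90/180-day windows the post quotes, keeps false positives, operationally required items and vendor dependencies on the Open tab, and requires a closure artifact before an item can be closed. The column names (`poam_id`, `scan_ref`, `closure_artifact`), status labels and `plugin-` identifiers are assumptions for the example, not FedRAMP template fields.

```python
"""Added example (not from the post or the Xacta product): a monthly POA&M
reconciliation and SLA check built on the rules the post lists.  All rows,
plugin ids, dates and column names below are constructed sample data and
assumed field names, not FedRAMP template fields or any real system's output."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows quoted in the post: High/Critical 30 days,
# Moderate 90 days, Low 180 days from identification.
SLA_DAYS = {"Critical": 30, "High": 30, "Moderate": 90, "Low": 180}

# Deviation states that keep an item on the "Open" tab regardless of what the
# scanner reports: pending false-positive request, operational requirement,
# vendor dependency (closed only when the CSP applies the vendor fix).
HOLD_STATUSES = {"false_positive_pending", "operationally_required", "vendor_dependency"}


@dataclass
class PoamItem:
    poam_id: str                # unique POA&M identifier (pairs with a SAR finding)
    scan_ref: str               # check/plugin id from the authenticated scan (assumed name)
    severity: str               # key into SLA_DAYS
    identified: date            # date the weakness was found
    status: str = "open"        # open | closed | one of HOLD_STATUSES
    closure_artifact: Optional[str] = None  # evidence path/ticket proving closure


def check_unique_ids(poam):
    """Return POA&M identifiers that appear more than once (must be empty)."""
    seen, dupes = set(), []
    for item in poam:
        if item.poam_id in seen and item.poam_id not in dupes:
            dupes.append(item.poam_id)
        seen.add(item.poam_id)
    return dupes


def due_date(item):
    """Remediation deadline implied by the item's severity."""
    return item.identified + timedelta(days=SLA_DAYS[item.severity])


def reconcile(poam, scan_refs_detected, today):
    """Reconcile the Open tab against this month's authenticated scan results.

    scan_refs_detected: set of scan_ref ids the scanner still reports.
    Returns a dict of POA&M ids (scan refs for 'untracked') per bucket.
    """
    dupes = check_unique_ids(poam)
    if dupes:
        raise ValueError(f"duplicate POA&M identifiers: {dupes}")

    result = {"ready_to_close": [], "missing_artifact": [], "still_open": [],
              "overdue": [], "held": [], "reopened": [], "untracked": []}
    tracked_refs = set()
    for item in poam:
        tracked_refs.add(item.scan_ref)
        detected = item.scan_ref in scan_refs_detected
        if item.status == "closed":
            if detected:                       # a previously closed finding is back
                result["reopened"].append(item.poam_id)
        elif item.status in HOLD_STATUSES:     # stays on the Open tab either way
            result["held"].append(item.poam_id)
        elif not detected:                     # fixed: close only with evidence attached
            bucket = "ready_to_close" if item.closure_artifact else "missing_artifact"
            result[bucket].append(item.poam_id)
        else:                                  # still detected and being worked
            result["still_open"].append(item.poam_id)
            if today > due_date(item):
                result["overdue"].append(item.poam_id)
    # Findings the scanner reports that have no POA&M row yet need a new entry.
    result["untracked"] = sorted(scan_refs_detected - tracked_refs)
    return result


# Constructed sample month: reconciliation run on 2020-06-01.
TODAY = date(2020, 6, 1)
SAMPLE_POAM = [
    PoamItem("V-001", "plugin-1001", "High", date(2020, 4, 15)),              # still detected, 47 days old
    PoamItem("V-002", "plugin-1002", "Moderate", date(2020, 4, 15),
             closure_artifact="tickets/CHG-42-patch-evidence.pdf"),            # gone from scan, evidence attached
    PoamItem("V-003", "plugin-1003", "Low", date(2020, 1, 10)),               # gone from scan, no evidence yet
    PoamItem("V-004", "plugin-1004", "Moderate", date(2020, 5, 1), status="false_positive_pending"),
    PoamItem("V-005", "plugin-1005", "High", date(2020, 2, 1), status="vendor_dependency"),
    PoamItem("V-006", "plugin-1006", "Low", date(2019, 10, 1), status="closed",
             closure_artifact="tickets/CHG-7-upgrade.pdf"),                    # closed last year, detected again
]
SAMPLE_SCAN = {"plugin-1001", "plugin-1004", "plugin-1005", "plugin-1006", "plugin-2000"}

if __name__ == "__main__":
    for bucket, ids in reconcile(SAMPLE_POAM, SAMPLE_SCAN, TODAY).items():
        print(f"{bucket:16s} {ids}")
```

Run on the sample month, the check flags V-001 as overdue (a High item identified 47 days earlier against a 30-day window), lets V-002 close because evidence is attached, holds V-003 open until an artifact is provided, keeps the deviation items on the Open tab, reports V-006 as a reopened finding and lists `plugin-2000` as a scan result with no POA&M row.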
Creating and managing the POA&M is a daunting part of the FedRAMP process. The Xacta 360 FedRAMP application does most of the heavy lifting for you by automatically generating and updating the POA&M as part of producing the documents needed for the FedRAMP security authorization package. It’s another way that Xacta provides you with the evidence needed to show that FedRAMP baseline security controls are safeguarding the system as originally envisioned.