
How to fill out your POA&M
Your POA&M is your Plan of Action and Milestones document. Here are some key strategies and best practices to observe when filling it out. In the course of a security assessment, compliance audit, information system audit or any other IT-based audit, you will find certain controls that are either incomplete or not yet implemented. You need to plan how you will fix those controls and bring them into compliance, and you do that by creating this document and filling out the form.

The first thing to do is settle on a POA&M ID numbering scheme: every POA&M item should be tracked by a unique number or identifier. Record which control the item is associated with, so that it is clear what goal you are working toward and which control you are addressing. Describe the weakness or issue, and note how you discovered it, that is, the source that notified you of the issue (an audit finding, a scan, a test report). Identify the asset affected by the weakness or vulnerability by its unique identifier, which should also appear in your SSP documentation. Name the person responsible for fixing the weakness, and anyone else whose involvement is required, since that may be a different person. Record when you detected the issue and when you plan to fix it, and keep an overall status indicator alongside the completion dates or projected completion dates. You can also track other items in your POA&M that revolve around dates, approvers, comments, and any documentation relevant to the issue.

Some POA&Ms also include a risk rating and any dependencies that addressing the control may involve. You can keep the POA&M short and limited to the relevant information you have available. A Managed Security Service Provider can assist with this project and ensure all your bases are covered.
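As an added illustration (not part of the original post or any official POA&M template), the following Python models one POA&M line item with the columns described above, checks that the required columns are filled in and the dates are consistent, derives the status indicator from the dates, and flags duplicate POA&M IDs. The class and field names are assumptions, and the sample rows are constructed, not real findings.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PoamEntry:
    poam_id: str        # unique POA&M identifier
    control: str        # control being addressed
    weakness: str       # description of the weakness or issue
    source: str         # how the weakness was discovered
    asset_id: str       # affected asset, using the same identifier as in the SSP
    owner: str          # person responsible for remediation
    detected: date      # when the issue was detected
    scheduled: date     # projected completion date
    completed: Optional[date] = None
    risk: str = "Moderate"

REQUIRED = ("poam_id", "control", "weakness", "source", "asset_id", "owner")
def validate(entry: PoamEntry) -> list:
    """Return the problems with a row; an empty list means it is complete."""
    problems = [f"{name} is required" for name in REQUIRED if not getattr(entry, name).strip()]
    if entry.scheduled < entry.detected:
        problems.append("scheduled completion precedes detection date")
    if entry.completed is not None and entry.completed < entry.detected:
        problems.append("completion date precedes detection date")
    return problems

def status(entry: PoamEntry, today: date) -> str:
    """Derive the overall status indicator from the dates instead of typing it by hand."""
    if entry.completed is not None:
        return "Completed"
    return "Delayed" if today > entry.scheduled else "Ongoing"

def duplicate_ids(entries) -> list:
    """POA&M IDs must be unique; report any that repeat."""
    seen, dupes = set(), []
    for e in entries:
        if e.poam_id in seen and e.poam_id not in dupes:
            dupes.append(e.poam_id)
        seen.add(e.poam_id)
    return dupes
# Constructed sample rows (not real findings) to exercise the checks above.
SAMPLE = [
    PoamEntry("POAM-001", "AC-2", "Shared admin account on file server", "Internal audit",
              "SRV-FS-01", "J. Doe", date(2024, 1, 10), date(2024, 3, 1), completed=date(2024, 2, 20)),
    PoamEntry("POAM-002", "SI-2", "Missing vendor patches on web server", "Vulnerability scan",
              "SRV-WEB-02", "A. Smith", date(2024, 2, 5), date(2024, 2, 28)),
    PoamEntry("POAM-002", "CM-6", "", "Pen test", "SRV-WEB-02", "A. Smith",
              date(2024, 2, 5), date(2024, 1, 30)),
]
```

Running `validate` and `duplicate_ids` over every row before each review keeps the tracker honest: an empty weakness description or a reused ID is caught before it reaches the assessor.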

Single Point of Contact was founded in 1999 and is a Managed Security Service Provider in the San Francisco Bay Area. We tailor our IT security services to take into consideration the everyday challenges businesses face. Cybersecurity issues often stem from within an organization, so we take proactive measures to ensure everyone from top to bottom understands the ramifications of a cyberattack. Don’t hesitate to contact us to see how we can help better protect your company.
