POA&M
<Information System Name>, <Date>

Plan of Action and Milestones (POA&M)

<Vendor Name>
<Information System Name>
Version 1.0
May 2, 2012

Company Sensitive and Proprietary
For Authorized Use Only
FedRAMP Plan of Action and Milestones Template



Table of Contents

ABOUT THIS DOCUMENT                              4
    Who should use this document?                4
    Conventions used in this document            4
    How to contact us                            5
1. INTRODUCTION                                  6
    1.1. Purpose                                 6
    1.2. Scope                                   6
    1.3. System Description                      6
2. Methodology                                   7
    Worksheet 1: System POA&M                    7
APPENDIX A. ACRONYMS                             11
APPENDIX B. REFERENCES                           12




Draft Version 0.1                                                Page 2 of 12                         Table of Contents



Document Revision History

Date          Description               Version   Author
05/02/2012    Document Publication      1.0       FedRAMP Office







ABOUT THIS DOCUMENT
This document is released in template format. Once populated with content, this document will
include detailed information about service provider information system deficiencies and plan of
action and milestones for how the deficiencies will be mitigated.


Who should use this document?
This document is intended to be used by service providers who are applying for an Authorization
to Operate (ATO) through the U.S. federal government FedRAMP program.

This template provides a sample format for preparing the Plan of Action and Milestones. The
CSP may modify the format as necessary to comply with its internal policies and Federal Risk
and Authorization Management Program (FedRAMP) requirements. Italicized text or comments
should be replaced with appropriate CSP/Customer/System information.

Conventions used in this document
This document uses the following typographical conventions:

Italic
Italics are used for email addresses, and formal document names.

Italic blue in a box
Italic blue text in a blue box indicates instructions to the individual filling out the template.

     Instruction: This is an instruction to the individual filling out the template.

Bold
  Bold text indicates a parameter or an additional requirement.

Constant width
Constant width text is used for text that is representative of characters that would show up on a
computer screen.

<Brackets>
Text in brackets indicates a generic default name or word that should be replaced with a specific
name. Once the text has been replaced, the brackets should be removed.

Notes
Notes are found between parallel lines and include additional information that may be helpful to
the users of this template.


        Note: This is a note.







Sans Serif
Sans Serif text is used for tables, table captions, figure captions, and table of contents.

Sans Serif Gray
Sans Serif gray text is used for examples.

How to contact us
If you have questions about something in this document, or how to fill it out, please write to:

        info@fedramp.gov

For more information about the FedRAMP project, please see the website at:

        http://www.fedramp.gov








1. INTRODUCTION
The plan of action and milestones (POA&M) is one of three key documents in the security
authorization package and describes the specific tasks that are planned: (i) to correct any
weaknesses or deficiencies in the security controls noted during the assessment; and (ii) to
address the residual vulnerabilities in the information system.

POA&Ms are used by the authorizing official to monitor progress in correcting weaknesses or
deficiencies noted during the security control assessment.

1.1.    Purpose
The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating
risks in accordance with the Cloud Service Provider's (CSP's) priorities. POA&Ms are based on
the findings and recommendations of the security assessment report, excluding any remediation
actions already taken.

CSP POA&Ms are based on: (i) the security categorization of the cloud information system; (ii)
the specific weaknesses or deficiencies in deployed security controls; (iii) the importance of the
identified security control weaknesses or deficiencies; and (iv) the CSP's proposed risk mitigation
approach to address the identified weaknesses or deficiencies in the security controls (e.g.,
prioritization of risk mitigation actions, allocation of risk mitigation resources).

The POA&M identifies: (i) the tasks to be accomplished, with a recommendation for completion
either before or after information system implementation; (ii) the resources required to
accomplish the tasks; (iii) any milestones in meeting the tasks; and (iv) the scheduled completion
dates for the milestones.


1.2.    Scope
The scope of the POA&M includes all management, operational, and technical FedRAMP
security controls that are deemed less than effective (i.e., having unacceptable weaknesses or
deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to
the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or
remediation actions are taken to close any existing POA&M items).

1.3.    System Description
The <Information System Name or Acronym> system has been determined to have a security
categorization of <Moderate or Low>.

 Instruction: Insert a brief high-level description of the system, its business purpose, and
 the system environment. Ensure this section is continuously updated with the latest
 description from the System Security Plan (SSP).







2. Methodology
POA&Ms must include all known security weaknesses within the cloud information system.
Weakness information is gathered and reported using the embedded FedRAMP POA&M workbook,
which is comprised of five worksheets: the System POA&M worksheet and four Quarterly POA&M
Update worksheets, one for each quarter of the fiscal year.

Worksheet 1: System POA&M
The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks
FISMA system performance measurements while the bottom portion tracks IT system
weaknesses.

The top portion of the POA&M tracks the measures in the table below.

Measure: FIPS 199 Risk Impact Level
    Details: Systems are categorized as Low, Moderate, or High based on a completed
    FIPS 199/800-60 evaluation.

Measure: Federal or Contractor System
    Details: Systems are identified as either Federal or Contractor. Contractor systems are
    identified as any system that processes or handles GSA-owned information on behalf of
    GSA and is housed at non-GSA facilities, including contractor, consultant, or other
    third-party (including Federal agencies/departments) sites.




The bottom portion of the POA&M worksheet is the corrective action plan used to track IT
security weaknesses. This portion of the POA&M worksheet is based on OMB's format
requirements.

Column A -- POA&M ID. A unique identifier must be assigned to each POA&M item.

Column B -- Weakness Description. Describe weaknesses identified during the assessment
process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data
must be provided to permit oversight and tracking, demonstrate awareness of the weakness,
and facilitate the creation of specific milestones to address the weakness. Where it is necessary
to provide more sensitive data, the POA&M should note the fact of its special sensitivity.

Column C -- Point of Contact (POC). Identify the person/role that FedRAMP can hold responsible
for resolving the weakness. A POC must be identified and documented for each weakness
reported.

Column D -- Resources Required. Identify any resources, obstacles, and challenges needed to
resolve the weakness (e.g., lack of personnel or expertise, development of a new system to
replace an insecure legacy system, etc.).






Column E -- Scheduled Completion Date. A completion date must be assigned to every
weakness, to include the month, day, and year. If a weakness is resolved before or after the
originally scheduled completion date, enter the actual completion date in the Status column.
Also, if the time to correct the weakness extends beyond the original scheduled date of
completion, the reasons for the delay must be noted in the Milestone Changes column together
with a revised scheduled date of completion. The Scheduled Completion Date column must not
change once it is recorded. If there are changes to scheduled completion date(s), note them in
Column G, Milestone Changes.

Column F -- Milestones with Completion Dates. A milestone identifies specific requirements
to correct an identified weakness. Each weakness must have a documented milestone that
identifies specific actions to correct the weakness, with an associated completion date.
Milestone with Completion Date entries shall not change once they are recorded.

Column G -- Source of Discovery. Identify the source for all weaknesses. Ensure this is consistent
with the SAR.

Column H -- Status. A status of Completed or Ongoing must be assigned to each weakness.

        Completed — This status is assigned when all corrective actions have been applied to a
        weakness such that the weakness is successfully mitigated. The Date of Completion
        shall be recorded for a completed weakness.
        Ongoing — This status is assigned both to current weaknesses that have not exceeded
        the associated Scheduled Completion Date and to delayed weaknesses.

The vendor-provided Plan of Action and Milestones (POA&M) must comply with the following:
•      Use the POA&M template embedded in this document to track and manage POA&Ms.
•      If a finding in the Security Assessment Report (SAR) exists, the finding must be
represented as an item on the POA&M.
•      All findings must map back to a finding in the SAR.
•      Non-Conforming Controls listed in the SAR may be recommended by the vendor/assessor
but, if accepted by the JAB, need to be added to the POA&M. As technology evolves,
Non-Conforming Controls need to be re-evaluated, as mitigation techniques may surface that
did not previously exist at the time of the decision, or countermeasure costs may decrease,
affecting the original Non-Conforming Controls.




•      False positives clearly identified within the SAR, along with supporting evidence
(e.g., a clean scan report), do not have to be identified in the POA&M.
•      Each line item on the POA&M must have a unique identifier. This unique identifier
should pair with a respective SAR finding.
•      All high and critical risk findings must be remediated prior to receiving a Provisional
Authorization.
•      Moderate findings shall have a mitigation date within 90 days of the Provisional
Authorization date.
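The column rules (Columns A through H) and the submission requirements above can be checked mechanically before a quarterly POA&M update is sent. The following validator is an added example written for this page; it is not part of the FedRAMP template or its embedded workbook. The `risk_level` and `sar_finding_id` fields, the finding IDs `SAR-01`..`SAR-03`, the dates and the three sample rows are constructed assumptions; the template names no column for risk level, so that field stands in for what the SAR records.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Status values permitted by Column H of the template.
VALID_STATUS = {"Completed", "Ongoing"}
# "Moderate findings shall have a mitigation date within 90 days of Provisional Authorization date."
MODERATE_WINDOW = timedelta(days=90)


@dataclass
class PoamItem:
    poam_id: str                            # Column A: unique POA&M ID
    weakness: str                           # Column B: weakness description
    poc: str                                # Column C: point of contact
    resources: str                          # Column D: resources required
    scheduled_completion: Optional[date]    # Column E: must not change once recorded
    milestones: List[Tuple[str, date]]      # Column F: (action, completion date) pairs
    source: str                             # Column G: source of discovery
    status: str                             # Column H: Completed or Ongoing
    risk_level: str                         # assumed field: High, Critical, Moderate or Low
    sar_finding_id: Optional[str] = None    # assumed field: the paired SAR finding
    date_completed: Optional[date] = None   # recorded when status is Completed
    milestone_changes: str = ""             # reasons for delay plus revised date


def validate_item(item: PoamItem, sar_findings: Set[str], pa_date: date, as_of: date,
                  original_scheduled: Optional[date] = None) -> List[str]:
    """Return the rule violations for one row; an empty list means the row conforms."""
    p: List[str] = []
    if not item.poam_id.strip():
        p.append("A: a unique POA&M ID must be assigned")
    if not item.weakness.strip():
        p.append("B: weakness description is required")
    if not item.poc.strip():
        p.append("C: a POC must be identified for each weakness")
    if item.scheduled_completion is None:
        p.append("E: scheduled completion date (month, day and year) is required")
    if not item.milestones:
        p.append("F: at least one milestone with a completion date is required")
    if not item.source.strip():
        p.append("G: source of discovery is required")
    if item.status not in VALID_STATUS:
        p.append("H: status must be Completed or Ongoing")
    if item.status == "Completed" and item.date_completed is None:
        p.append("H: a completed weakness must record its date of completion")
    if item.sar_finding_id not in sar_findings:
        p.append("row does not map back to a finding in the SAR")
    if original_scheduled is not None and item.scheduled_completion != original_scheduled:
        p.append("E: scheduled completion date changed; record the revision in Milestone Changes instead")
    if item.risk_level in {"High", "Critical"} and item.status != "Completed":
        p.append("high/critical finding must be remediated prior to Provisional Authorization")
    if (item.risk_level == "Moderate" and item.scheduled_completion is not None
            and item.scheduled_completion > pa_date + MODERATE_WINDOW):
        p.append("moderate finding must have a mitigation date within 90 days of the PA date")
    if (item.status == "Ongoing" and item.scheduled_completion is not None
            and item.scheduled_completion < as_of and not item.milestone_changes.strip()):
        p.append("delayed item must note the reason and a revised date in Milestone Changes")
    return p


def validate_poam(items, sar_findings, pa_date, as_of, original_dates=None) -> Dict[str, List[str]]:
    """Validate every row plus the workbook-level rule that POA&M IDs are unique."""
    original_dates = original_dates or {}
    report: Dict[str, List[str]] = {}
    seen: Set[str] = set()
    for it in items:
        problems = validate_item(it, sar_findings, pa_date, as_of, original_dates.get(it.poam_id))
        if it.poam_id in seen:
            problems.append("A: POA&M ID is not unique")
        seen.add(it.poam_id)
        report.setdefault(it.poam_id, []).extend(problems)
    return report


# Constructed sample data (not taken from any real SAR or POA&M).
SAR_FINDINGS = {"SAR-01", "SAR-02", "SAR-03"}
PA_DATE = date(2012, 5, 2)   # assumed Provisional Authorization date
AS_OF = date(2012, 7, 1)     # date the quarterly update is being prepared
SAMPLE_ITEMS = [
    PoamItem("V-001", "Audit logs not reviewed weekly (AU-6)", "ISSO", "Staff time",
             date(2012, 6, 15), [("Assign reviewer", date(2012, 6, 1)), ("First review", date(2012, 6, 15))],
             "Security Assessment", "Completed", "Moderate", "SAR-01", date_completed=date(2012, 6, 10)),
    PoamItem("V-002", "Privileged accounts not reviewed quarterly (AC-2)", "Ops lead", "None",
             date(2012, 5, 20), [("Complete account review", date(2012, 5, 20))],
             "Security Assessment", "Ongoing", "High", "SAR-02"),
    # Deliberately defective row: duplicate ID, no POC, no milestones, bad status, unknown SAR ID, late date.
    PoamItem("V-002", "Web tier missing vendor patches (SI-2)", "", "Patch window",
             date(2012, 9, 30), [], "Security Assessment", "Open", "Moderate", "SAR-99"),
]

if __name__ == "__main__":
    for poam_id, problems in validate_poam(SAMPLE_ITEMS, SAR_FINDINGS, PA_DATE, AS_OF).items():
        print(poam_id, "conforms" if not problems else "\n   - " + "\n   - ".join(problems))
```

Run against the sample rows, `V-001` conforms and both `V-002` rows are reported under one key with eight violations between them, including the duplicate ID. The `original_dates` argument carries the Scheduled Completion Date as first recorded, so a row whose Column E value drifts from it is flagged rather than silently accepted, which is the check a reviewer of quarterly updates most wants.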






Embedded POA&M Spreadsheet: FedRAMP_POAM_Template 043012.xlsx







APPENDIX A. ACRONYMS
[NOTE: Update the acronym list based on the acronyms used in this document]
AC                        Authentication Category
AP                        Assurance Profile
API                       Application Programming Interface
ATO                       Authorization to Operate
C&A                       Certification & Accreditation
COTS                      Commercial Off the Shelf
AO                        Authorizing Official
FedRAMP                   Federal Risk and Authorization Management Program
FIPS PUB                  Federal Information Processing Standard Publication
FISMA                     Federal Information Security Management Act
GSS                       General Support System
IaaS                      Infrastructure as a Service (Model)
IATO                      Interim Authorization to Operate
ID                        Identification
IT                        Information Technology
LAN                       Local Area Network
NIST                      National Institute of Standards and Technology
OMB                       Office of Management and Budget
PIA                       Privacy Impact Assessment
POA&M                     Plan of Action and Milestones
POC                       Point of Contact
RA                        Risk Assessment
Rev.                      Revision
SA                        Security Assessment
SAR                       Security Assessment Report
SDLC                      System Development Life Cycle
SP                        Special Publication
SSP                       System Security Plan
VLAN                      Virtual Local Area Network







APPENDIX B. REFERENCES
[NOTE: Update references as needed to reflect current guidance]
Laws and Regulations:
      Federal Information Security Management Act of 2002, Title III – Information Security,
      P.L. 107-347.
      Consolidated Appropriations Act of 2005, Section 522.
      USA PATRIOT Act (P.L. 107-56), October 2001.
OMB Circulars:
    OMB Circular A-130, Management of Federal Information Resources, November 2000.
    OMB Memorandum M-05-24, Implementation of Homeland Security Presidential
    Directive (HSPD) 12—Policy for a Common Identification Standard for Federal
    Employees and Contractors, August 2005.
    OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006.
FIPS Publications:
      FIPS PUB 199, Standards for Security Categorization of Federal Information and
      Information Systems
      FIPS PUB 200, Minimum Security Requirements for Federal Information and
      Information Systems
      FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and
      Contractors
NIST Publications:
      NIST 800-18, Guide for Developing Security Plans for Information Technology Systems
      NIST 800-26, Security Self-Assessment Guide for Information Technology Systems
      NIST 800-30, Risk Management Guide for Information Technology Systems
      NIST 800-34, Contingency Planning Guide for Information Technology Systems
      NIST 800-37, Guide for Applying the Risk Management Framework to Federal
      Information Systems: A Security Life Cycle Approach
      NIST 800-47, Security Guide for Interconnecting Information Technology Systems
      NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems
      and Organizations
      NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information
      System and Organizations
      NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems
      to Security
      NIST 800-63, Electronic Authentication Guideline: Recommendations of the National
      Institute of Standards and Technology
      NIST 800-64, Security Considerations in the Information System Development Life
      Cycle





NCOIC GCC OWS-10 presentation 10 7 2013GovCloud Network
 
Tech gate kevin l jackson - 09-21-2013
Tech gate   kevin l jackson - 09-21-2013Tech gate   kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 

Más de GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture   Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition   Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition   Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle  (BCL)  Guide (Draft)DoD Business Capability Lifecycle  (BCL)  Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS  - Kevin L. JacksonIntrusion Detection on Public IaaS  - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate   kevin l jackson - 09-21-2013Tech gate   kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

Último

Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 

Último (20)

Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 

Plan of Action and Milestones (POA&M)

  • 1. POA&M
  <Information System Name>, <Date>

  Plan of Action and Milestones (POA&M)

  <Vendor Name>
  <Information System Name>
  Version 1.0
  May 2, 2012

  Company Sensitive and Proprietary
  For Authorized Use Only
  • 2. FedRAMP Plan of Action and Milestones Template

  Table of Contents

  ABOUT THIS DOCUMENT ........................................ 4
  Who should use this document? .............................. 4
  Conventions used in this document .......................... 4
  How to contact us .......................................... 5
  1. INTRODUCTION ............................................ 6
  1.1. Purpose ............................................... 6
  1.2. Scope ................................................. 6
  1.3. System Description .................................... 6
  2. Methodology ............................................. 7
  Worksheet 1: System POA&M .................................. 7
  APPENDIX A. ACRONYMS ....................................... 11
  APPENDIX B. REFERENCES ..................................... 12

  Draft Version 0.1 Page 2 of 12
  • 3. Document Revision History

  Date         Description            Version   Author
  05/02/2012   Document Publication   1.0       FedRAMP Office
  • 4. ABOUT THIS DOCUMENT

  This document is released in template format. Once populated with content, this document will include detailed information about service provider information system deficiencies and the plan of action and milestones for how the deficiencies will be mitigated.

  Who should use this document?

  This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program. This template provides a sample format for preparing the Plan of Action and Milestones. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements. Italicized text or comments should be replaced with appropriate CSP/Customer/System information.

  Conventions used in this document

  This document uses the following typographical conventions:

  Italic -- Italics are used for email addresses and formal document names.
  Italic blue in a box -- Italic blue text in a blue box indicates instructions to the individual filling out the template. (Instruction: This is an instruction to the individual filling out the template.)
  Bold -- Bold text indicates a parameter or an additional requirement.
  Constant width -- Constant width text is used for text that is representative of characters that would show up on a computer screen.
  <Brackets> -- Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed.
  Notes -- Notes are found between parallel lines and include additional information that may be helpful to the users of this template. (Note: This is a note.)
  • 5. Sans Serif -- Sans Serif text is used for tables, table captions, figure captions, and the table of contents.
  Sans Serif Gray -- Sans Serif gray text is used for examples.

  How to contact us

  If you have questions about something in this document, or how to fill it out, please write to: info@fedramp.gov

  For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov
  • 6. 1. INTRODUCTION

  The plan of action and milestones (POA&M) is one of three key documents in the security authorization package and describes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls noted during the assessment; and (ii) to address the residual vulnerabilities in the information system. POA&Ms are used by the authorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security control assessment.

  1.1. Purpose

  The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the Cloud Service Provider's (CSP's) priorities. POA&Ms are based on the findings and recommendations of the security assessment report, excluding any remediation actions taken. CSP POA&Ms are based on: (i) the security categorization of the cloud information system; (ii) the specific weaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses or deficiencies; and (iv) the CSP's proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of risk mitigation resources). The POA&M identifies: (i) the tasks to be accomplished, with a recommendation for completion either before or after information system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meeting the tasks; and (iv) the scheduled completion dates for the milestones.

  1.2. Scope

  The scope of the POA&M includes all management, operational, and technical FedRAMP security controls that are deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the control implementation). CSPs are required to submit updated POA&Ms to the FedRAMP PMO at least quarterly or as needed (i.e., when new weaknesses are identified or remediation actions are taken to close any existing POA&M items).

  1.3. System Description

  The <Information System Name or Acronym> system has been determined to have a security categorization of <Moderate, or Low>.

  Instruction: Insert a brief high-level description of the system, business or purpose and system environment. Ensure this section is continuously updated with the latest description from the System Security Plan (SSP).
  • 7. 2. Methodology

  POA&Ms must include all known security weaknesses within the cloud information system. Weakness information is gathered and reported using the embedded FedRAMP POA&M workbook, which is comprised of five worksheets: the System POA&M worksheet and four Quarterly POA&M Update worksheets, one for each quarter of the fiscal year.

  Worksheet 1: System POA&M

  The System POA&M worksheet consists of two sections. The top portion of the POA&M tracks FISMA system performance measurements while the bottom portion tracks IT system weaknesses. The top portion of the POA&M tracks the measures in the table below.

  Measure: FIPS 199 Risk Impact Level
  Details: Systems are categorized as Low, Moderate, or High based on a completed FIPS 199/800-60 evaluation.

  Measure: Federal or Contractor System
  Details: Systems are identified as either Federal or Contractor. Contractor systems are identified as any system that processes or handles GSA-owned information on behalf of GSA and is housed at non-GSA facilities, including contractor, consultant, or other third party (includes Federal agencies/departments) sites.

  The bottom portion of the POA&M worksheet is the corrective action plan used to track IT security weaknesses. This portion of the POA&M worksheet is based on OMB's format requirements.

  Column A -- POAM ID. A unique identifier must be assigned to each POA&M item.

  Column B -- Weakness Description. Describe weaknesses identified during the assessment process. Sensitive descriptions of specific weaknesses are not necessary, but sufficient data must be provided to permit oversight and tracking, demonstrate awareness of the weakness, and facilitate the creation of specific milestones to address the weakness. Where it is necessary to provide more sensitive data, the POA&M should note the fact of its special sensitivity.

  Column C -- Point of Contact (POC). Identify the person/role that FedRAMP can hold responsible for resolving the weakness. A POC must be identified and documented for each weakness reported.

  Column D -- Resources Required. Identify any resources needed to resolve the weakness, and any obstacles and challenges (e.g., lack of personnel or expertise, development of a new system to replace an insecure legacy system, etc.).
  • 8. Column E -- Scheduled Completion Date. A completion date must be assigned to every weakness, to include the month, day, and year. If a weakness is resolved before or after the originally scheduled completion date, enter the actual completion date in the Status column. Also, if the time to correct the weakness extends beyond the original scheduled date of completion, the reasons for the delay must be noted in the Milestone Changes column together with a revised scheduled date of completion. The Scheduled Completion Date column must not change once it is recorded. If there are changes to scheduled completion date(s), note them in Column G, Milestone Changes.

  Column F -- Milestones with Completion Dates. A milestone will identify specific requirements to correct an identified weakness. Each weakness must have a milestone documented that identifies specific actions to correct the weakness with an associated completion date. Milestone with Completion Date entries shall not change once recorded.

  Column G -- Source of Discovery. Identify sources for all weaknesses. Ensure this is consistent with the SAR.

  Column H -- Status. A status of Completed or Ongoing must be assigned to each weakness.
  Completed: This status is assigned when all corrective actions have been applied to a weakness such that the weakness is successfully mitigated. The Date of Completion shall be recorded for a completed weakness.
  Ongoing: This status is assigned both to current weaknesses that have not exceeded the associated Scheduled Completion Date and to delayed weaknesses.

  Vendor-provided Plans of Action & Milestones (POA&Ms) must comply with the following:

  • Use the POA&M template embedded in this document to track and manage POA&Ms.
  • If a finding in the Security Assessment Report (SAR) exists, the finding must be represented as an item on the POA&M. All findings must map back to a finding in the SAR.
  • Non-Conforming Controls listed in the SAR may be recommended by the vendor/assessor, but if accepted by the JAB they need to be added to the POA&M. As technology evolves, Non-Conforming Controls need to be re-evaluated, as mitigation techniques may surface that did not exist at the time of the decision, or countermeasure costs may decrease, affecting the original Non-Conforming Controls.
  • 9.
  • False positives, which must be clearly identified within the SAR along with supporting evidence (e.g., a clean scan report), do not have to be identified in the POA&M.
  • Each line item on the POA&M must have a unique identifier. This unique identifier should pair with a respective SAR finding.
  • All high and critical risk findings must be remediated prior to receiving a Provisional Authorization.
  • Moderate findings shall have a mitigation date within 90 days of the Provisional Authorization date.
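The column rules (Columns A to H), the Completed/Ongoing status rules and the SAR-mapping, high/critical and 90-day rules above, expressed as checks over worksheet rows. This is an added example, not FedRAMP's template or workbook; the `risk_level` and `sar_finding_id` fields are assumptions (the rules refer to them, the column list does not name them), and the sample rows and dates are constructed.

```python
"""Rule checks for rows of the FedRAMP POA&M worksheet (added example, not FedRAMP's
own template or workbook).  Columns A-H follow the template text; risk_level and
sar_finding_id are ASSUMED fields the rules refer to but the column list does not name."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

VALID_STATUS = {"Completed", "Ongoing"}
MODERATE_WINDOW_DAYS = 90  # moderate findings: mitigation date within 90 days of PA

@dataclass
class PoamItem:
    poam_id: str                        # Column A: unique identifier
    weakness: str                       # Column B: weakness description (non-sensitive)
    poc: str                            # Column C: point of contact
    resources: str                      # Column D: resources required
    scheduled_completion: date          # Column E: must not change once recorded
    milestones: List[Tuple[str, date]]  # Column F: (action, completion date) pairs
    source: str                         # Column G: source of discovery (consistent with SAR)
    status: str                         # Column H: "Completed" or "Ongoing"
    date_of_completion: Optional[date] = None  # recorded with Status when Completed
    milestone_changes: str = ""         # reason for delay plus revised date
    risk_level: str = "Moderate"        # assumed field: Low / Moderate / High / Critical
    sar_finding_id: str = ""            # assumed field: the SAR finding this item pairs with

def validate_item(item: PoamItem, pa_date: date, today: date) -> List[str]:
    """Return the rule violations for one row; an empty list means the row conforms."""
    problems = []
    if not item.poam_id.strip():
        problems.append("Column A: a POA&M ID is required")
    if not item.weakness.strip():
        problems.append("Column B: a weakness description is required")
    if not item.poc.strip():
        problems.append("Column C: a POC must be identified for every weakness")
    if not item.milestones:
        problems.append("Column F: every weakness needs a milestone with a completion date")
    if not item.source.strip():
        problems.append("Column G: a source of discovery is required")
    if item.status not in VALID_STATUS:
        problems.append(f"Column H: status must be Completed or Ongoing, not {item.status!r}")
    if item.status == "Completed" and item.date_of_completion is None:
        problems.append("Column H: a Completed weakness must record its date of completion")
    # An Ongoing item past its scheduled date is delayed: the reason and a revised date go
    # in Milestone Changes, while the Scheduled Completion Date itself stays as recorded.
    if (item.status == "Ongoing" and today > item.scheduled_completion
            and not item.milestone_changes.strip()):
        problems.append("Milestone Changes: delayed item needs a reason and a revised date")
    if not item.sar_finding_id.strip():
        problems.append("every POA&M item must map back to a finding in the SAR")
    level = item.risk_level.lower()
    remediated_before_pa = (item.status == "Completed" and item.date_of_completion is not None
                            and item.date_of_completion < pa_date)
    if level in {"high", "critical"} and not remediated_before_pa:
        problems.append("high/critical findings must be remediated prior to Provisional Authorization")
    if level == "moderate" and (item.scheduled_completion - pa_date).days > MODERATE_WINDOW_DAYS:
        problems.append("moderate findings need a mitigation date within 90 days of the PA date")
    return problems

def validate_worksheet(items, pa_date, today):
    """Validate every row plus the cross-row rule that POA&M IDs are unique."""
    report, seen = [], set()
    for item in items:
        problems = validate_item(item, pa_date, today)
        if item.poam_id in seen:
            problems.append("Column A: duplicate POA&M ID")
        seen.add(item.poam_id)
        report.append((item.poam_id, problems))
    return report

# Constructed sample rows (not from any real assessment), checked as of 2012-08-01
# against a hypothetical Provisional Authorization (PA) dated 2012-05-01.
PA_DATE = date(2012, 5, 1)
AS_OF = date(2012, 8, 1)
SAMPLE_ROWS = [
    PoamItem("V-001", "Default credentials on management console", "ISSO", "Admin time",
             date(2012, 4, 20), [("Rotate credentials", date(2012, 4, 15))], "SAR scan",
             "Completed", date_of_completion=date(2012, 4, 15), risk_level="High",
             sar_finding_id="SAR-01"),
    PoamItem("V-002", "Audit log retention below 90 days", "Ops lead", "Storage quota",
             date(2012, 6, 15), [("Extend retention", date(2012, 6, 10))], "SAR control test",
             "Completed", date_of_completion=date(2012, 6, 10), sar_finding_id="SAR-02"),
    PoamItem("V-003", "Missing session timeout on portal", "Dev lead", "One sprint",
             date(2012, 9, 30), [("Deploy timeout", date(2012, 9, 30))], "SAR pen test",
             "Ongoing", sar_finding_id="SAR-03"),                  # > 90 days after PA
    PoamItem("V-004", "Unpatched hypervisor", "Infra lead", "Maintenance window",
             date(2012, 7, 1), [("Apply patch", date(2012, 7, 1))], "SAR scan",
             "Ongoing", risk_level="High", sar_finding_id="SAR-04"),  # delayed, unexplained
    PoamItem("V-003", "Weak TLS configuration", "", "Config change",
             date(2012, 7, 15), [("Harden ciphers", date(2012, 7, 15))], "SAR scan",
             "Ongoing", milestone_changes="Revised to 2012-08-31: vendor fix pending",
             sar_finding_id="SAR-05"),                             # duplicate ID, no POC
]

def demo():
    """Run the sample worksheet through the checks; returns (POA&M ID, problems) per row."""
    return validate_worksheet(SAMPLE_ROWS, PA_DATE, AS_OF)
```

Rows V-001 and V-002 conform; V-003 exceeds the 90-day window, V-004 is both delayed without a Milestone Changes note and a high finding not remediated before the PA date, and the second V-003 row fails on the missing POC and the duplicate identifier.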
  • 10. Embedded POA&M Spreadsheet (Click to open): FedRAMP_POAM_Template 043012.xlsx
  • 11. APPENDIX A. ACRONYMS

  [NOTE: Update the acronym list based on the acronyms used in this document]

  AC        Authentication Category
  AP        Assurance Profile
  API       Application Programming Interface
  ATO       Authorization to Operate
  C&A       Certification & Accreditation
  COTS      Commercial Off the Shelf
  AO        Authorizing Official
  FedRAMP   Federal Risk and Authorization Management Program
  FIPS PUB  Federal Information Processing Standard Publication
  FISMA     Federal Information Security Management Act
  GSS       General Support System
  IaaS      Infrastructure as a Service (Model)
  IATO      Interim Authorization to Operate
  ID        Identification
  IT        Information Technology
  LAN       Local Area Network
  NIST      National Institute of Standards and Technology
  OMB       Office of Management and Budget
  PIA       Privacy Impact Assessment
  POA&M     Plan of Action and Milestones
  POC       Point of Contact
  RA        Risk Assessment
  Rev.      Revision
  SA        Security Assessment
  SAR       Security Assessment Report
  SDLC      System Development Life Cycle
  SP        Special Publication
  SSP       System Security Plan
  VLAN      Virtual Local Area Network
  • 12. APPENDIX B. REFERENCES

  [NOTE: Update references as needed to reflect current guidance]

  Laws and Regulations:
  Federal Information Security Management Act of 2002, Title III -- Information Security, P.L. 107-347.
  Consolidated Appropriations Act of 2005, Section 522.
  USA PATRIOT Act (P.L. 107-56), October 2001.

  OMB Circulars:
  OMB Circular A-130, Management of Federal Information Resources, November 2000.
  OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 -- Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005.
  OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 2006.

  FIPS Publications:
  FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
  FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
  FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors

  NIST Publications:
  NIST 800-18, Guide for Developing Security Plans for Information Technology Systems
  NIST 800-26, Security Self-Assessment Guide for Information Technology Systems
  NIST 800-30, Risk Management Guide for Information Technology Systems
  NIST 800-34, Contingency Planning Guide for Information Technology Systems
  NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  NIST 800-47, Security Guide for Interconnecting Information Technology Systems
  NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations
  NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
  NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security
  NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology
  NIST 800-64, Security Considerations in the Information System Development Life Cycle