What is a POA&M?

A Plan of Action and Milestones (POA&M) is a corrective action plan that tracks system weakness and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA&M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones. 

POA&M process overview

The POA&M process begins when a weakness is identified in a CMS FISMA system. Working together, the System/Business Owner and the Authorizing Official (AO) are responsible for mitigating the risk posed by the weakness, with support from the Information System Security Officer (ISSO) and Cyber Risk Advisor (CRA). The steps to the POA&M process are outlined below, and will be described in greater detail throughout the remainder of this guide:

• Identify weaknesses
• Develop a Corrective Action Plan (CAP)
• Determine resource and funding availability
• Assign a completion date
• Execute the Corrective Action Plan (CAP)
• Verify weakness completion
• Accept risk when applicable

Identifying weaknesses

The term “weakness” represents any information security or privacy vulnerability that could be exploited as a result of a specific control deficiency. Weaknesses can compromise a system’s confidentiality, integrity, or availability. All weaknesses that represent risk to the security or privacy of a system must be corrected and the required mitigation efforts captured in a POA&M. For the purpose of this document, the term “weakness” as defined in NIST SP 800-53, rev. 5 will be synonymous with the terms finding and vulnerability. These terms are defined below:

Finding – During an assessment or audit, the security and privacy controls of a system are tested, or exercised. A system either satisfies the requirements or a control or does not satisfy it.  Findings are the result of the assessment or audit. Findings that do not satisfy a control must be addressed with a POA&M. 

Vulnerability – A vulnerability is a weakness in a system, a system’s security procedures, its internal controls, or its implementation that could be exploited or triggered by a threat source. 

Finding weaknesses

Weaknesses may be found during an internal or external audit, review, or through Continuous Diagnostics and Mitigation (CDM) efforts. There are a number of specific sources that help system teams identify weaknesses: 

• HHS OIG Audits 
• Government Accountability Office (GAO) Audits 
• Chief Financial Officer (CFO) Reviews 
• OMB A-123 Internal Control Reviews 
• Annual Assessments
• FISMA Audits 
• Cybersecurity and Risk Assessment Program (CSRAP) or Security Control Assessments (SCA) 
• Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) Section 912 Audits 
• Internal Revenue Service (IRS) Safeguard Reviews 
• Department of Homeland Security (DHS) Risk Vulnerability Assessments (RVA) 
• DHS Cyber Hygiene 
• Penetration Testing 
• Vulnerability Scanning

During these assessments, reviews, and audits, weaknesses can be found either proactively or reactively. 

Proactive - Proactive weakness identification occurs during regular system reviews conducted by CMS. 

Reactive - Reactive weakness determination indicates that the weakness was identified during an audit or external review, like a penetration test. 

Weaknesses are always documented by the source that identified them, and it’s important to indicate the identification source as you create your POA&M. 

Weakness severity levels 

There are three severity levels for all weaknesses discovered during assessments, audits, and tests. The risk the weakness poses to the agency’s overall security and privacy posture determines a weakness’ severity level . There are three levels of severity as defined by OMB: significant deficiency, reportable condition, and weakness.

The weakness severity level can be obtained from the source or the audit report. Most findings will generally be categorized as a “weakness”. In the event that a weakness is designated as a “significant deficiency”, then contact the CISO mailbox for further guidance.

Weakness risk level

NIST SP 800-30 contains the definitions and the practical guidance necessary for assessing and mitigating identified risks to IT systems. Risk level is dependent on multiple factors, such as Federal Information Processing Standard (FIPS) 199 category, operating environment, compensating controls, nature of the vulnerability, and impact if a system is compromised.

Risk can be evaluated either qualitatively or quantitatively and is typically expressed in its simplified form as:

RISK = THREAT x IMPACT x LIKELIHOOD

The result of the analysis of the risk(s) from following the NIST SP 800-30 guide will recommend the overall risk level assigned to FISMA system of record.

Root Cause Analysis (RCA) 

All weaknesses must be examined to determine their root cause prior to documentation in the

POA&M. Root Cause Analysis (RCA) is an important and effective methodology used to correct information security or privacy weaknesses by eliminating the underlying cause. Various factors are reviewed to determine if they are the underlying cause of the weakness. Proper evaluation ensures the cause, not the symptom, is treated and prevents resources from being expended unnecessarily on addressing the same weakness.

Prioritizing weaknesses 

CMS takes a risk management approach to ensure that critical and high-impact weaknesses 

take precedence over lower security weaknesses. The following chart will help CMS System/Business Owners and ISSOs prioritize weaknesses on an ongoing basis to ensure that high-priority weaknesses receive the funding and the resources necessary to remediate or mitigate the most significant risks.

Regardless of how the weakness is found and how severe it is, it’s critical that system teams work together to create a Corrective Action Plan (CAP) to address it.

Develop a Corrective Action Plan (CAP)

After weaknesses have been identified and the root cause has been determined, a Corrective Action Plan (CAP) must be developed. The CAP identifies: 

• The specific tasks, or “milestones”, that need to be accomplished to reduce or eliminate weakness 
• The resources required to accomplish the plan
• A timeline for correcting the weakness including a completion date

The milestones in the CAP must provide specific, action-oriented descriptions of the tasks/steps that the stakeholder will take to mitigate the weakness. When creating your milestones, be sure that they are: 

Specific – target a specific area for improvement 

Measurable – quantify or at least suggest an indicator of progress

Assignable – specify who will do it

Realistic – state what results can realistically be achieved, given available resources

Time-related – specify when the result(s) can be achieved. 

The number of milestones written per weakness must directly correspond to the number of steps or corrective actions necessary to fully address and resolve the weakness. Each weakness must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the weakness. The chart below provides samples of compliant and non-compliant milestones that system teams can use when writing their CAP.

Examples of appropriate milestones 

The CAP should be a collaborative effort with stakeholders including the CISO, System/Business Owners, System Developers and Maintainers, ISSOs, and others as needed. These stakeholders ensure that the CAP is created, executed, monitored, and worked to closure or risk-based acceptance.

OMB provides a standard POA&M format which is utilized at CMS. This structure improves the stakeholders’ ability to easily locate information and organize details for analysis. The CAP format includes a location for the identified program weakness, any associated milestones, and the necessary resources required. 

Once the CAP is documented, the plan must be entered into CFACTS in the form of a series of milestone records. The status of the POA&M will automatically be moved from “draft” to “ongoing” 30 days after the weakness creation date. Once a milestone has been accepted/approved and closed, the record must be retained for one year. 

Determine resource and funding availability

Making funding decisions is often a collaborative exercise that involves multiple system personnel and stakeholders. Examples of questions to ask to determine if your team has the resources to appropriately respond to a weakness are: 

• Is one team or person enough or will the participation of a larger team be needed? 
• Can the task be accomplished within a week or will it take several months? 
• How serious is the weakness? 
• What is this weakness’ risk level? 
• How complex is the CAP? 
• Do we need to purchase equipment?
• Can the weakness be addressed with existing funding or will we require new allocation from an existing budget source? 
• Will my addressing this milestone require changes to existing policy or code? 

The System/Business Owner, ISSOs, and other stakeholders must ensure that adequate resources are allocated to mitigate or remediate weaknesses. They must also work together to determine the funding stream required to address the weakness, and any full-time equivalent (FTE) resources required to remediate or mitigate each weakness on the POA&M. The resources required for weakness remediation must fall into one of the following three categories:

1. Using current resources allocated for the security and/or management of a program or system to complete remediation activities
2. Reallocating existing funds that are appropriated and available for the remediation, or redirecting existing personnel
3. Requesting additional funding or personnel

Duplicate or similar weaknesses shall be documented in one POA&M, existing or new, to avoid inconsistencies. If a related POA&M already exists, the additional weakness shall be noted in the comment field.

Assign a completion date

System/Business Owners, ISSOs, and other stakeholders must determine the scheduled completion date for each weakness using the criteria established by the remediation and mitigation timeline, the risk level, and the severity level. The milestone(s) completion date must not exceed the scheduled completion date assigned to the weakness. 

It is also a good practice to first determine the milestones with completion dates, as this will help determine a more accurate overall scheduled completion date for the weakness. The weakness schedule completion date is a calculated date. It is determined by the identified date and the risk level. The scheduled completion date established at the creation of the weakness must not be modified after the weakness is reported to OMB. POA&Ms become reportable once the status changes from “Draft” to “Ongoing” in CFACTS. 

If a weakness is not remediated within the scheduled completion date, a new estimated completion date must be determined and documented in the Changes to Milestones and Comment fields in the POA&M in CFACTS.

NOTE: In use cases where a responsive and timely POA&M cannot be developed, the ISSO can choose to consider the Risk Based Decision (RBD) process to request the Authorizing Official (AO) to consider a risk acceptance until such time the vulnerability can be remediated.

Execute the Corrective Action Plan (CAP)

A designated Point of Contact (POC), responsible for ensuring proper execution of the CAP, must be identified for each weakness and its milestones. Individual(s) responsible for the execution of the CAP vary widely depending on the organization, system, milestones, and weakness.

This POC resource will be key to identifying an “owner” of the milestone and ensuring the milestone is worked to the eventual remediation of the weakness or acceptable mitigation of the weakness. Once the planning of the necessary corrective action is complete and adequate resources have been made available, remediation or mitigation activities will proceed in accordance with the plan.

If the completion of a milestone extends past its original estimated completion date, an update to the milestone and the completion date of the milestone must be captured in the “Changes to Milestone” field of CFACTS. If the scheduled completion date has passed before the weakness is remediated or mitigated, the weakness must default to “Delayed” status and a justification with a new estimated completion date must be documented in the “Comment” field and the “Changes to Milestone” field of the relevant weakness in CFACTS.

Verify weakness completion

CMS requires that all information in the POA&M be updated at least quarterly, ensuring accuracy for efficient tracking and reporting. As part of the review process, the ISSO will:

• Validate that the weakness is properly identified and prioritized
• Ensure that appropriate resources have been made available to resolve the weakness
• Ensure that the schedule for resolving the weakness is both appropriate and achievable

Accept risk when applicable

A POA&M is a plan to resolve unacceptable risks. In rare cases, the Business Owner can present a case for accepting the risk to the AO or CIO, who may make the decision to accept the risk at their discretion. This is part of the Risk Based Decision (RBD) process. After approval, RBDs shall be reviewed at least annually to ensure the risk remains acceptable and updated as events occur and information changes. RBDs are managed in CFACTS under the "RBD" tab.

Closing a POA&M

POA&Ms designated as Low and Moderate are closed by the ISSO and spot audited by a CRA. 

POA&Ms designed as Critical and High are closed by the CRA. 

POA&Ms generated from audits should be reviewed by the auditor prior to closure. 

POA&Ms resulting from a Penetration Test (PenTest) are closed by the PenTest team after the re-test has been performed.

Reports

Reporting is a critical component of POA&M management, and CMS reports its remediation efforts on a monthly basis. The information in the POA&M must be maintained continuously to communicate overall progress. CMS must submit POA&M updates at least once a month (by the 3rd business day of each month) to HHS to demonstrate the status of POA&M mitigation or remediation activities.

CMS must submit the following information in accordance with the Department POA&M reporting requirements:

• All POA&Ms associated with a program, system and/or component that are within an authorization boundary. POA&Ms must be tied to the individual system and/or component and not the authorization boundary.
• An explanation associated with each delayed POA&M and a revised estimated completion date.
• Completed POA&Ms for up to one year from the date of completion.

Weakness remediation and mitigation timeline

After positive identification of scan findings or approval of security assessment and/or audit report, all findings/weaknesses shall be documented in a POA&M, reported to HHS, and remediated/mitigated within the following remediation timelines. 

• Critical within 15 days
•  High within 30 days
• Moderate within 90 days
• Low within 365 days

Business Owners, ISSOs, and/or other POA&M stakeholders must work together to determine the scheduled completion date for each POA&M within the specified remediation timelines. These timelines are based on the date the weakness is identified, not the date the POA&M is created. Stakeholders should complete and submit their CAAT templates in a timely manner to allow for the maximum time to complete the remediation/mitigation. 

If it is determined that additional time is needed to remediate or mitigate a weakness, the justification with a modified estimated completion date shall be documented in the POA&M in the Changes to Milestones and Comment fields in CFACTS. If weaknesses are not remediated within the scheduled completion date, the status shall change to “Delayed”. 

Weaknesses discovered during a government audit 

Weaknesses identified during a government audit (i.e., Inspector General or GAO audit) shall be documented in the POA&M after the audit draft report is produced, regardless of CMS acceptance of the identified weakness(es). Disagreements on findings that cannot be resolved between CMS and the auditing office shall be elevated to the Department for resolution. Systems must review and update POA&Ms at least quarterly. In addition, compensating controls must be in place and documented until weaknesses are remediated or mitigated to an acceptable level of risk.

CFACTS

Stakeholders must use CFACTS, the CMS GRC tool, to identify, track, and manage all system weaknesses and associated POA&Ms to closure for CMS information systems. Users who need access to CFACTS may request an account and appropriate privileges through the Enterprise User Administration (EUA). The job code is CFACTS_User_P. Once the job code is assigned, the user must email the CISO mailbox at ciso@cms.hhs.gov to notify the CISO of the user’s role (ISSO, System Developer, or System/Business Owner).

The CFACTS User Manual provides detailed instructions for processing POA&M actions in the CFACTS tracking system. The User Manual can be accessed under the CFACTS Documents section on the CFACTS Artifacts page which can be accessed by clicking on the CFACTS Artifacts icon on the welcome page.

POA&M Glossary

The following glossary will help system teams understand the language of the POA&M process.