Plan of Action and Milestones (POA&M)

Short Description

A corrective action plan roadmap to address system weaknesses and the resources required to fix them

Contact Name: ISPG Policy Team
Contact Email: CISO@cms.hhs.gov
Slack Channel(s): #cra-help

What is a POA&M?

When regular audits are conducted to assess the security posture of CMS information systems (and when new systems are being developed) there will inevitably be times that improvements or adjustments are needed. This isn’t a negative reflection on the Business Owner, ISSO, or system builder – it’s just a result of the fact that security is never “done”. Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks. 

The process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA&M). A POA&M is created whenever audits reveal an area of weakness in security controls. This is an opportunity to strengthen or “harden” your system through carefully planned improvements – which boosts the overall resilience of our agency’s cyber infrastructure. The CMS security staff and your integrated team are ready to help you along the way.

Learn more about POA&Ms

The POA&M Handbook provides an in-depth look at the POA&M process from start to finish.

What is the POA&M process?

POA&Ms are created and tracked in the CMS FISMA Controls Tracking System (CFACTS). The process is briefly summarized below. You can find detailed information about POA&Ms in the CMS Plan of Action and Milestones (POA&M) Handbook.

Receive audit reports

Throughout the year, ongoing assessments and audits are conducted on systems to help improve overall security stature at CMS. Sometimes these activities result in “findings” — threats and vulnerabilities that exist in our programs or security systems which require attention.

After an assessment or audit, you’ll receive a report that shows potential areas of concern. Risks are always present and always changing, and audit findings help us uncover them. There are various methods and time frames for resolving these findings, but all findings must follow a distinct remediation process. We look carefully at the finding source (how and where the weakness was identified) to determine what template to use to report the finding to you.

Find opportunities to improve security

If a potential threat or vulnerability is found in your system, start by discussing it with your integrated project team to make sure you fully understand its implications. Whoever conducted the audit or assessment will document the finding using the CMS Assessment and Audit Template (CAAT). It will explain where the system is performing as expected and where it could be strengthened. 

Auditors and assessors use the term "weakness" in their reports to describe threats and vulnerabilities. Sometimes the risk can be fixed right away, and sometimes a POA&M is needed. Occasionally, some of these threats and vulnerabilities may be addressed to some degree through an existing, compensating control, and your team may decide that the risk is acceptable.

Analyze risks and options

If your program or system is at risk, you will need to consider the Risk Level and Severity Level. A Risk Level is calculated based on the likelihood of the risk being exploited and the potential resulting impact on the system and users. The Severity Level considers the significance that the weakness(es) pose to your system and the agency’s overall security and privacy posture.

Analyzing threats and vulnerabilities requires an impact assessment and consultation with your integrated project team and vendor support. Several methodologies may be used during this phase, including a Root Cause Analysis, which helps you uncover the actual cause(s) of the finding and not just a symptom.

Using the results of these analyses, you and your team will consider options for how to address the findings and associated risks. Ultimately there are two choices:

  • Deem the risk “acceptable” and develop a Risk-Based Decision (RBD) to explain your justification for accepting the risk
  • Deem the risk “unacceptable” and move on to develop a mitigation strategy

Develop a corrective action plan

The Corrective Action Plan forms the foundation of the POA&M. It describes the identified weaknesses, any associated milestones, and necessary resources required. Developing this plan should be a collaborative process, with input from your integrated project team and other stakeholders.

The milestones in your plan must provide specific descriptions of the steps your team will take to mitigate the finding. Each finding must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the finding.

Once the plan is formally documented, it is entered into CFACTS as a series of milestone records. The status of the POA&M will automatically be moved from “draft” to “ongoing” 30 days after the creation date.

Put the plan into action

Once your POA&M is approved, possibly with additional recommendations from ISPG support staff, you will take steps to put the plan into action. You need to determine the specific funding and personnel resources needed to mitigate each finding on the POA&M. In most cases, the existing resources allocated to a program or system will be sufficient, but occasionally you may need to request additional funding or personnel.  

Next, you will work with your vendor(s) to create and test the appropriate safeguard(s) and countermeasures that mitigate the risks. This can take a few weeks or several months depending on the complexity of the change. In some cases, a third party software vendor may need to issue a patch or fix.

The steps and timeline to complete your POA&M may need to be adjusted along the way. A POA&M is a living document that should be continually updated as circumstances evolve.

Report on progress

POA&Ms should be reviewed and updated in CFACTS on a continuing basis to show that they are on track for completion. CMS requires that all information in the POA&M should at minimum be updated monthly and be accurate on the first day of each month for tracking and reporting purposes.

Regular POA&M reporting helps to ensure that:

  • Vulnerabilities or "weaknesses" are properly identified and prioritized
  • Adequate resources have been allocated and assigned
  • The timeline to mitigate vulnerabilities is achievable

Each vulnerability must have a milestone entered with it that identifies the specific mitigation actions and a completion date so that progress can be tracked. Recording the status of each corrective action demonstrates that the POA&M is part of an ongoing monitoring process.

Confirm POA&M completion

When your new safeguard(s) are tested and approved for release, you are almost across the finish line! You’ll need to confirm the successful resolution of vulnerabilities and provide artifacts related to the POA&M completion. Examples of such artifacts may include control text results, a policy or procedure document, a screenshot of a patch applied, or other new system documentation. 

Cyber Risk Advisors at ISPG will review certain POA&M findings. Based on a risk determination and the evidence provided, they will decide if the finding has been adequately addressed and corrected. The initial findings that prompted the creation of a POA&M should not be marked “completed” until they are proven to be fully resolved. When completion is confirmed, the ISSO will mark the POA&M closed in CFACTS.

Completed POA&Ms must remain on the monthly POA&M report for one year after their completion date. The artifacts are stored in CFACTS and retained for at least one year with the completed POA&M.

POA&Ms and continuous monitoring

Besides requiring corrective actions to mitigate weaknesses, CMS continuously monitors risk across all systems so that resources can be allocated effectively. It’s important to understand how this continuous monitoring affects the POA&M process.

POA&M reporting

CMS submits POA&M reports to HHS at least once a month to show the status of mitigation activities. The information within a POA&M must be maintained continuously so that CMS reports are reflective of the current state. The reports to HHS also include:

  • Completed POA&Ms, for a year after their completion
  • Delayed POA&Ms, along with an explanation for their delay and a revised estimated completion date

Risk Based Decisions (RBD)

Sometimes a Business Owner and their project team may decide to accept potential risk(s) identified by assessment findings. They must create a Risk Based Decision (RBD) to explain the reasoning and the accepted risk. As part of continuous monitoring across CMS, all RBDs are reviewed annually to ensure the risk remains acceptable. Risk Based Decisions may be updated as events occur and information changes. RBDs are managed in CFACTS under the "RBD" tab.

Risk evaluation and prioritization

As POA&Ms are being worked on across all CMS systems, risk evaluation and prioritization continue through ongoing assessments and audits. When a new, critical weakness is discovered, resources may need to be shifted to remediate it appropriately. Weaknesses that were once deemed a high priority may not continue to receive the same level of consideration as risks and threats evolve.

POA&Ms are an essential part of CMS’ ongoing efforts to maintain a resilient cyber infrastructure and to protect the sensitive information of our beneficiaries. Each new safeguard or countermeasure implemented helps to reduce risk and improve our security and privacy posture.