IAO-05.1: Plan of Action & Milestones (POA&M) Automation

IAO 2 — Low Detect

Automated mechanisms exist to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.

Control Question: Does the organization use automated mechanisms to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available?

General (3)

  Framework Mapping                    Values
  NIST 800-53 R4                       CA-5(1)
  NIST 800-53 R5 (source)              CA-5(1)
  NIST 800-53 R5 (NOC) (source)        CA-5(1)

US (1)

  Framework Mapping                    Values
  US CMS MARS-E 2.0                    CA-5(1)

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.

Level 3 — Well Defined

Information Assurance (IA) is standardized across the enterprise and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Cybersecurity personnel implement and maintain an established Information Assurance Program (IAP) capability to conduct “business as usual” pre-production cybersecurity and data privacy control testing focused on the concept of “security and data privacy by design and by default.”
  • The IAP validates that systems/applications/services/processes are both secure and compliant.
  • A Governance, Risk & Compliance (GRC) function, or similar function, facilitates the implementation of cybersecurity and data protection controls to ensure that secure engineering practices are designed and implemented throughout the lifecycle of systems, applications and services both internal and external to the organization.
  • A Project Management Office (PMO), or project management function, ensures project involvement for IAP as part of the organization's established project management processes.
  • A Plan of Action and Milestones (POA&M), or similar mechanism, exists to document planned remediation actions to correct weaknesses or deficiencies noted during the assessment of the security controls, helping to reduce or eliminate known vulnerabilities.
  • Administrative processes prevent systems/applications/services/processes from “going live” in a production environment without first going through the IAP process.
  • The IAP uses a tiered approach to conformity testing, based on (1) the sensitivity of data that is stored, processed and/or transmitted and (2) the criticality of the system/application/service/process.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.

Assessment Objectives

  1. IAO-05.1_A01: Automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action for the system are defined.
  2. IAO-05.1_A02: Organization-defined automated mechanisms are used to ensure the accuracy, currency, and availability of the plan of action for the system.

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.