This week, FedRAMP published a weekly tip that discusses POA&Ms and testing evidence timeliness.
Q: What purpose does the Plan of Action & Milestones (POA&M) document serve?
A: The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s risk mitigation strategy. The POA&M includes the findings and recommendations of the security assessment report and the continual security assessments. The POA&M identifies: (i) the tasks the CSP plans to accomplish, with a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for the milestones.
FedRAMP uses the POA&M to monitor CSP progress in correcting weaknesses or deficiencies noted during the initial assessment, the annual security control assessment, and throughout the continuous monitoring process. The POA&M has columns labeled A through Z, which must be filled in for each row; each row is a uniquely identified vulnerability.
Use the FedRAMP Plan of Action and Milestones (POA&M) Template to track and manage POA&Ms.
The POA&M workbook has two spreadsheets, the “Open” tab and the “Closed” tab. The Open POA&M spreadsheet includes known security weaknesses within the cloud information system. Open POA&M items must comply with the following:
- If a finding is reported in the Security Assessment Report (SAR) and/or in the continuous monitoring activities, the finding must be included as an item on the POA&M
- False positives identified in the SAR (Appendices C, D, and E), along with supporting evidence (for example, clean scan report) do not have to be included in the POA&M
- Each line item on the POA&M must have a unique identifier. This unique identifier must pair with a respective SAR finding and/or any continuous monitoring vulnerability
- All high and critical risk findings must be remediated prior to receiving a JAB Provisional Authorization
- High and critical risk findings identified following JAB Provisional Authorization through continuous monitoring activities must be mitigated within 30 days after identification
- Moderate findings shall have a mitigation date within 90 days of JAB Provisional Authorization date or within 90 days of identification as part of continuous monitoring activities
- The POA&M must be submitted in an appropriate format for the FedRAMP automated processes
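The Open-tab rules above (unique identifiers paired to a SAR or ConMon finding, high/critical findings blocking the JAB P-ATO, 30-day and 90-day remediation windows) are mechanical enough to check before a submission. The following is an added example, not code from FedRAMP or the POA&M template: a small validator over constructed POA&M rows. The `PoamItem` dataclass, the `KNOWN_FINDINGS` set and the sample rows are assumptions made for the example; the only inputs it takes from the tip are the severity windows. Low findings carry no window in the tip, so the checker imposes none on them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the FedRAMP tip: high/critical within 30 days of
# identification after P-ATO (and fully remediated before P-ATO); moderate within
# 90 days of the P-ATO date or of identification during continuous monitoring.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90}


@dataclass
class PoamItem:                  # hypothetical row model, not the template's columns A-Z
    poam_id: str                 # unique identifier for the POA&M row
    source_id: str               # SAR finding or ConMon vulnerability it pairs with
    severity: str                # critical / high / moderate / low
    identified: date             # date the weakness was identified
    scheduled_completion: Optional[date] = None


def required_completion_date(item: PoamItem, pato_date: Optional[date]) -> Optional[date]:
    """Latest acceptable completion date under the windows above (None for low findings)."""
    sev = item.severity.lower()
    days = REMEDIATION_DAYS.get(sev)
    if days is None:
        return None
    if sev == "moderate" and pato_date is not None and item.identified <= pato_date:
        # Moderate findings from the initial assessment: 90 days from the P-ATO date.
        return pato_date + timedelta(days=days)
    # Everything else: the window runs from the identification date.
    return item.identified + timedelta(days=days)


def check_open_poam(items, known_finding_ids, pato_date=None, today=None):
    """Return [(poam_id, problem)] for open rows that break the tip's rules.

    pato_date=None means the package is still pre-authorization, so any open
    high/critical finding blocks the JAB P-ATO outright.
    """
    today = today or date.today()
    problems = []
    seen = set()
    for item in items:
        if item.poam_id in seen:
            problems.append((item.poam_id, "duplicate POA&M identifier"))
        seen.add(item.poam_id)
        if item.source_id not in known_finding_ids:
            problems.append((item.poam_id, "does not pair with a SAR or ConMon finding"))
        sev = item.severity.lower()
        if pato_date is None and sev in ("critical", "high"):
            problems.append((item.poam_id, "high/critical must be remediated before P-ATO"))
        due = required_completion_date(item, pato_date)
        if due is None:
            continue
        if item.scheduled_completion is None:
            problems.append((item.poam_id, "missing scheduled completion date"))
        elif item.scheduled_completion > due:
            problems.append((item.poam_id, f"scheduled completion after {due} window"))
        if today > due:
            problems.append((item.poam_id, f"overdue since {due}"))
    return problems


# Constructed sample: a system granted P-ATO on 2023-01-15, checked on 2023-04-01.
PATO = date(2023, 1, 15)
TODAY = date(2023, 4, 1)
KNOWN_FINDINGS = {"SAR-007", "SAR-012", "CM-2023-03-001", "CM-2023-03-002"}

SAMPLE_OPEN_ITEMS = [
    # Moderate finding from the initial assessment: due 90 days after P-ATO (2023-04-15).
    PoamItem("V-001", "SAR-007", "moderate", date(2022, 11, 1), date(2023, 4, 10)),
    # High finding from a March ConMon scan: due 30 days after identification (2023-04-04).
    PoamItem("V-002", "CM-2023-03-001", "high", date(2023, 3, 5), date(2023, 4, 20)),
    # Duplicate identifier, and its source ID matches no SAR or ConMon finding.
    PoamItem("V-002", "SCAN-999", "low", date(2023, 3, 20), None),
    # Critical finding identified 2023-02-10 (due 2023-03-12), still open on 2023-04-01.
    PoamItem("V-003", "CM-2023-03-002", "critical", date(2023, 2, 10), date(2023, 3, 1)),
]


def demo():
    return check_open_poam(SAMPLE_OPEN_ITEMS, KNOWN_FINDINGS, pato_date=PATO, today=TODAY)


if __name__ == "__main__":
    for poam_id, problem in demo():
        print(f"{poam_id}: {problem}")
```

Running it lists four problems: the high finding's scheduled date falls outside its 30-day window, the duplicated identifier, the unpaired source ID, and the overdue critical finding. Passing `pato_date=None` for the same rows additionally flags every open high/critical row as blocking the authorization.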
Q: When submitting a completed authorization package to FedRAMP, what are the three categories of testing evidence with timeliness criteria? Please define the timeliness criteria required.
A: The three categories of testing evidence with timeliness criteria are penetration testing, security controls testing, and vulnerability scanning. Vulnerability scanning must cover operating system (OS)/infrastructure, database, and web application components. The CSP/3PAO must ensure that the associated testing evidence is considered “timely” by the PMO (the JAB and PMO follow the same requirements).
Timeliness Requirements for Penetration Testing
- When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process, the Penetration Test cannot be older than 6 months
- CSPs should ensure the Penetration Test is executed as close as possible to a CSP’s submission of the authorization package
- Once a JAB P-ATO is granted, CSPs must have a 3PAO complete a new Penetration Test at minimum once a year
Timeliness Requirements for Security Control Testing
- When submitting a completed authorization package to FedRAMP, security control testing evidence must be current within:
  - 120 days, if the system does not have an existing FedRAMP Agency authorization
  - 12 months, if the system has an existing FedRAMP Agency authorization
Timeliness Requirements for Vulnerability Scanning
- When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process or the Agency ATO process, the scans completed by a 3PAO and reflected in the Security Assessment Report (SAR) must be current within 120 days
- Additionally, CSPs must submit scans and a POA&M current within 30 days prior to the date of the JAB P-ATO process kickoff
- During the JAB P-ATO process and afterwards, vendors must submit monthly vulnerability scans, in accordance with security controls RA-5 and RA-5 (5); and matching POA&Ms, in accordance with security control CA-5
- Agency ATO systems should be submitting timely monthly scan results and POA&Ms to the partnering agency(ies)
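The three timeliness rule sets above can be checked against a package's evidence dates before submission. The following is an added example, not code from FedRAMP: it applies the penetration test (6 months), security control testing (120 days, or 12 months with an existing Agency ATO), SAR scan (120 days per component) and pre-kickoff (30 days for scans and POA&M) windows to a constructed set of artifact dates. The `evidence` dictionary layout, `months_before` helper and sample dates are assumptions made for the example; "6 months" and "12 months" are taken as calendar months, which is an interpretation, since the tip does not say how to count them.

```python
import calendar
from datetime import date


def months_before(d: date, n: int) -> date:
    """Same calendar day n months before d, clamped to the earlier month's length."""
    y, m = d.year, d.month - n
    while m <= 0:
        m += 12
        y -= 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def check_package_evidence(evidence, submission, has_agency_ato, kickoff=None):
    """Return a list of timeliness problems for an authorization package.

    evidence keys (all dates, layout assumed for this example): pentest,
    control_testing, sar_scans (component -> date for OS/infrastructure,
    database and web application scans), and optionally kickoff_scans and
    poam for the 30-day pre-kickoff rule.
    """
    problems = []

    # Penetration test: no older than 6 months at package submission.
    if evidence["pentest"] < months_before(submission, 6):
        problems.append(f"penetration test dated {evidence['pentest']} is older than 6 months")

    # Security control testing: 12 months with an existing Agency ATO, else 120 days.
    ct = evidence["control_testing"]
    if has_agency_ato:
        if ct < months_before(submission, 12):
            problems.append(f"control testing dated {ct} is older than 12 months")
    elif (submission - ct).days > 120:
        problems.append(f"control testing is {(submission - ct).days} days old (limit 120)")

    # 3PAO scans reflected in the SAR: every component current within 120 days.
    for component, scanned in evidence["sar_scans"].items():
        age = (submission - scanned).days
        if age > 120:
            problems.append(f"{component} scan is {age} days old (limit 120)")

    # Scans and POA&M current within 30 days before the JAB P-ATO kickoff.
    if kickoff is not None:
        for label, key in (("scan set", "kickoff_scans"), ("POA&M", "poam")):
            age = (kickoff - evidence[key]).days
            if age > 30:
                problems.append(f"{label} is {age} days old at kickoff (limit 30)")
    return problems


# Constructed sample package: submitted 2023-06-01 without an existing Agency ATO,
# with the JAB P-ATO kickoff planned for 2023-06-15.
SUBMISSION = date(2023, 6, 1)
KICKOFF = date(2023, 6, 15)
SAMPLE_EVIDENCE = {
    "pentest": date(2022, 11, 20),        # 6-month cutoff is 2022-12-01: stale
    "control_testing": date(2023, 3, 1),  # 92 days old: fine without an Agency ATO
    "sar_scans": {
        "os/infrastructure": date(2023, 2, 15),  # 106 days old
        "database": date(2023, 1, 20),           # 132 days old: stale
        "web application": date(2023, 3, 1),     # 92 days old
    },
    "kickoff_scans": date(2023, 5, 20),   # 26 days before kickoff
    "poam": date(2023, 5, 10),            # 36 days before kickoff: stale
}


def demo():
    return check_package_evidence(SAMPLE_EVIDENCE, SUBMISSION, has_agency_ato=False, kickoff=KICKOFF)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

For the sample package the check reports three problems: the penetration test, the database scan and the POA&M at kickoff. The control testing branch is the one place where the Agency ATO status changes the answer, so a package reusing older control testing evidence should be checked with `has_agency_ato` set correctly.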
Read more about this week’s FedRAMP Tips and Cues here.