The Federal Risk and Authorization Management Program was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of commercial cloud services by the federal government and contractors supporting agencies. FedRAMP promotes the adoption of secure cloud services by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP mandates the use of numerous templates and documents in support of the compliance requirements required for certification. During the Continuous Monitoring phase of the FedRAMP authorization, a CSP must maintain and provide a FedRAMP POA&M artifact that follows the prescribed template.
POA&M (aka POAM) stands for “Plan of Action and Milestones.” It is a document used to track and report on the progress of security controls implementation and compliance efforts for cloud systems and services. POAM management is required for any cloud service that is seeking FedRAMP certification. The POAM outlines the specific security controls that are required for the system, as well as the schedule for implementing those controls and the milestones that will be used to measure progress. The POAM is also used to track any issues that arise during the certification process, and to document the resolution of those issues.
The POA&M is a key document in the security authorization package and monthly continuous monitoring activities. It identifies the system’s known weaknesses and security deficiencies, and describes the specific activities the CSP will take to correct them. A CSP applying for a FedRAMP JAB P-ATO, or a FedRAMP Agency ATO, must establish and maintain a POA&M for their system in accordance with this POA&M Template Completion Guide using the FedRAMP POA&M Template.
The purpose of the POA&M is to facilitate a disciplined and structured approach to tracking risk mitigation activities in accordance with the CSP’s priorities. The POA&M includes security findings for
the system from periodic security assessments and ongoing continuous monitoring activities. The
POA&M includes the CSP’s intended corrective actions and current disposition for those findings.
Here are some helpful links and resources for CSP looking to obtain and maintain FedRAMP compliance and authorization:
For CSP’s responsible for managing the creation and submission of POAM documents to the FedRAMP PMO and agencies, should note that the FedRAMP PMO, in collaboration with NIST, is working to digitize the authorization package through the development of a common machine-readable language, also known as the Open Security Controls Assessment Language (OSCAL). With OSCAL, activities associated with preparing, authorizing, and reusing cloud products and services will require less time and resources. The FedRAMP PMO has published a guide to develop and deliver POAM data in OSCAL format.