“Death by POAM” writes:
I just started a new job and I am a bit surprised at what I am seeing with the POA&Ms for the various systems in my new agency. At my previous place of employment we carefully maintained POA&Ms for several systems. In all cases, each line item represented one “weakness” identified during testing or monitoring of the system’s compliance. Within each line item there would be one or more “milestones” representing specific corrective steps which, in some cases, corresponded to the corresponding non-compliant controls or CCIs. When I saw the POA&Ms at my new place, I was shocked to say the least. They have a separate line item on the POA&M for each non-compliant control or CCI. It makes the POA&Ms so big and unwieldy! I mentioned this to one of the other ISSOs and she was very adamant that “this is the way RMF tells us to do it”. If that’s true, the POA&Ms at my old place were just wrong. Is she right about this? Have I been doing POA&Ms wrong all these years?
Dr. RMF Responds:
Dr. RMF is not aware of anything in the NIST or DoD RMF publications that speaks directly to this question of “granularity” in the POA&M. So long as all the non-compliances and security weaknesses are covered by the POA&M one way or another, it ought to be acceptable. In Dr. RMF’s opinion, the way you were doing it on your old job, i.e., one line item per “weakness”, actually makes more sense from a management perspective. I would much rather see a POA&M that clearly delineates the security weaknesses or issues that require attention rather than a ponderous list of controls and CCIs that may be technically accurate but does not clearly convey what is truly going on. For example, if my system does not have a functional alternate processing (COOP) site, there will probably be numerous controls and CCIs that are non-compliant, but the bottom line is this should best be viewed as a single security issue requiring attention (and re-sources).
That said, however, I do know quite a few Authorizing Officials, and, in some cases, even entire commands, do recommend … or even require … the “one line item per non-compliant control/CCI” approach. Some even go so far as to require a separate POA&M line item for every non-compliant STIG item! Ouch!
Dr. RMF’s advice is to pose this very question to your AO or AO Designated Representative and see what they have to say. That should clear up any ambiguity going forward.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/