NIST 800-171 • LEVEL 2 • SECURITY ASSESSMENT AND MONITORING
3.12.2 — Plan of Action and Milestones
Develop a plan of action and milestones for the system:
- to document the planned remediation actions to correct weaknesses or deficiencies noted during security assessments; and
- to reduce or eliminate known system vulnerabilities.
Update the existing plan of action and milestones based on the findings from:
- security assessments,
- audits or reviews, and
- continuous monitoring activities.
Assessment Objectives
- a plan of action and milestones for the system is developed to document the planned remediation actions for correcting weaknesses or deficiencies noted during security assessments.
- a plan of action and milestones for the system is developed to reduce or eliminate known system vulnerabilities.
- the existing plan of action and milestones is updated based on the findings from security assessments.
- the existing plan of action and milestones is updated based on the findings from continuous monitoring activities.
- the existing plan of action and milestones is updated based on the findings from audits or reviews.
Practitioner Notes
A Plan of Action and Milestones (POA&M) is your to-do list for security gaps. When an assessment finds something that is not right, you document it here along with what you are going to do about it and when you will have it done.
Example 1: Your Nessus scan found that SMBv1 is still enabled on three file servers. Your POA&M entry would say: "Disable SMBv1 on SRV-FILE01, SRV-FILE02, SRV-FILE03 via GPO (Computer Configuration > Administrative Templates > Network > Lanman Server > SMB Minimum version). Responsible: IT Admin. Due: 30 days. Milestone: GPO tested in dev by day 14."
Example 2: Your assessment found that endpoint detection logs are not being forwarded to a central location. The POA&M entry: "Configure Microsoft Defender for Endpoint to stream alerts to the SIEM via the Settings > APIs > SIEM connector in the M365 Defender portal. Responsible: Security team. Due: 45 days."
Keep this document alive. Review it monthly, update completion percentages, and close items as they are resolved. Your assessor will want to see this.
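As an added example (not part of this page), a small Python tracker that applies the lifecycle the notes describe: findings from an assessment, audit or continuous-monitoring run either open a new POA&M item with a due date and a milestone or refresh an existing one, items that are no longer reported are closed, and open items past their due date are flagged for the monthly review. The SLA day counts, the responsible party and the finding names are constructed assumptions, not values from the control.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Remediation SLA in days per finding severity (constructed values for this example)
SLA_DAYS = {"critical": 15, "high": 30, "moderate": 45, "low": 90}


@dataclass
class PoamItem:
    weakness: str                 # identifies the finding (e.g. check name + host)
    source: str                   # "assessment", "audit" or "continuous monitoring"
    responsible: str
    opened: date
    due: date
    milestones: list = field(default_factory=list)
    percent_complete: int = 0
    closed: Optional[date] = None


def develop_or_update(poam, findings, today, responsible="IT Admin"):
    """Merge one round of findings into the POA&M (objectives a and b of 3.12.2).

    findings: iterable of (weakness, severity, source). A weakness that is
    re-reported keeps its original due date (the clock does not reset); a
    weakness that is no longer reported is closed as of today; a new weakness
    gets a due date from the severity SLA and a mid-point test milestone.
    """
    open_items = {i.weakness: i for i in poam if i.closed is None}
    seen = set()
    for weakness, severity, source in findings:
        seen.add(weakness)
        if weakness in open_items:
            open_items[weakness].source = source   # record the latest activity that saw it
            continue
        sla = SLA_DAYS[severity]
        poam.append(PoamItem(
            weakness=weakness, source=source, responsible=responsible,
            opened=today, due=today + timedelta(days=sla),
            milestones=[f"Fix tested in dev by day {sla // 2}"]))
    for weakness, item in open_items.items():
        if weakness not in seen:                   # resolved: no longer reported
            item.percent_complete = 100
            item.closed = today
    return poam


def overdue(poam, today):
    """Open items whose due date has passed; these need attention at the monthly review."""
    return [i.weakness for i in poam if i.closed is None and i.due < today]
```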