On June 22, 2001,
I issued a memorandum on "Reporting Instructions for the Government
Information Security Reform Act" (OMB M-01-24). In the memorandum,
OMB asked each agency to submit, with its September budget request,
a set of program reviews and evaluations of both unclassified
and classified systems, along with an executive summary. In addition,
OMB asked each agency to submit to OMB by October 31, 2001, (with
brief quarterly updates thereafter) "a plan of action with milestones"
to address all weaknesses identified by program reviews and evaluations.
In response to the
June 22nd memorandum, several agencies have asked OMB
to issue more detailed guidance that further describes, and provides
a standard format for, the information that agencies should include
in their plans of action and milestones (POA&M). Working with
representatives of agency program offices and Inspector General
offices, OMB has developed the attached POA&M guidance, which
provides specific instructions and examples for the POA&Ms.
The first POA&M is due by October 31st, but please
notify us if you will need more time. At a minimum, POA&Ms
must address the reporting elements found in the attached guidance.
Agency Chief Information Officers, working with program officials,
budget officers, Inspectors General, and other appropriate agency
officials, are responsible for developing a POA&M for each
program and system for which a weakness was identified during
the annual program review and independent evaluations required
by the Government Information Security Reform Act.
Additionally, the
POA&Ms should either reflect consolidation with or be accompanied
by other agency plans to correct security weaknesses found during
any other review done by, for, or on behalf of the agency, including
GAO audits, financial system audits, and critical infrastructure
vulnerability assessments. Thus, the submission of these POA&Ms
includes, but does not necessarily replace, all security remediation
plans that an agency might have. By reflecting the enterprise
security needs of an agency, a consolidated POA&M provides
a roadmap for continuous agency security improvement, assists
with prioritizing corrective action and resource allocation, and
is a valuable management and oversight tool for agency officials,
Inspectors General, and OMB.
The attachments provide
specific instructions and examples for the POA&Ms.
POA&Ms should
be sent to:
Office of Management
and Budget
New Executive Office Building, Rm 10236
725 17th St, NW
Washington, DC 20503
Questions and comments
should be directed to Kamela White at kgwhite@omb.eop.gov
or 202-395-3630.
Preparing and Submitting
Security Plans of Action and Milestones
What is a
POA&M?
A plan of action and
milestones (POA&M) is a tool that identifies tasks that need
to be accomplished. It details resources required to accomplish
the elements of the plan, any milestones in meeting the task,
and scheduled completion dates for the milestones.
The purpose of this
POA&M is to assist agencies in identifying, assessing, prioritizing,
and monitoring the progress of corrective efforts for security
weaknesses found in programs and systems.
When is the
POA&M due?
The first POA&M
is due to OMB on October 31, 2001. Please notify Kamela White
in OMB to request more time based on agency need. Thereafter,
brief status updates must be submitted on a quarterly basis. The
first quarterly update is due to OMB on January 31, 2002.
How many POA&Ms
should an agency prepare?
An agency should develop
a separate POA&M for every program and system for which weaknesses
were identified in the Security Act reports, as well as those
discovered during other reviews including GAO audits, financial
system audits, and critical infrastructure vulnerability assessments.
Thus, the POA&Ms should either reflect consolidation with,
or be accompanied by, other agency plans to correct security weaknesses
found during any other review done by, for, or on behalf of the
agency, including GAO audits, financial system audits, and critical
infrastructure vulnerability assessments.
Who uses the
POA&M?
These plans are designed
to be used largely by: (1) CIOs, program officials, and other
appropriate agency employees to track progress of corrective actions;
(2) IGs to perform follow-up work with agencies; and (3) OMB to
assist in its oversight responsibilities and to inform the budget
process.
How is the
POA&M tied to the budget process?
To promote greater
attention to security as a fundamental management priority, OMB
continues to take steps to integrate security into the capital
planning and budget process. This integration is already producing
tangible benefits by promoting security that comports with the
agency's enterprise architecture, supports business operations,
and is funded within each information system over its life-cycle.
To further assist in this integration, the POA&Ms and annual
security reports and executive summaries (1)
must be cross referenced to the budget materials sent to OMB in
the fall including exhibits 300 and 53.
Specifically, for
each POA&M that relates to a project (including systems) for
which a capital asset plan and justification (2)
(exhibit 300) was submitted or was a part of the exhibit 53, the
unique project identifier must be reflected on the POA&M.
This identifier will provide the link to agency budget materials.
Also, for each POA&M for which there is an associated capital
asset plan, agencies must also provide the security costs reported
on the Exhibit 53 (3).
On all POA&Ms
which reflect estimated resource needs for correcting reported
weaknesses, agencies must specify whether funds will come from
a reallocation of base resources or a request for new funding.
While the POA&Ms will not be used as agency funding requests
by OMB, a brief rationale should be provided when a request for
new funding is contemplated.
Are there
special considerations for POA&Ms for national security systems
or DOD mission critical systems?
Yes. Due to their
special sensitivity and the unique way they are addressed in the
Security Act, reporting weaknesses in national security systems
as well as certain systems under the control of the Department
of Defense and Intelligence Community is being addressed differently
than for other systems. Although we certainly suggest that agencies
document corrective plans of action for their own use, we are
not prescribing a particular format. Prior to reporting such corrective
action plans to OMB, we request that you consult with us so that
we can make appropriate arrangements as to level of detail and
sensitivity of what you should report. We have made special arrangements
with the Department of Defense and could adapt that procedure
for the use of other agencies in reporting on national security
systems.
What format
should an agency use to create a POA&M?
Agencies should use
the attached spreadsheet-type format for the initial POA&Ms.
At a minimum, agency POA&Ms must contain the information found
on the attached spreadsheet. Each program and system where a weakness
was identified should have its own POA&M.
Because the information
in these plans will likely be sensitive, agencies should submit
POA&Ms to OMB on diskette as a Microsoft Excel spreadsheet.
Please notify Kamela White in OMB if you would like to use a different
submission mechanism.
What format
should be used for the quarterly status updates?
OMB is not prescribing
a specific format for the status updates only that the agency
CIO provide the following information: 1) The total number
of weaknesses identified on the original POA&Ms; 2) the
number of weaknesses for which corrective action was completed
on time (including testing); 3) the number of weaknesses
for which corrective action is ongoing and is on track to complete
as originally scheduled; 4) the number of weaknesses for
which corrective action has been delayed including a brief explanation
for the delay; and 5) the number of new weaknesses discovered
following the last POA&M or status update and a brief description
of how they were identified.
What level
of detail and sensitivity should the POA&Ms include?
Sensitive descriptions
of specific weaknesses are not necessary, but sufficient data
is necessary to permit oversight and tracking. For example, to
the maximum extent practicable agencies should use the types of
descriptions commonly found in reports of the General Accounting
Office and Inspectors General such as "inadequate password controls,"
"insufficient or inconsistent data integrity controls," "inadequate
firewall configuration reviews," "background investigations not
been performed prior to system access," "physical access controls
are insufficient," etc. Where it is necessary to provide more
sensitive data, the POA&M should note the fact of its special
sensitivity.
What security
precautions is OMB taking to adequately protect the POA&Ms?
Aggregated unclassified
POA&Ms in electronic form will be maintained on a stand alone
desktop PC with password controlled access. Access to aggregated
data will be available to the appropriate OMB employees.
POA&M
Instructions
The following instructions
explain how the POA&M should be completed. Attached is one
example POA&M for a program and one for a system. Each illustrates
the appropriate level of detail required. Once an agency has completed
the initial POA&M, no changes should be made to the data in
columns 1, 5, 6, and 7. The heading of each POA&M should include
the unique project identifier from the exhibits 300 and 53, where
applicable. (4)
Column 1 -- Type of
weakness. Describe weaknesses identified by the annual program
review, IG independent evaluation or any other work done by or
on behalf of the agency. Sensitive descriptions of specific weaknesses
are not necessary, but sufficient data must be provided to permit
oversight and tracking. Where it is necessary to provide more
sensitive data, the POA&M should note the fact of its special
sensitivity. Where more than one weakness has been identified,
agencies should number each individual weakness as shown in the
examples.
Column 2 -- Identity
of the office or organization that the agency head will hold responsible
for resolving the weakness.
Column 3 -- Estimated
funding resources required to resolve the weakness. Include the
anticipated source of funding, i.e., within the system or as a
part of a cross-cutting security infrastructure program. Include
whether a reallocation of base resources or a request for new
funding is anticipated. This column should also identify other,
non-funding, obstacles and challenges to resolving the weakness,
e.g., lack of personnel or expertise, development of new system
to replace insecure legacy system, etc.
Column 4 -- Scheduled
completion date for resolving the weakness. Please note that the
initial date entered should not be changed. If a weakness is resolved
before or after the originally scheduled completion date, the
agency should note the actual completion date in Column 9, "Status."
Column 5 -- Key milestones
with completion dates. A milestone will identify specific requirements
to correct an identified weakness. Please note that the initial
milestones and completion dates should not be altered. If there
are changes to any of the milestones the agency should note them
in the Column 7, "Changes to Milestones."
Column 6 -- Milestone
changes. This column would include new completion dates for the
particular milestone. See example.
Column 7 -- The agency
should identify the source (e.g. program review, IG audit, GAO
audit, etc.) of the weakness. Weaknesses that have been identified
as a material weakness, significant deficiency, or other reportable
condition in the latest agency Inspector General audit under other
applicable law, e.g., financial system audit under the Financial
Management Integrity Act, etc. If yes is reported, also identify
and cite the language from the pertinent audit report.
Column 8 -- Status.
The agency should use one of the following terms to report status
of corrective actions: Ongoing or completed. "Completed" should
be used only when a weakness has been fully resolved and the corrective
action has been tested. Include the date of completion. See example.
Sample
Agency or Program-level Plan of Action and Milestones
Agency,
Component, and Program Name -- Department of Good Works, Major
Service Administration
| Weaknesses
|
POC |
Resources
Required |
Scheduled
Completion Date |
Milestones
with Completion Dates |
Changes
to Milestones |
Identified
in CFO Audit or other review? |
Status |
| 1--
No program-level security program/plan |
Program
office and agency CIO |
None |
3/1/02 |
Draft
plan prepared and circulated for user input -- 11/30/01 |
|
Yes--5/17/01
report |
Ongoing |
| |
|
|
|
Comments
reviewed, final draft to Administrator for approval and publication
-- 3/1/02 |
|
|
|
| 2
-- No documented program to report external security incidents
to law enforcement and GSA |
Program
office and agency CIO |
None |
10/31/01 |
Consult
with agency IG, FBI/NIPC, and GSA - 10/15/01 |
|
|
Completed |
| |
|
|
|
Procedures
published, employees trained
10/30/01
|
|
|
|
| 3
-- No documentation for data sensitivity levels -- thus cannot
document acceptable risk and security needs |
Program
office and agency CIO |
Minimal |
1/30/02 |
Review
enterprise architecture (process and data layers) to define
and categorize data type and sensitivity -- 12/1/01 |
|
|
Ongoing |
| |
|
|
|
Identify
acceptable risk for each level, identify protection needs,
document, publish, and implement -- 1/30/02 |
|
|
|
| 4
-- Security not integrated w/capital planning. Not shown in
exhibits 300 & 53 |
Agency
CIO |
Minimal |
1/30/02 |
Review
and update all program exhibits 300 & 53 |
|
|
Ongoing |
Sample
System-level Security Plan of Action and Milestones
Cite unique project
ID and name shown on exhibit 300 and security costs from exhibit
53. If no 300 or 53 cite name only:
Project
ID = Project name =
Security costs =
| Weaknesses |
POC |
Resources
Required |
Scheduled
Completion Date |
Milestones
with Completion Dates |
Milestone
Changes |
Identified
in CFO Audit or other review? |
Status |
| 1 --
Password controls improperly configured and not tested |
Program
office |
None |
10/1/01 |
Reconfigure
and test password controls -- 10/1/01 |
|
Yes |
Completed |
| 2 --
Security plan is out of date, more than one year since last
update despite new interconnections |
Program
office |
None |
11/30/01 |
Update
plan and obtain independent review -- 11/30/01 |
|
No |
Ongoing |
| 3 --
No written management authorization prior to system operations |
Program
office & Agency CIO |
None |
12/30/01 |
Complete
certification and accreditation procedures per up-to-date
security plan and NIST guidance. Obtain written auth -- 12/15/01 |
|
Yes |
Ongoing |
| 4 --
System is contractor operated and contract does not include
FAR security and privacy clause nor are contractor practices
evaluated by agency |
Program
office, contracting officer, and agency CIO |
None |
1/30/02 |
Identify
specific security requirements, including for contractor personnel,
and revise contract accordingly -- 1/30/02 |
|
No |
Ongoing |
| 5 --
System vulnerabilities have not been periodically tested as
specified in OMB policy and Security Act |
Program
office and agency CIO |
Moderate |
1/15/02 |
Arrange
for system vulnerability testing -- 10/15/01 |
|
Yes |
Ongoing |
| |
|
|
|
Identify
from test report, additional required security controls --
11/15/01 |
|
|
|
| |
|
|
|
Implement
and test new security controls and schedule retest -- 1/15/02 |
|
|
|
| 6 --
Life cycle system costs not incorporated into system funding |
Program
office and agency CIO |
None |
10/30/01 |
Identify
costs. Update Exh. 300 & 53. Reallocate funds from lower
system priorities -- 10/30/01 |
|
|
|
1.
Please see OMB M-01-24 of June 22, 2001, "Reporting
Instructions for the Government Information Security Reform Act."
2.
OMB Circular A-11 requires that agencies develop
capital asset plans for all capital asset acquisition projects
and report to OMB, via an exhibit 300, those plans for all major
acquisitions. For information technology projects, plans for both
major and significant projects must be reported to OMB. Agencies
assign a unique identifier to each project and apply it to the
exhibit 300 and 53.
3.
OMB Circular A-11 requires that agencies report
via an exhibit 53, an estimated percentage of the total investment
for associated IT security costs.
4.
OMB Circular A-11 requires that agencies develop
and submit to OMB capital asset plans (exhibit 300) for major
acquisition projects. For information technology projects, plans
for both major and significant projects must be reported to OMB
on an exhibit 300 and 53. The agency assigns a unique identifier
to each project and applies it to both exhibits.