Hello and welcome to the NIST 800-171 Learning Path. My name is Dave Hatter, I'm your instructor for this class, and this is Course 5: Create a plan of actions and milestones, otherwise known as a POAM. In this course, we'll do an overview of the plan of actions and milestones. We'll take a look at creating a POAM using an Excel template. Let's jump right in.

What is a POAM? Well, per NIST 800-18 R1, it's, quote, "A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones." Again, this is giving you some guidance here on what you need in your POAM. Remember, the POAM is there to outline how you're going to meet the requirements that you haven't satisfied yet. It outlines how and when your company plans to meet the requirements that you haven't yet satisfied. The milestones should include estimated completion dates to demonstrate you're serious about fixing deficiencies. You can use this to manage the implementation of the controls that you need to satisfy any unsatisfied requirements of NIST 800-171. Like the system security plan, it does require a certain level of IT knowledge.

If we look at our next slide here, why do we need a POAM? Well, it's actually required by NIST 800-171 in requirement 3.12.2, which is: develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Again, it's actually one of the specific requirements of NIST 800-171 that you have a plan of actions and milestones. Again, this is your plan for how you're going to satisfy the unsatisfied requirements of 800-171. Again, I like to refer back to 800-171 A, so you can see exactly what NIST is saying about these things.
You can see in the assessment objectives for your POAM: 3.12.2 a, deficiencies and vulnerabilities to be addressed by the plan of action are identified; 3.12.2 b, a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; 3.12.2 c, the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. Again, they're telling you what you need to do with your plan of action and milestones. They don't tell you exactly how to do it, but they're giving you some guidance here. That's why I like 800-171 A for guidance on how to meet each of the requirements. As you think about how to create your plan of action and milestones, make sure you take these into account.

Then you can see there the potential assessment methods and objects. Examine: security assessment and authorization policy; procedures addressing plan of action; system security plan; security assessment plan; security assessment report; security assessment evidence; plan of action; other relevant documents or records. Interview: personnel with plan of action development and implementation responsibilities; personnel with information security responsibilities. And then test: mechanisms for developing, implementing, and maintaining the plan of action. Again, in 800-171 A, they're giving you some guidance about how to go about creating your POAM. It is a requirement directly defined in NIST 800-171. Of course, it could be given to an assessor as part of the assessment process.

Let's talk about creating your POAM. Again, there is no prescribed format, and this doesn't tell you exactly how it has to be structured. They do have a free template. I have a link to it there. I use their template to basically create my own Excel spreadsheet. It's very similar. It's got a few different columns, but because it's in Excel, it's a little easier to work with, a little more flexible, in my opinion.
Then just a reminder to keep the assessment objectives in mind as you work through your POAM. That's everything for this particular video, I will see you in the next video, where we'll actually take a look at creating a POAM. Thanks for watching and see you soon.
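As an added illustration that is not part of the course or the NIST template, the script below reads a POAM kept as a spreadsheet export (column names, requirement rows, resources and dates are all constructed for this example) and checks each entry against the three 3.12.2 assessment objectives discussed above: a deficiency is identified, a plan with resources and dated milestones exists, and no milestone has slipped past its scheduled completion date without being closed.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample export; one row per milestone, grouped by requirement.
# The column names are an assumption, not the NIST template's own layout.
SAMPLE_POAM = """control,weakness,resources,milestone,scheduled_completion,completed_on
3.1.1,Shared admin account on file server,2 admin days,Create named admin accounts,2024-03-01,2024-02-20
3.1.1,Shared admin account on file server,2 admin days,Disable shared account,2024-04-01,
3.5.3,MFA not enforced for remote access,MFA licences; 1 week,Pilot MFA with IT staff,2024-02-15,
3.13.11,,,,,
"""
REVIEW_DATE = date(2024, 3, 15)  # constructed "today" for the review

def load_poam(text):
    """Group rows into {control: {weakness, resources, milestones: [...]}}."""
    items = {}
    for row in csv.DictReader(StringIO(text)):
        item = items.setdefault(row["control"], {
            "weakness": row["weakness"], "resources": row["resources"], "milestones": []})
        if row["milestone"]:
            item["milestones"].append({
                "description": row["milestone"],
                "due": date.fromisoformat(row["scheduled_completion"]),
                "done": date.fromisoformat(row["completed_on"]) if row["completed_on"] else None,
            })
    return items

def check_item(item, today):
    """Return findings keyed to the 3.12.2 objectives; empty list means the entry is healthy."""
    findings = []
    if not item["weakness"].strip():                       # objective a: deficiency identified
        findings.append("3.12.2a: deficiency not identified")
    if not item["resources"].strip() or not item["milestones"]:  # objective b: plan developed
        findings.append("3.12.2b: no plan (resources and dated milestones) developed")
    for m in item["milestones"]:                           # objective c: plan being implemented
        if m["done"] is None and m["due"] < today:
            findings.append(f"3.12.2c: overdue milestone: {m['description']}")
    return findings

def check_poam(text, today):
    """Map every requirement in the export to its list of findings."""
    return {control: check_item(item, today) for control, item in load_poam(text).items()}

if __name__ == "__main__":
    for control, findings in check_poam(SAMPLE_POAM, REVIEW_DATE).items():
        print(control, findings or "OK")
```

Running it on the sample flags 3.5.3 for a milestone that slipped without being closed and 3.13.11 for a row with no deficiency or plan recorded, while 3.1.1 passes because its open milestone is still within its scheduled date.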