The Federal Risk and Authorization Management Program has added two new columns to the Plan of Actions and Milestones template to help agency partners track findings related to the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 and related common vulnerabilities and exposures.
FedRAMP said Tuesday Column AC should be used to monitor the due date of any BOD 22-01 vulnerability, while Column AD should be utilized to determine whether a CVE is associated with vulnerabilities listed on the POA&M line item.
The columns should be left blank in the event that providers found no association between BOD 22-01 findings or CVE and those listed on the POA&M line item.
According to the POA&M completion guide, the POA&M is a key document in the security authorization package and helps identify a system’s security deficiencies and weaknesses and outlines the specific measures a cloud service provider will take to address such lapses.
