Everything that you need to know about POAM
The purpose of the POAM is to make risk assessment and mitigation for cloud-based programs as systematic as possible. It exists to identify existing risks, continuously monitor for new risks, correct or resolve risks, and much more. The document has to follow the processes detailed below:
- Identify the security categorization (whether it is low risk, moderate, or high)
- List weaknesses in security controls
- Assess the impact of weaknesses
- Detail the impact of each weakness on the system and environment
- Propose a solution that works around the weakness
- Detail the current progress in solving said weakness.
The CSP (cloud service provider) may find weaknesses during initial testing, while carrying out periodic security control assessments, or during the continuous monitoring process. The CSP updates the document regularly as remediation progresses, typically submitting updates each month to stay on track. The POAM must also identify the milestones related to each weakness and give a schedule for reaching them; the template allows ‘open’ items to be created and then moved to ‘closed’ once they are finally resolved.
A cloud service provider usually maintains the POAM as an Excel spreadsheet, but spreadsheet data is difficult for other programs to process reliably. Structured formats such as XML, JSON, and YAML represent the data better, but the structure must be followed strictly so that those formats can hold the data correctly.
Security Categorization
The ‘security impact levels’ of the data used will suggest a specific categorization, with the highest possible impact level taking center stage. If the system does have high-impact functionality, then the categorization will be determined as ‘high’, and the categorization itself can affect what is deemed an important weakness as well as how urgent the need for a resolution may be. It also identifies what cloud infrastructures might be able to provide you with acceptable security.
Security Levels Explained
- Low – suggests that a breach will have a limited negative impact, causing minor inconvenience but most likely not major harm.
- Moderate – may cause serious harm as a result of the loss of data availability, confidentiality, or integrity. Said harm may include significant financial loss but not life-threatening harm to individuals.
- High – such a breach could cause extreme or even catastrophic harm, with the potential for major damage to assets and danger to human life. A high security impact facility may be a power grid or a military research facility.
A CSP that can accommodate moderate and high levels will be able to compete for a greater number of contracts, but it also takes on the responsibility that comes with them: failing to live up to those levels has very serious consequences. A cloud service provider that takes on such contracts must have solid practices, and its SSP and POAM need to reflect that commitment and skill.
Preparing the Document
To explain briefly, there will be two separate worksheets. One will be used for open items, whereas the other will be used for closed items. Each worksheet begins with a header information description (HID), which provides the reader and system with general information, including:
- Vendor name
- System name
- Impact level
- Date of last update
The rest of each worksheet will include either the open items for the first worksheet, or the closed items for the second.
Each item is then described in more detail, as set out in the Template Completion Guide, including:
- Brief description of the weakness
- Which FedRAMP security control has been affected
- The risk rating
- The name of the individual responsible for managing the item
- Any dependencies or goals set
- Any supporting documents that may be useful
- Dates relevant to the system
The ‘open items’ worksheet covers three categories of vulnerabilities, distinguished by how they were identified: through vulnerability scanning tools, through deviation requests made by the CSP, or by other means (for example, through penetration testing). You must follow the strict instructions and requirements that FedRAMP has set for vulnerability scans and penetration testing, as these are mandatory inputs to the POAM.
Items can be transferred from ‘open’ to ‘closed’ either when mitigation is complete or when the item has been declared a false positive. The mitigation has to be verified by a third-party assessment organization (3PAO), and any risk adjustments and false positives need a deviation request form before they can be entered into the POAM.
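The structure described in the last two sections (a header block, an open worksheet and a closed worksheet, and the rules for moving an item between them) is small enough to model directly in the structured formats mentioned earlier. The following Python is an added illustration written for this page; it is not FedRAMP's template or any CSP's tooling. Vendor, system, control identifiers, deviation request numbers and dates in it are constructed placeholders, and the field names, the `categorize` high-water-mark helper, and the rule that a deviation-request-sourced item must carry its form on entry are this example's own assumptions about how the text's requirements would be encoded.

```python
"""Constructed, minimal POA&M model: header, open/closed worksheets, and the
open-to-closed transition rules (3PAO-verified mitigation or a false positive
backed by a deviation request). Not FedRAMP's template."""
from dataclasses import dataclass, field, asdict
from typing import Optional
import json

LEVELS = ("low", "moderate", "high")
SOURCES = ("scan", "deviation_request", "pentest")   # the three categories of open items


def categorize(impact_levels):
    """High-water mark: the highest impact level present sets the system's categorization."""
    return LEVELS[max(LEVELS.index(lvl.lower()) for lvl in impact_levels)]


@dataclass
class Item:
    item_id: str
    weakness: str                  # brief description of the weakness
    control: str                   # affected FedRAMP security control (placeholder ids in demo)
    risk_rating: str               # low / moderate / high
    owner: str                     # individual responsible for the item
    source: str                    # one of SOURCES
    detected_on: str               # ISO date strings keep the record JSON/YAML-friendly
    scheduled_completion: str
    milestones: list = field(default_factory=list)        # dependencies / goals
    supporting_docs: list = field(default_factory=list)
    status: str = "open"
    closed_on: Optional[str] = None
    closed_reason: Optional[str] = None

    def validate(self):
        """Return a list of problems; an empty list means the entry is complete."""
        problems = [f"{self.item_id}: missing {name}"
                    for name in ("weakness", "control", "owner", "detected_on", "scheduled_completion")
                    if not getattr(self, name)]
        if self.risk_rating.lower() not in LEVELS:
            problems.append(f"{self.item_id}: bad risk rating {self.risk_rating!r}")
        if self.source not in SOURCES:
            problems.append(f"{self.item_id}: unknown source {self.source!r}")
        return problems


class POAM:
    def __init__(self, vendor_name, system_name, impact_level, last_updated):
        # Header information description shared by both worksheets
        self.header = {"vendor_name": vendor_name, "system_name": system_name,
                       "impact_level": impact_level, "last_updated": last_updated}
        self.open, self.closed = [], []

    def add_open(self, item, deviation_request=None):
        """Assumption: an item arising from a deviation request must carry the form on entry."""
        if item.source == "deviation_request" and not deviation_request:
            raise ValueError(f"{item.item_id}: deviation request form required")
        if deviation_request:
            item.supporting_docs.append(deviation_request)
        self.open.append(item)

    def close(self, item_id, reason, on, verified_by_3pao=False, deviation_request=None):
        """Move an item to the closed worksheet, enforcing the closure rules from the text."""
        if reason == "mitigated" and not verified_by_3pao:
            raise ValueError(f"{item_id}: mitigation not yet verified by a 3PAO")
        if reason == "false_positive" and not deviation_request:
            raise ValueError(f"{item_id}: false positive requires a deviation request")
        if reason not in ("mitigated", "false_positive"):
            raise ValueError(f"{item_id}: unknown closure reason {reason!r}")
        matches = [i for i in self.open if i.item_id == item_id]
        if not matches:
            raise KeyError(f"{item_id}: not an open item")
        item = matches[0]
        if deviation_request:
            item.supporting_docs.append(deviation_request)
        item.status, item.closed_on, item.closed_reason = "closed", on, reason
        self.open.remove(item)
        self.closed.append(item)
        self.header["last_updated"] = on      # every change bumps the header date
        return item

    def validate(self):
        return [p for i in self.open + self.closed for p in i.validate()]

    def to_json(self):
        """Serialise both worksheets; the same dict feeds a YAML or XML emitter equally well."""
        return json.dumps({"header": self.header,
                           "open_items": [asdict(i) for i in self.open],
                           "closed_items": [asdict(i) for i in self.closed]}, indent=2)


def demo():
    """Constructed sample data: placeholder vendor, system, control ids, DR number and dates."""
    poam = POAM("Example CSP (placeholder)", "Example SaaS (placeholder)",
                categorize(["low", "moderate", "low"]), "2024-01-05")
    poam.add_open(Item("V-001", "Outdated TLS configuration on edge proxy", "SC-8 (placeholder)",
                       "moderate", "J. Doe", "scan", "2024-01-05", "2024-02-15",
                       milestones=["Patch staging", "Patch production"]))
    poam.add_open(Item("V-002", "Scanner flagged a debug endpoint that is not exposed",
                       "CM-7 (placeholder)", "low", "A. Smith", "scan", "2024-01-05", "2024-01-31"))
    poam.close("V-002", "false_positive", "2024-01-20", deviation_request="DR-0001 (placeholder)")
    poam.close("V-001", "mitigated", "2024-02-10", verified_by_3pao=True)
    return poam


if __name__ == "__main__":
    print(demo().to_json())
```

The point of the two `raise` checks in `close` is that the record itself refuses an illegal transition: an item cannot reach the closed worksheet on the CSP's word alone, which is exactly the gap a 3PAO verification or a deviation request form is meant to fill.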