Update to the Plan of Actions and Milestones Template
FedRAMP updated the Plan of Actions and Milestones (POA&M) template to include two new columns. The additional columns were added at the behest of agency partners to help them track Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22-01 findings, and the associated Common Vulnerabilities and Exposures (CVEs).
- Column ‘AC’, titled ‘Binding Operational Directive 22-01 Due Date’, should be used to track the due date of any BOD 22-01 vulnerability, as that due date appears in the CISA Known Exploited Vulnerabilities Catalog. If the POA&M line item is not associated with any BOD 22-01 vulnerability, this cell should be left blank.
- Column ‘AD’, titled ‘CVE’, should now be used to track the CVEs associated with the vulnerabilities listed on that POA&M line item (if applicable). If there are no CVEs associated with that vulnerability, this cell should be left blank.
These columns can be found at the end of the current template headers in Row Five.
For more guidance around the purpose and requirements of the POA&M, please review the FedRAMP Plan of Actions and Milestones Completion Guide.