Overview
Plans of Action and Milestones, also known as POA&Ms, are a standard method in US government and other high-compliance environments for documenting remediation tasks related to risks in your environment. Simply put, a POA&M is a document that “identifies tasks needing to be accomplished” (https://csrc.nist.gov/glossary/term/POAM), together with all the related data an external auditor needs to review a vulnerability management program.
Many government organizations rely on POA&Ms to manage their process for granting Authorities to Operate (ATOs). For more information on how POA&Ms are used, see how the Centers for Medicare & Medicaid Services (CMS) uses POA&Ms to manage its ATOs: https://security.cms.gov/learn/plan-action-and-milestones-poam
Any FedRAMP organization, or any product that wants to become FedRAMP-certified, is required to use POA&Ms to track its risk remediation process and outcomes. The outcomes are generally rolled up into a Continuous Monitoring (ConMon) report that is shared with Federal auditors (partially shown below).
Supported Versions
Nucleus supports the FedRAMP Revision 5 (v2.1) and FedRAMP Revision 4 (v2.0) POA&M templates.
Usage
Nucleus provides the ability to map and manage POA&Ms within the platform, tied directly to the vulnerability findings generated by your vulnerability scanning tools.
There are 27 distinct fields that must be generated on a continuous basis for every vulnerability in your environment; some of them are shown below from the standard FedRAMP POA&M template.
All of these fields must be managed and reported in either Excel or OSCAL. Nucleus provides the capability within the platform to manage all of the required POA&M fields. An example can be seen on the “Vulnerabilities > Active > Vulnerability Details > Instances > POA&Ms” tab.
As you can see, you can add any of the POA&M fields directly onto a vulnerability, compliance finding, or configuration finding record. This provides three main benefits:
Reduced manual work - POA&Ms are linked directly to the findings, so as new vulnerability data is ingested, the POA&M fields are carried forward. There is no longer any need to copy and paste from an old Excel sheet into a new one.
Automated detection of changes - Because POA&Ms are managed in Nucleus alongside the finding, you can use finding automation to manage parts of your POA&M documentation.
Automatic report generation - Every month, instead of manually compiling an Excel report, you can use all of the compliance work already inside Nucleus and generate the ConMon report directly from Nucleus with minimal edits, letting your team focus on preparing for the conversation instead of worrying about documentation errors.
Automated POA&M Workflows
Several common POA&M actions are required to manage a POA&M, and many of them can be handled by the Automation Workflows in Nucleus. When the POA&M module is enabled, new actions become available in the Automation engine, including actions that populate every single field of a POA&M.
Example: Automatically create a POA&M when SLA is not met
One common example of using a Nucleus automation workflow to automate POA&M management is creating a POA&M when the patch date has passed. You are not required to create a POA&M for certain vulnerabilities until an SLA is missed. In Nucleus, you would configure the workflows as follows to achieve this outcome:
Navigate to “Automation > Finding Processing” and select “+ Add Rule”.
In the match criteria, select the vulnerability severity of the findings where you want to apply these actions.
In this example, let’s use a Severity of Critical.
Navigate to the “Actions” tab and select “Set Due Date”.
Set a due date of 30 days from “now” or from the “discovered date”.
Save the rule.
Optionally, click “Run Now” to apply the rule you just created to all findings already in Nucleus. The rule will also run every time new data is ingested into the platform.
This rule is now complete and sets an SLA patch date for all Critical severity findings.
Create another rule. This rule will apply to findings that are overdue on their due dates and create POA&Ms for them.
Click “+ Add Rule”.
In the match criteria, use “Due Date” = “Overdue”. This selects findings that are past their SLA.
Navigate to the Actions tab and select a POA&M action, such as “Add remediation plan”.
Note: you can select multiple actions in one rule.
Select Save.
You have now configured Nucleus to automatically set the due date for vulnerabilities and then to create POA&Ms automatically when the due date passes on a particular finding. This is one of many examples of how Nucleus automation can help populate POA&Ms.
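The two-rule workflow above, and the automatic Risk Adjustment and False Positive derivations from the field-mapping appendix, as an added illustrative model (not Nucleus code or its API); the finding record, field names and sample data are constructed assumptions, and the due date is taken from the discovered date rather than "now":

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for a Nucleus finding record; field names are assumptions for
# illustration and are not the product's API or export schema.
@dataclass
class Finding:
    name: str
    severity_original: str       # "Severity - Original" from the scanner
    severity_current: str        # "Severity - Current", after any adjustment
    discovered_date: date        # unique-finding discovered_date
    status: str = "Active"
    due_date: "date | None" = None
    poam: dict = field(default_factory=dict)

def rule_set_due_date(f, sla_days=30):
    """Rule 1: Critical findings get a due date 30 days after discovery; an existing date stays."""
    if f.severity_current == "Critical" and f.due_date is None:
        f.due_date = f.discovered_date + timedelta(days=sla_days)
    return f

def rule_create_poam(f, today, plan):
    """Rule 2: overdue findings get POA&M fields; a finding with no due date is never overdue."""
    if f.due_date is None or f.due_date >= today or f.poam:
        return f
    adjusted = f.severity_current != f.severity_original
    f.poam = {
        "remediation_plan": plan,
        "original_detection_date": f.discovered_date.isoformat(),
        "original_risk_rating": f.severity_original,
        "adjusted_risk_rating": f.severity_current if adjusted else None,  # only if adjusted
        "risk_adjustment": adjusted,                     # true only when the ratings differ
        "false_positive": f.status == "False Positive",
    }
    return f

def process(findings, today_iso, plan="Remediation plan pending owner review"):
    """Run both rules in order on every finding, as happens on each data ingest."""
    today = date.fromisoformat(today_iso)
    for f in findings:
        rule_create_poam(rule_set_due_date(f), today, plan)
    return findings

def sample_findings():
    """Constructed sample data: two Criticals, one High, one High raised to Critical."""
    return [
        Finding("web01 openssl", "Critical", "Critical", date(2024, 1, 1)),
        Finding("web02 kernel", "Critical", "Critical", date(2024, 3, 1)),
        Finding("db01 tls config", "High", "High", date(2023, 1, 1)),
        Finding("app01 deserialization", "High", "Critical", date(2023, 12, 1)),
    ]
```

Running `process` again on a later date leaves existing due dates and POA&Ms untouched and only picks up findings that have become overdue since the last ingest.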
Filter by POA&Ms
To see which findings in Nucleus already have POA&Ms, you can search for all findings where a POA&M exists, or you can search by POA&M ID (including your Display ID). To do this:
Navigate to “Vulnerabilities > Active” and select the “Filter” button in the table header.
Use the “POA&M” filter.
You can search for any findings where a POA&M exists, or you can search for specific POA&Ms by using the “is one of” filter option and pasting in a POA&M ID.
Appendix - List of Field Mappings
| POA&M Field | Nucleus Field | Description |
|---|---|---|
| POAM ID | Generated from either the poam_id field or the poam_display_id field | Automatically generated by Nucleus, or taken from the display ID, which can be filled in by the customer |
| Controls | controls | Automatically populated from the scan data |
| Weakness Name | Finding Name | Automatically populated in Nucleus based on the latest scan information |
| Weakness Description | Finding Description | Automatically populated in Nucleus based on the latest scan information |
| Weakness Detector Source | Source | Automatically populated in Nucleus based on the latest scan information |
| Asset Identifier | Asset Name (plus secondary matching information) | Automatically populated in Nucleus based on the latest scan information |
| Point of Contact | Point of Contact | Customer can set this value as part of the POA&M module |
| Resources Required | Resources Required | Customer can set this value as part of the POA&M module |
| Overall Remediation Plan | Remediation Plan | Customer can set this value as part of the POA&M module |
| Original Detection Date | Discovered Date (unique finding level) | Automatically populated in Nucleus based on the latest scan information. This uses the discovered_date of the unique vulnerability finding |
| Scheduled Completion Date | Scheduled Completion Date | Customer can set this value as part of the POA&M module |
| Planned Milestones | Finding Milestones | Customer can set this value as part of the POA&M module |
| Milestone Changes | Milestone Changes | Automatically tracked when users change their milestones in the platform |
| Status Date | Status | Automatically populated in Nucleus when the status of the finding is changed |
| Vendor Dependency | Vendor Dependency | Customer can set this value as part of the POA&M module |
| Last Vendor Check-in Date | Last Check In | Customer can set this value as part of the POA&M module |
| Vendor Dependent Product Name | Vendor Dependent Product | Customer can set this value as part of the POA&M module |
| Original Risk Rating | Severity - Original | Automatically populated in Nucleus based on the latest scan information |
| Adjusted Risk Rating | Severity - Current (only if adjusted) | Automatically populated in Nucleus based on the latest scan information, using any automated or manual severity adjustments to populate this field |
| Risk Adjustment | Risk Adjustment | Set to true automatically if the Original Risk Rating and Adjusted Risk Rating differ |
| False Positive | Finding Status | Automatically set to true if the finding’s status is set to “False Positive” |
| Operational Requirement | Operational Requirement | Customer can set this value as part of the POA&M module |
| Deviation Rationale | Severity Adjustment Comment | Automatically populated from the comment entered when you adjust the severity of the finding in the platform |
| Supporting Documents | Evidence | Automatically populated from the evidence files uploaded to findings in Nucleus |
| Comments | Finding Comments | Automatically populated from comments on the findings in Nucleus |
| Auto-Approve | Auto Approve | Customer can set this value as part of the POA&M module |
| Binding Operational Directive 22-01 Tracking | CISA KEV | Automatically populated based on the Nucleus KEV enrichment |
| CVE | Finding CVEs | Automatically populated from the latest scan information |