FISMA Certification and Accreditation Handbook

I don't believe in failure. It is not failure if you enjoyed the process.
Oprah Winfrey
Understanding how to resolve the reported vulnerabilities is the final step in the C&A process.
Whether you receive full Accreditation and an Authority to Operate (ATO), or an Interim Authority to Operate (IATO), you will be required to correct weaknesses related to your security controls. If you were awarded an IATO, there will likely be far more weaknesses that you'll need to correct than if you were awarded an ATO. The weaknesses need to be identified and described in a document known as the Plan of Action & Milestones (POA&M). The POA&M represents the ISSO's to-do list and typically needs to be approved by the evaluation team that evaluated the C&A package before they send in the recommendation for accreditation.
The objective of the POA&M is to have all the vulnerabilities and below-standard security controls identified and listed in one consolidated document. The POA&M is the final output of the certification and accreditation process and is where OIG and GAO are going to look to determine what your plans are to reduce the risks to your systems going forward.
Typically the POA&M is created by the ISSO. However, the ISSO may delegate this task to a staff member or contractor. There should be a separation of duties between whoever develops the POA&M and the folks who will be required to implement the corrective action requirements. Once your POA&M is...