![]() If the weakness that is identified is reportable to the OIG, include the specific language and/or law from the pertinent audit report. Identified in C&A evaluation or other review? State how the weakness was identified (e.g., Security Assessment Report, OIG audit, GAO audit, etc.). Milestones with Completion Dates Identify specific requirements to correct the weakness and include completion dates. If a weakness is resolved before or after the projected completion date, you should show the actual completion date in the status column. Typically the projected completion date cannot be changed. ![]() Projected Completion Date Identify the date for resolving the weakness. To determine resource costs for employees, use the latest agency average salary and benefit hourly rate, then multiply the rate by the number of hours. ![]() This column should also identify other nonfunding obstacles and challenges to resolving the weakness (e.g., lack of personnel or expertise, development of new system to replace insecure legacy system, etc.). Include whether a reallocation of base resources or a request for new funding is anticipated. Include the anticipated source of funding (e.g., within the department or as a part of a cross-cutting security infrastructure program). Resources Required List the estimated funding and resources required to resolve the weakness. POC Include contact information for the office and/or organization that the agency will hold responsible for resolving the weakness. Weakness Include a description of the weakness identified by the annual program review, OIG, or GAO audit. A unique number used by the organization to track mitigation activities. You should make sure the following information is included in each POA&M: ▪ A POA&M is typically put together in tabular format and includes information about the cited weakness or vulnerability, milestones, and cost.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |