Plan of Action and Milestones
Security Assessment and Authorization Policy for 18F
18F has developed a plan of action and milestones (POA&M) for the information system which documents the remediation actions to correct weaknesses found or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
The majority of vulnerabilities are found during continuous monitoring activities, including monthly vulnerability scanning, updates to cloud.gov system components, static code analysis on applications and infrastructure, and system monitoring tools. The 18F ISSOs are tasked with developing plans of action and milestones for valid findings and vulnerabilities. The devops administrators are tasked with mitigating high findings within 30 days, moderate findings within 60 days and low findings within 120 days.
The 18F ISSOs update the cloud.gov plan of action and milestones at least monthly based on the findings from security controls assessments, security impact analysis, and continuous monitoring activities.
Covered By: