Using the results of a Security Test and Evaluation we performed for the U.S. Department of Health and Human Services (HHS), along with input from HHS administrators and management, TDI prepared a plan of action and milestones (POA&M). TDI's POA&Ms are designed to facilitate review, analysis, and decision making for performance improvement in implementing corrective actions. TDI ensured that our POA&M could serve as a baseline against which HHS measures its progress in the area of IT security.
TDI developed the HHS POA&M to describe the security measures that were implemented or planned:
- to correct any deficiencies noted during the assessment of security controls in the HHS system; and
- to reduce or eliminate known vulnerabilities in the HHS system.
TDI formatted the POA&M per National Institute of Standards and Technology (NIST) guidelines and included our findings and recommendations. TDI provided HHS with a POA&M that included: security weaknesses pertinent to SSP-MPKI components; schedule tracking of weakness remediation; and the resources required to remediate each weakness.
Using TDI to develop POA&Ms demonstrated that HHS exercised due diligence in addressing its security concerns. Our experience in POA&M development allowed HHS to demonstrate to both its internal auditing body and the U.S. Office of Management and Budget (OMB) that it was adequately identifying, estimating remediation for, and addressing the security vulnerabilities that TDI previously helped to discover. More importantly, our POA&Ms allow HHS to chart a roadmap for improving its security posture.