It’s OK if a Requirement isn’t Implemented yet
Don’t be surprised if you find you haven’t implemented several requirements as you perform your initial assessment. The government understands that your environment may not meet its expectations immediately. This is OK, as long as you have a plan to correct your issues. The POA&Ms View allows you to document your control deficiencies and the steps you intend to take to remediate those deficiencies.
When you mark a control as Not Implemented in the Control View, you’ll be presented with the ‘Create POA&M’ button.
Clicking Create will take you to the POA&Ms Detail view. In the Noncompliance section, you’ll need to provide the details of the deficiency and the milestone actions you plan on taking to bring your environment in line with the requirements of the control. Be specific about your problems and your plan to fix them.
As you progress through documenting your POA&Ms, you should update the status of each POA&M by clicking the gear icon in the POA&Ms Status section.
Once you’ve completed your updates, clicking POA&Ms in the Navigation Menu will take you to the POA&Ms View. The POA&Ms Plans section of this view presents you with all existing POA&Ms and their statuses.
If you return to a Not Implemented control through the Assessment View, you will see that the Control Completion section has been updated to reflect the newly created POA&M. A View button is also added to the Control Status section.
Details of each POA&M are included in the System Security Plan generated at the end of the assessment.