Overview

Plans of Action and Milestones (POA&M) are used in many different regulatory environments to document what is necessary to achieve or improve an organization’s compliance level.

POA&Ms are available in the IT Audit Machine as a type of Form with some advanced automation.

Before the IT Audit Machine can generate POA&M reports, an Administrator must configure the form to generate the appropriate reports from a template.

This guide section will cover the steps needed to configure the POA&M reports in an ITAM instance and examine how an Administrator can interact with a POA&M form.

Associating POA&M form with a Template

First, find and expand the Plan of Action and Milestones (POA&M) form in the Form Manager and click the Edit icon.

This will bring up the Form Builder tool.

On the right-hand side of the Form Builder, select the Form Properties tab in the toolbox. Select the Show More Options link at the bottom of the Form Properties.

Scroll down through the additional options presented until you find the Template Options. Make sure only the Enable Uploading Templates option is selected. Upload the POA&M template you will use to generate the POA&Ms from the system by clicking Upload Files and selecting the template file from your system.

Note: A default template can be requested from Continuum GRC.

Once the template is uploaded, click the Save or Sync and Save button to save the changes.

Adding Logic for Auto-Generating POA&M Reports

Next, in the Form Manager, expand the Plan of Action and Milestones (POA&M) form again and click the Logic icon.

This will bring up the Form Logic interface for the POA&M form. Find the option to enable Rules to generate POAM reports and check the box next to the text. This will bring up the ability to select where the POA&Ms will go. Set entries where the POA&M Current Status field is Open to go into the OPEN tab, and the entries where it is Closed to go into the CLOSED tab.

Once the logic for both the OPEN and the CLOSED tabs is set, it should look similar.

Once both logic sets have been defined, click the Save Settings button to save the changes. ITAM is now ready to generate POA&M forms for your organization.

Working with POA&M forms

Adding POA&M Entries

Warning: POA&M entries added by an Admin will be separate from entries added by users and will create a separate POA&M report

As an Administrator, you may not add entries for the POA&M associated with a particular entity. Instead, entries created by an Administrator will become a separate POA&M.

Navigate to the Form Manager interface and locate the Plan of Action and Milestones (POA&M) form. Expand the form and click on the Edit button.

Input the data for the POA&M entry. Once satisfied with your entry, click the Submit button to save your entry. This will save the entry and generate a POA&M based on the current entries.

Continue entering your POA&M entries until you have completed the entries you desire to join.

Editing POA&M Entries

POA&M Entries are edited like any other Form. As an Administrator, you can edit your entries and the entries created by users. This allows an Administrator to facilitate the updating of an existing POA&M.

The easiest way to edit a POA&M is to use the Entries icon located above the POA&M form. To expand the Plan of Action and Milestones (POA&M) form, select it and click on the View button.

This will display the Admin view of the existing entries for the form.

Click on the entry you wish to edit and click the Edit Entry Data button to pull up the form populated with the data for that entry. Make the desired edits and Submit the form to save the changes.

Viewing POA&M Reports

POA&M Reports are generated every time an entry is submitted. Select the latest report associated with the most recently updated entry. Click on the link to download a zip file containing the report.

The report is also available from the Entry Detail page for any entry.