This repository has been archived by the owner on Jan 24, 2025. It is now read-only.

Milestone Tracking in POA&M

Austin Songer, CISSP edited this page Dec 23, 2024 · 2 revisions

Milestone tracking is the process of monitoring and documenting the progress of planned steps (milestones) toward resolving a POA&M (Plan of Action and Milestones) item. It provides clear visibility into remediation efforts and helps ensure compliance requirements, such as FedRAMP, are met within specified timelines.


Key Concepts in Milestone Tracking

  1. Planned Milestones:
    • Definition: Predefined steps or actions that must be taken to resolve a POA&M item.
    • Examples:
      • Apply a patch to a vulnerable system.
      • Conduct a re-assessment to verify remediation.
      • Deploy a compensating control.
  2. Milestone Changes:
    • Definition: Any updates, delays, or completions made to the planned milestones.
    • Examples:
      • Changing a milestone's completion date due to unforeseen circumstances.
      • Documenting reasons for delays or additional tasks.
  3. Historical Tracking:
    • Milestone updates are recorded over time to provide a clear audit trail of progress and changes.
  4. Completion Status:
    • Indicates whether a milestone is pending, in progress, or completed.

How Milestone Tracking Works in the POA&M App

1. Database Model

The POAM database model includes fields to track planned milestones and milestone changes:

from flask_sqlalchemy import SQLAlchemy

db = SQLAlchemy()  # assumed: the app's SQLAlchemy instance, initialised against the Flask app elsewhere

class POAM(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    weakness_name = db.Column(db.String(255), nullable=False)
    planned_milestones = db.Column(db.Text, nullable=True)  # Planned steps to resolve the POA&M item
    milestone_changes = db.Column(db.Text, nullable=True)  # Updates or changes to milestones (append-only, one dated line per change)
    status_date = db.Column(db.DateTime, nullable=True)  # Last date when milestones were updated
    completion_date = db.Column(db.DateTime, nullable=True)  # Scheduled or actual completion date

2. UI for Milestone Management

The web interface includes:

  • Planned Milestones: A text area where users can view or edit the initial milestones.
  • Milestone Changes: A log or field where updates, delays, and completions are recorded.
  • Status Date: Automatically updated when milestones are changed.

3. Milestone Update Logic

Add or Update Planned Milestones

from datetime import datetime

def update_planned_milestones(poam_id, new_milestones):
    """
    Update the planned milestones for a POA&M item.
    Returns the updated POAM row, or None if no item has that id.
    """
    poam_item = POAM.query.get(poam_id)
    if not poam_item:
        return None

    poam_item.planned_milestones = new_milestones
    poam_item.status_date = datetime.now()  # Update the status date
    db.session.commit()
    return poam_item

Log Milestone Changes

def update_milestone_changes(poam_id, milestone_update):
    """
    Append a dated change entry ("YYYY-MM-DD - <update>") to the milestone
    change log of a POA&M item. Earlier entries are never rewritten, so the
    field accumulates the audit trail of progress and delays.
    Returns the updated POAM row, or None if no item has that id.
    """
    poam_item = POAM.query.get(poam_id)
    if not poam_item:
        return None

    entry = f"{datetime.now().strftime('%Y-%m-%d')} - {milestone_update}"
    if poam_item.milestone_changes:
        poam_item.milestone_changes += f"\n{entry}"
    else:
        poam_item.milestone_changes = entry

    poam_item.status_date = datetime.now()  # Update the status date
    db.session.commit()
    return poam_item

API Endpoints for Milestone Tracking

Add or Update Planned Milestones

from flask import request, jsonify

# app = Flask(__name__) is assumed to be created elsewhere in the application.

@app.route('/poam/<int:poam_id>/update-planned-milestones', methods=['POST'])
def update_planned_milestones_endpoint(poam_id):
    """
    API endpoint to update planned milestones for a POA&M item.
    """
    data = request.get_json(silent=True) or {}
    new_milestones = data.get('planned_milestones')
    if not isinstance(new_milestones, str):
        return jsonify({"message": "planned_milestones (string) is required"}), 400

    updated_poam = update_planned_milestones(poam_id, new_milestones)
    if updated_poam:
        return jsonify({"message": "Planned milestones updated successfully", "poam_id": updated_poam.id}), 200
    return jsonify({"message": "POA&M item not found"}), 404

Log Milestone Changes

@app.route('/poam/<int:poam_id>/log-milestone-change', methods=['POST'])
def log_milestone_change(poam_id):
    """
    API endpoint to log changes to milestones for a POA&M item.
    """
    data = request.get_json(silent=True) or {}
    milestone_update = data.get('milestone_update')
    if not isinstance(milestone_update, str) or not milestone_update.strip():
        return jsonify({"message": "milestone_update (non-empty string) is required"}), 400

    updated_poam = update_milestone_changes(poam_id, milestone_update)
    if updated_poam:
        return jsonify({"message": "Milestone changes logged successfully", "poam_id": updated_poam.id}), 200
    return jsonify({"message": "POA&M item not found"}), 404

Example Workflow for Milestone Tracking

  1. Planned Milestones:

    • Initial Entry: When a POA&M item is created, planned milestones are added to the planned_milestones field.

    • Example:

      1. Apply security patch to affected systems.
      2. Conduct vulnerability scan to confirm remediation.
      3. Update documentation and submit for review.
  2. Milestone Updates:

    • As milestones progress, updates are logged in the milestone_changes field.

    • Example Update:

      2024-12-01 - Updated milestone 1: Patch delayed due to testing issues.
      2024-12-05 - Milestone 2 completed successfully.
  3. Completion:

    • When all milestones are completed, the status is updated to "Resolved," and the completion_date is recorded.

Example JSON Payloads

Update Planned Milestones

{
    "planned_milestones": "1. Patch server\n2. Re-test vulnerabilities\n3. Submit remediation report"
}

Log Milestone Changes

{
    "milestone_update": "Milestone 2 updated: Re-test scheduled for 2024-12-10."
}

Example in Excel Export

The Planned Milestones and Milestone Changes are exported into the corresponding columns in the FedRAMP template.

POAM ID | Planned Milestones                | Milestone Changes
1001    | 1. Apply patch to server          | 2024-12-01 - Updated milestone 1: Patch delayed due to testing.
        | 2. Re-scan to confirm remediation | 2024-12-05 - Milestone 2 completed successfully.
1002    | 1. Update password policy         | N/A