The following diagram illustrates the overall RSA Archer POA&M Management process.
Task 1: Document the Risk
When risks are discovered within your organization, you must first determine whether the risk can be remediated. Findings that can be remediated are documented in a Plan of Action & Milestones (POA&M) record. Findings that cannot be remediated can be accepted through a Risk Acceptance Request, also known as a Risk-Based Decision (RBD).
- To document POA&Ms, see Creating POA&Ms.
- To document milestones, see Creating Milestones.
- To create a risk acceptance request, see Creating Risk Acceptance Requests (RBD).
Task 2: Complete Reviews
Findings that are handled using a POA&M go through two levels of approval. The POA&M draft is first reviewed by the submitter's supervisor, who has the option of approving or rejecting the record. If the POA&M is rejected, the submitter must make the necessary updates and resubmit it for review. Once the POA&M is approved, all associated milestones and tasks must be completed before the POA&M can be submitted for the final review. The final review is completed by the Authorizing Official, who has the option of approving the record or rejecting it back to the submitter.
To submit a POA&M for review, see the following:
To review a POA&M, see the following:
Findings that cannot be remediated must be documented as a risk acceptance request and then submitted to the Authorizing Official for review. The Authorizing Official has the option of approving, denying, or rejecting the request.
To submit a risk acceptance request, see Submit Risk Acceptance Request for Review.
To review a risk acceptance request, see Review the Risk Acceptance Request.
RSA Archer 6.5