Are there special considerations for POA&Ms for national security systems or DOD mission critical systems?
Yes. Due to their special sensitivity and the unique way they are addressed in the Security Act, reporting weaknesses in national security systems as well as certain systems under the control of the Department of Defense and Intelligence Community is being addressed differently than for other systems. Although we certainly suggest that agencies document corrective plans of action for their own use, we are not prescribing a particular format. Prior to reporting such corrective action plans to OMB, we request that you consult with us so that we can make appropriate arrangements as to level of detail and sensitivity of what you should report. We have made special arrangements with the Department of Defense and could adapt that procedure for the use of other agencies in reporting on national security systems. What format should an agency use to create a POA&M? Agencies should use the attached spreadsheet-type format for the initial POA&Ms. At a minimum, agency POA&Ms must contain the infor
