U.S. Department of Health and Human Services
A significant deficiency is defined as a weakness in HHS’s overall information system security program, such as a finding from an IT security risk assessment, a vulnerability found during security control assessment activities within the security authorization, or a weakness discovered during an independent review.
The POA&M report tracks the number of weaknesses identified at the start of the quarter, the number for which action was completed, the number for which action has been delayed (along with a brief explanation), and the number of new weaknesses and how they were identified. It is important to accurately track the weaknesses reported in the POA&M. When the status of a weakness changes, that change must be reflected in the next POA&M quarterly update. The POA&M identifies who is responsible for mitigating each weakness as well as milestone dates for completion.
HHS Policy Significant Deficiency