POA&M

Plan of Action & Milestones

Tracks identified security weaknesses and the planned remediation activities, responsible parties, and target completion dates for achieving full NIST 800-171 compliance.

Document ID: OCSI-POAM-2026-001
Version: 1.0
Date: April 3, 2026
Owner: Kit E. Floyd, Jr., EVP Operations
Prepared By: OCSI Internal (AI-Assisted) — Not externally validated
SELF-ASSESSMENT — NOT C3PAO CERTIFIED

This POA&M reflects an honest internal audit. Open items represent genuine gaps identified through code review. This has not been validated by a C3PAO or external auditor.

13 Open POA&M Items: The following critical, high, and medium weaknesses have been identified and require remediation before CMMC Level 2 assessment readiness. 5 previous items have been partially addressed (client-side only).
Open Remediation Items (13)
| ID | Weakness | Controls | Risk | Responsible | Target | Status |
|---|---|---|---|---|---|---|
| POAM-001 | Plaintext password exposed in source code. The admin password 'OCSIAdmin2026!' is visible in client-side JavaScript (line 773). SHA-256 hash is computed at runtime from the plaintext; anyone can View Source to see it. | 3.5.2, 3.5.7, 3.5.10, 3.13.8 | CRITICAL | Kit E. Floyd, Jr. | TBD | REOPENED |
| POAM-007 | No multi-factor authentication (MFA). Only single-factor (password) authentication exists. NIST 800-171 requires MFA for network access to privileged and non-privileged accounts (3.5.3). | 3.5.3 | CRITICAL | Kit E. Floyd, Jr. | TBD | Open |
| POAM-008 | All authentication is client-side only. Login, lockout, session management, and audit logging all run in browser JavaScript. Any user can bypass via DevTools (e.g., sessionStorage.setItem('ocsi_admin_auth','true')). No server-side enforcement exists. | 3.1.1, 3.5.2, 3.13.4 | CRITICAL | Kit E. Floyd, Jr. | TBD | Open |
| POAM-009 | No role-based access control (RBAC). Single hardcoded admin account with full access. No individual user accounts, no role engine, no least-privilege enforcement. | 3.1.2, 3.1.4, 3.1.5, 3.1.7 | HIGH | Kit E. Floyd, Jr. | TBD | Open |
| POAM-010 | No data encryption at rest. CUI (candidate PII, client data, clearance info) stored as plaintext JSON in browser localStorage. No AES-256 or any encryption layer. | 3.1.19, 3.8.9, 3.13.16 | HIGH | Kit E. Floyd, Jr. | TBD | Open |
| POAM-011 | No centralized audit logging or SIEM. Audit logs stored in browser localStorage (max 500 entries, no integrity protection, user-deletable). No server-side log forwarding, no SIEM, no tamper-proof retention. | 3.3.1, 3.3.2, 3.3.8, 3.3.9 | HIGH | Kit E. Floyd, Jr. | TBD | Open |
| POAM-012 | Shared hosting environment (GoDaddy). CUI-handling system runs on shared Apache hosting with no dedicated infrastructure isolation, no FedRAMP authorization, no dedicated firewalls. | 3.13.1, 3.13.2, 3.13.5 | HIGH | Kit E. Floyd, Jr. | TBD | Open |
| POAM-013 | CSP allows unsafe-inline scripts. Content Security Policy includes 'unsafe-inline' for script-src because all application JS is inline. This undermines XSS protection. | 3.13.8, 3.14.2 | MEDIUM | Kit E. Floyd, Jr. | TBD | Open |
| POAM-014 | No password complexity enforcement. No minimum length, complexity regex, or character-class requirements. Single hardcoded credential with no ability to change passwords. | 3.5.7, 3.5.8, 3.5.9 | MEDIUM | Kit E. Floyd, Jr. | TBD | Open |
| POAM-015 | No security awareness training program. No training system, no completion tracking, no insider threat awareness program, no role-based training. | 3.2.1, 3.2.2, 3.2.3 | MEDIUM | Sandra O. Floyd | TBD | Open |
| POAM-016 | No vulnerability scanning or penetration testing program. No scheduled scans, no pen-test results, no remediation tracking from scan findings. | 3.11.2, 3.11.3 | MEDIUM | Kit E. Floyd, Jr. | TBD | Open |
| POAM-017 | SHA-256 used for password hashing. SHA-256 is a fast cryptographic hash, not a password hash. Industry standard requires bcrypt, Argon2, or PBKDF2 with sufficient iterations. | 3.13.11 | MEDIUM | Kit E. Floyd, Jr. | TBD | Open |
| POAM-018 | No incident response testing. IR plan exists on paper but has never been exercised. No tabletop exercises, no simulation tests, no after-action reports. | 3.6.3 | MEDIUM | Kit E. Floyd, Jr. | TBD | Open |
| POAM-019 | Audit log retention insufficient. Logs capped at 500 entries with oldest dropped. No long-term retention. Stored in user-clearable localStorage. | 3.3.4, 3.3.8 | MEDIUM | Kit E. Floyd, Jr. | TBD | Open |
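Added illustration for POAM-017 and POAM-014 (example code written for this page; it is not OCSI's application code and does not describe how the application currently works). It contrasts the unsalted SHA-256 scheme the POA&M describes with a purpose-built password hash (PBKDF2-HMAC-SHA256 from the Python standard library, one of the three options named in POAM-017), shows a constant-time verification step, and adds a minimal complexity check for POAM-014. The iteration count, salt length, and the 14-character / 3-of-4-classes policy are assumed values for the example, not OCSI policy; the target system would enforce all of this server-side (see POAM-008).

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed parameters for this example (not OCSI's configuration).
PBKDF2_ITERATIONS = 600_000   # order of magnitude commonly recommended for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # per-record random salt
MIN_PASSWORD_LENGTH = 14      # assumed policy value for the 3.5.7 complexity check


def sha256_digest(password: str) -> str:
    """The weak scheme POAM-017 describes: one fast, unsalted SHA-256 pass.

    The same password always produces the same digest, so identical passwords
    are linkable, and a single fast hash gives an attacker billions of guesses
    per second against a leaked digest.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (a password hash, not a plain digest).

    The result is self-describing (scheme$iterations$salt$hash) so the
    iteration count can be raised later without invalidating stored records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        # Malformed record: fail closed rather than raise.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def meets_policy(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """Minimum complexity check for POAM-014: length plus 3 of 4 character classes."""
    if len(password) < min_length:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


if __name__ == "__main__":
    record = hash_password("Constructed-Example-Pass-1")   # constructed sample password
    print(record)
    print("verify ok:", verify_password("Constructed-Example-Pass-1", record))
    print("verify wrong:", verify_password("not-the-password", record))
```

Two properties distinguish the hardened form: hashing the same password twice yields different records (the salt), and verification cost scales with the iteration count, which is what makes offline guessing expensive. The stored SHA-256 digest in POAM-001 has neither property, which is why POAM-017 is listed separately from the plaintext-exposure finding.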
Closed Remediation Items (Client-Side Only)
Caveat: The items below have functional client-side implementations. However, all run in browser JavaScript and can be bypassed via DevTools. These are considered "partially remediated" — full remediation requires server-side enforcement (see POAM-008).
| ID | Weakness | Controls | Risk | Remediation | Caveat | Status |
|---|---|---|---|---|---|---|
| POAM-002 | No account lockout after failed login attempts | 3.1.8 | HIGH | Implemented 5-attempt lockout with 15-min timer | Client-side only (localStorage). Bypassable by clearing browser data. | Partial |
| POAM-003 | No session timeout or inactivity lockout | 3.1.10, 3.1.11 | MEDIUM | Added 30-min inactivity + 8-hr absolute timeout | Client-side only. Session can be recreated via DevTools. | Partial |
| POAM-004 | No audit logging for authentication or CRUD events | 3.3.1, 3.3.2 | HIGH | Implemented comprehensive audit logging (11 event types) | Stored in localStorage; user can delete/forge logs. No server-side copy. | Partial |
| POAM-005 | Missing Content Security Policy (CSP) headers | 3.13.8, 3.14.2 | MEDIUM | Deployed CSP via meta tag and .htaccess | Includes 'unsafe-inline' for script-src (see POAM-013). | Partial |
| POAM-006 | Missing security response headers | 3.13.1, 3.14.2 | MEDIUM | Added X-Frame-Options, X-XSS-Protection, HSTS, Referrer-Policy, Permissions-Policy | Depends on Apache mod_headers being active on GoDaddy shared hosting. | Closed |
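Added illustration for POAM-005 and POAM-013 (example code written for this page; it is not OCSI's deployed CSP or .htaccess). The POA&M states that 'unsafe-inline' is present because all application JS is inline. One way to close POAM-013 without first moving every script into external files is to allow-list each inline script block by its SHA-256 hash, which is how CSP represents a specific inline script; this example computes those hash source expressions, renders the corresponding mod_headers directive for .htaccess, and includes a check that flags a script-src which still permits arbitrary inline JavaScript. The sample script and the weak policy string are constructed for the example. Note that the hash covers the exact text between the script tags, so any later edit to the inline script requires regenerating the header.

```python
import base64
import hashlib

# Constructed sample inline script, as it would appear verbatim between <script> and </script>.
SAMPLE_INLINE_SCRIPT = "document.getElementById('year').textContent = new Date().getFullYear();"

# Constructed stand-in for the weak policy POAM-013 describes (not OCSI's exact header).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"


def csp_script_hash(script_body: str) -> str:
    """Return the CSP hash source expression for one inline script block.

    Browsers hash the exact bytes between <script> and </script>, with no
    trimming, so the caller must pass that text verbatim.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hardened_csp(inline_scripts) -> str:
    """Replace 'unsafe-inline' with one hash per allow-listed inline script."""
    hashes = " ".join(csp_script_hash(s) for s in inline_scripts)
    return "default-src 'self'; script-src 'self' {}; object-src 'none'".format(hashes)


def htaccess_line(csp: str) -> str:
    """Render the Apache mod_headers directive that sets the policy."""
    return 'Header set Content-Security-Policy "{}"'.format(csp)


def script_src_allows_inline(csp: str) -> bool:
    """Verification check: True when script-src still permits arbitrary inline JS.

    Under CSP Level 2 and later, a script-src that contains a hash or nonce
    source makes browsers ignore 'unsafe-inline', so that case is not flagged.
    Only the first script-src directive is considered, as browsers do.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0] != "script-src":
            continue
        sources = parts[1:]
        has_hash_or_nonce = any(
            s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources
        )
        return "'unsafe-inline'" in sources and not has_hash_or_nonce
    return False


if __name__ == "__main__":
    fixed = hardened_csp([SAMPLE_INLINE_SCRIPT])
    print("weak policy allows inline JS:", script_src_allows_inline(WEAK_CSP))
    print("hardened policy allows inline JS:", script_src_allows_inline(fixed))
    print(htaccess_line(fixed))
```

The check function is the part a reviewer would keep: run it against the header actually served (not the source .htaccess, since POAM-006 notes that mod_headers may not be active on the shared host) to confirm the remediation took effect.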
Review Schedule
  • Monthly: POA&M status review by Security Officer (Kit E. Floyd, Jr.)
  • Quarterly: POA&M review — external cybersecurity partner not yet engaged
  • Annually: Full POA&M audit aligned with SPRS score submission
  • As Needed: New POA&M items created upon identification of any security weakness