My FutureFeed includes a column labeled "Relative Compliance Gain." This column is meant to be used to differentiate those items that are likely to have the most impact on compliance from the others.
Higher score = Greater compliance gain
For many, just looking for the POA&Ms with the highest score is enough. For those that would like an explanation of how we determine the score, it works in the following manner:
- Each control is valued at 1, 3, or 5 points. For CMMC/800-171, the valuation comes from the SPRS scoring system.
- If there are multiple objectives for a control, then the points for the control are divided amongst them. For example, on a 1-point control with two objectives, each is worth half a point.
- POA&M generated from Outcomes follows a similar system. If a control is worth 1 point and there are two Outcomes statements supporting the control, each is worth a half a point.
- POA&Ms that are inventory items are valued at 1 point for each control to which they are tagged. For example, a policy tagged with 5 controls is worth 5 points.
- POA&Ms sourced from vulnerabilities, ideas, and end-of-life feeds are not scored as they do not have a direct impact on compliance (although compliance requires that they be addressed as part of maintaining a compliant cybersecurity program).
The Max gain is the highest gain of any POA&M at any given point in time.
FutureFeed generally follows the principles in the COSO risk framework. Since the above scoring system would generate scores that appear to have an accuracy of tenths or hundredths of a point, the final score is multiplied by 100. Using whole numbers helps reduce the perception that the relative rankings are more precise than they are.
In the end, FutureFeed hopes that the relative compliance gain will help users first focus their efforts where there is likely to be the largest gain.