Document Revision History
DATE |
VERSION |
PAGE(S) |
DESCRIPTION |
AUTHOR |
02/18/2015 |
1.0 |
All |
Publish Date |
FedRAMP |
09/01/2015 |
1.1 |
All |
Clarifications and format updates |
FedRAMP |
10/21/2016 |
1.2 |
4-5 |
Instructions for the new Integrated Inventory Template Section 2.3; Operational Requirements – False Positive Updates to Table 2 – POA&M Items Column Information Description and Section 2.3 |
FedRAMP |
6/6/2017 |
1.2 |
Title |
Updated Logo |
FedRAMP |
1/31/2018 |
2.0 |
All |
General changes to grammar and use of terminology to add clarity, as well as consistency with other FedRAMP documents. |
FedRAMP |
1/31/2018 |
2.0 |
3 |
Corrected conflicting information in Sections 2 and 2.3 of the POA&M Template Completion Guide regarding the FedRAMP Integrated Inventory Workbook Template. |
FedRAMP |
1/31/2018 |
2.0 |
6 |
Added text instructing CSPs to deliver the inventory workbook template as part of their monthly ConMon package, along with or included in their POA&M, in the same location as their POA&M. |
FedRAMP |
1/31/2018 |
2.0 |
7 |
Updated guidance that findings from automated tools only need to be added to the POA&M once they are late. |
FedRAMP |
1/31/2018 |
2.0 |
7 |
Automated tool findings identified as Low will be considered late after 180 calendar days. |
FedRAMP |
2/21/2018 |
2.1 |
3 |
Revised guidance in the description for Column A – POA&M ID |
FedRAMP |
2/21/2018 |
2.1 |
5 |
Added a description for Column AA – Auto-Approve |
FedRAMP |
2/21/2018 |
2.1 |
6, 8 |
Updated links to resources resulting from new FedRAMP web site migration. |
FedRAMP |
4/3/2018 |
2.1 |
7 |
Updated footnote. |
FedRAMP |
11/23/2021 |
2.2 |
6 |
Updated POA&M Items Column Information Description (added Column AB header and instructions) |
FedRAMP |
7/n/2024 |
3.0 |
All |
Based on Revision 5 Update Removed JAB References PMO changed to FedRAMP |
FedRAMP |
ABOUT THIS DOCUMENT
This document provides guidance on completing the Federal Risk and Authorization Management Program (FedRAMP) Plan of Action and Milestones (POA&M) Template in support of achieving and maintaining a security authorization that meets FedRAMP requirements.
This document is not a FedRAMP template – there is nothing to fill out in this document.
This document uses the term authorizing official (AO). As defined in the FedRAMP® CSP Authorization Playbook, a federal agency’s AO is a senior federal official who is ultimately responsible for making a risk-based decision to grant a CSP’s offering an ATO. The decision is formalized in an ATO letter provided to the CSP system owner and FedRAMP. AOs have sufficient visibility across their organization to understand the impact and cost of an individual CSO on the security environment and operations of the agency.
The term FedRAMP authorization is not an endorsement of a commercial product. However, by certifying that a cloud product or service has completed a FedRAMP authorization process, FedRAMP establishes that the security posture of the product or service has been reviewed and is presumptively adequate for use by Federal agencies[1]..
The term third-party assessment organization (3PAO) refers to a FedRAMP-recognized organization which is accredited in ISO/IEC 17020 with the FedRAMP overlay.. Use of a recognized 3PAO is highly suggested when the CSP has a FedRAMP assessment performed. A FedRAMP-recognized 3PAO meets the necessary quality, independence, and FedRAMP knowledge requirements to perform required independent security assessments. A federal agency may choose to use their Independent Verification and Validation (IV&V) organization to assess a CSO. However, the decision must be in writing and made known to all stakeholders, by the Agency AO. The independent IV&V organization is required to use FedRAMP guidance and templates in performing the security assessment.
WHO SHOULD USE THIS DOCUMENT?
This document is intended to be used by Cloud Service Providers (CSPs), 3PAOs, government contractors working on FedRAMP projects, and government employees working on FedRAMP projects.
How to contact us
Questions about FedRAMP or this document should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at http://www.fedramp.gov.
Document Revision History............................................................... i
ABOUT THIS DOCUMENT........................................................................ ii
WHO SHOULD USE THIS DOCUMENT?..................................................... ii
How to contact us............................................................................. ii
1. Introduction.............................................................................. 1
1.1. POA&M Purpose................................................................. 1
1.2. Scope................................................................................. 2
2. POA&M template......................................................................... 2
2.1. Worksheet 1: Open POA&M Items...................................... 2
2.2. Worksheet 2: Closed POA&M Items.................................... 6
2.3. Integrated Inventory Workbook.......................................... 6
3. General Requirements............................................................... 7
Appendix A: fedramp ACRONYMS.................................................... 8
Table 1. POA&M Items Header Information Description
Table 2. POA&M Items Column Information Description
1. Introduction
This document provides guidance for completing and maintaining a FedRAMP-compliant POA&M using the FedRAMP Plan of Action and Milestones (POA&M)Template. The POA&M is a key document in the security authorization package and monthly continuous monitoring activities. It identifies the system’s known weaknesses and security deficiencies and describes the specific activities the CSP will take to correct them.
A CSP who chooses the FedRAMP Authorization path, must establish and maintain a POA&M for their system in accordance with this POA&M Template Completion Guide using the FedRAMP POA&M Template. The FedRAMP POA&M Template is available separately at: http://www.fedramp.gov/.
The FedRAMP POA&M Template provides the required information presentation format for preparing and maintaining a POA&M for the system. The CSP is not permitted to alter or delete existing POA&M Template columns or headers. The POA&M Template has defined all columns in each of the three POA&M Template Workbook tabs through Column AE which is labeled “Service Name”. The CSP must not change any of the column labels. The CSP may add columns and labels beginning in Column AF, if necessary.
1.1. POA&M Purpose
The purpose of the POA&M is to facilitate a disciplined and structured approach to tracking risk-mitigation activities in accordance with the CSP’s priorities. The POA&M includes security findings for the system from periodic security assessments and ongoing continuous monitoring activities. The POA&M includes the CSP’s intended corrective actions and current disposition for those findings.
FedRAMP uses the POA&M to monitor the CSP’s progress in correcting these findings.
The POA&M includes the:
§ Security categorization of the cloud information system;
§ Specific weaknesses or deficiencies in deployed security controls;
§ Importance of the identified security control weaknesses or deficiencies;
§ Scope of the weakness in components within the environment; and
§ Proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security control implementations (e.g., prioritization of risk mitigation actions and allocation of risk mitigation resources).
The POA&M identifies: (i) the tasks the CSP plans to accomplish, including a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for each milestone.
1.2. Scope
The scope of the POA&M is to adequately portray to the Authorizing Official (AO) the residual risk of operating the CSO. This includes all CSO security control implementations that have unacceptable weaknesses or deficiencies. These should align with the “Other Than Satisfied” controls identified in the Security Test Case Procedures Template. Security controls identified as “Other Than Satisfied” should be individually identified in the 3PAO’s Risk Exposure Table and then accordingly in the CSP’s POA&M.
The POA&M includes all scan findings as each unique vulnerability is tracked as an individual POA&M item. Individual vulnerabilities must be based on the scanning tool’s unique vulnerability reference identifier (ID). The CSP may break a unique vulnerability into multiple POA&M items, such as for a vulnerability that applies to different asset types that will be remediated in different ways. The CSP must not group multiple unique vulnerabilities into a single POA&M item.
The POA&M includes all manual testing findings including all red team testing deficiencies and all penetration testing deficiencies.
The CSP is required to submit an updated POA&M to the AO in accordance with the FedRAMP
2. POA&M template
The FedRAMP POA&M Template is an Excel Workbook containing three worksheets:
· Open POA&M Items, which contains the unresolved entries
· Closed POA&M Items, which contains resolved entries
· Configuration Findings, which contains compliance check (CM-6) findings
2.1. Worksheet 1: Open POA&M Items
The Open POA&M Items worksheet has two sections. The top section of the worksheet contains basic information about the system, which is described in Table 1. POA&M Items Header Information Description, below. The bottom section is a list that enumerates each open POA&M entry, which is described in Table 2. POA&M Items Column Information Description, below.
Table 1. POA&M Items Header Information Description
FedRAMP System Categorization |
Identity Assurance Level (IAL) |
CSP |
The Vendor Name as supplied in the documents provided to the AO. |
System Name |
The Information System Name as supplied in the documents provided to the AO. |
Impact Level |
Cloud Service Offerings (CSOs) are categorized as Low, Moderate, or High based on a completed FIPS 199/800-60 evaluation. FedRAMP supports CSOs with High, Moderate, and Low security impact levels. |
POA&M Date |
The date the POA&M was last updated. For an initial authorization, this is the date to which the CSP committed in their continuous monitoring plan. |
The bottom section of the Open POA&M Items worksheet includes the CSP’s corrective action plan used to track IT security weaknesses. This section of the POA&M worksheet has similarities to the National Institute of Standards and Technology’s (NIST) format requirements; however, it contains additional data and formatting as required by FedRAMP.
Table 2. POA&M Columns - Information Descriptions Per Column[L2]
Column |
Details |
Column A – POA&M ID |
CSPs are required to define a schema for the POA&M ID Unique Identifiers. Independent Assessors (IAs), aka third-party assessment organizations (3PAOs) must use the CSP-established schema to assign a unique identifier (ID) to each RET item. This will result in consistency and traceability between the RET and POA&M. To avoid duplication of existing POA&M IDs, if there is an existing identifier in the latest POA&M for the same vulnerability, the same identifier will be used in the RET.RET numbers typically begin at 0001; however, when using a CSP's established schema, the POA&M numbers begin from the last one used by the CSP (e.g., if the last POA&M number used was CSP-00450, then the first one annotated on the RET would be CSP-00451). |
Column B – Controls |
Specify the 800-53 security control affected by the weakness identified during the security assessment process. |
Column C – Weakness Name |
A short descriptor unique to each vulnerability (e.g., "Red Hat Update for glibc security (RHSA-2021:4358)" or "Elevated User Privileges"). The name of the weakness should be provided by the scanner or briefly summarize the weakness. |
Column D – Weakness Description |
The description of the weakness and other information. All security weaknesses must be described so that they can be recognized by the CSP, Information System Security Officer (ISSO), or Authorizing Official (AO). If a test was performed using a tool or scanner, a description of the reported scan results for that vulnerability must be included. |
Column E – Weakness Detector Source |
The scanner name or other source that detected the vulnerability; it refers to the method that was used to discover the vulnerability (i.e., Web Application Scanner, manual testing, security requirements traceability matrix (SRTM), interview, or document review). |
Column F – Weakness Source Identifier |
The vulnerability identifier outputted by the scanner (plugin ID/None). |
Column G – Asset Identifier |
Identifier Specified in the Inventory. This is a unique string associated with the asset; it could just be IP, or any arbitrary naming scheme. This field should include the complete identifier (no shorthand), along with the port and protocol when provided by the scanner. Each Asset should be separated by a new line (Alt+Enter). |
Column H – Point of Contact |
Identify the person/role that the AO holds responsible for implementing the task and resolving the weakness. The CSP must identify and document a Point of Contact (POC) for each reported weakness. |
Column I – Resources Required |
Specify resources needed beyond current resources to mitigate task and when applicable, provide an estimated staff time in hours. |
Column J – Overall Remediation Plan |
General overview of the remediation plan. In cases where it is necessary to provide sensitive information to describe the remediation plan, italicize the sensitive information to identify it and include a note in the description stating that it is sensitive. |
Column K – Original Detection Date |
AKA Discovery Date. Provide the month, day, and year when the weakness was first detected. This must be consistent with the Security Assessment Report (SAR) and/or any continuous monitoring activities. The CSP may not change the Original Detection Date. |
Column L – Scheduled Completion Date |
The CSP must assign a completion date to every weakness that includes the month, day, and year. The Scheduled Completion Date column must not change once it is recorded. (See Section 2.2 for guidance on closing a POA&M item.) |
Column M – Planned Milestones |
Permanent Column once populated. List of proposed Milestones, separated with a blank line (Alt+Enter). Any alterations should be made in "Milestone Changes". Milestone Number should be unique to each milestone. Each weakness must have a milestone entered with it that identifies specific actions to correct the weakness with an associated completion date. |
Column N – Milestone Changes |
List any changes to existing milestones in Column M, Planned Milestones, in this column. Any alterations, status updates, or additions to the milestones. (Milestone Number) [Type of update] [milestone date] : How and why the date changed, or the milestone was altered. Create a new Milestone Number for new Milestones. |
Column O – Status Date |
This column must provide the date the POA&M item was last changed, updated, or closed. |
Column P – Vendor Dependency |
This column indicates the remediation of the weakness required by the action of a third-party vendor (e.g., through the issuing of a patch that is not yet released). The CSP is required to check the status of the vendor’s remedy at least every 30 days. As long as the fix is still pending from the vendor, and the CSP has checked-in within 30 days of POA&M submission, FedRAMP will not count the entry as late. Once the vendor makes the fix available, the CSP has 30 days to remediate high vulnerabilities, 90 days to remediate moderate vulnerabilities, and 180 days to remediate low vulnerabilities from the date the vendor makes the fix available. The CSP must provide the vendor’s release date in Column Z (comments). In this case, the CSP may overwrite the auto-calculated scheduled completion date found in column L. |
Column Q – Last Vendor Check-in Date |
This column is used to record the date the CSP most recently checked-in with a third-party vendor regarding the availability of an un-released remedy for a known product vulnerability. If Column P – Vendor Dependency is “Yes,” the CSP must check-in with the third-party vendor at least every 30 days and record the most recent date of check-in here. If Column P – Vendor Dependency is “No,” the CSP should leave this column blank. Do NOT use “none”, “N/A”, “na” etc. |
Column R – Vendor Dependent Product Name |
If Column P – Vendor Dependency is “Yes,” the CSP must provide the name of the product that the third-party vendor has responsibility. If Column P – Vendor Dependency is “No,” the CSP should leave this column blank. Do NOT use “none”, “N/A”, “na” etc. |
Column S – Original Risk Rating |
Provide the original risk rating of the weakness at the time it was identified by the scanner, as part of an assessment, and/or continuous monitoring activities. |
Column T – Adjusted Risk Rating |
Provide the adjusted risk rating validated by the 3PAO and approved by the AO. If no risk adjustment is made, leave this cell blank. In the case that the scanner changes its risk rating from a lower to a higher risk rating, the CSP may update this column and set column U to “Yes.” |
Column U – Risk Adjustment |
State the reason for a risk adjustment request. If the CSP believes a risk adjustment is appropriate, the CSP must set this column to “Pending”, including mitigating factors. During Collaborative Continuous Monitoring, if the AO approves the deviation request, the CSP should change this cell to “Yes.” If the AO denies the risk adjustment, or if the CSP does not intend to request a risk adjustment, the CSP should set this entry to “No.” The CSP must set this column to “pending” if submitting a risk adjustment. The adjustment is finalized (setting the Risk Adjustment to “yes”) if it is approved by the AO. Only AO-approved risk adjustments may alter the scheduled completion date. |
Column V – False Positive |
State the status of the deviation request for a false positive (FP). A FP occurs when a vulnerability is identified that does not actually exist on the system. This is known to happen from time-to-time with scanning tools. If the CSP believes a finding is an FP, they must set this column to “Pending” and during Collaborative Continuous Monitoring, introduce this finding, including evidence of the FP. If the AO approves the FP, the CSP must change this to “Yes.” If the AO denies the deviation request, or if the CSP does not believe the finding is a FP, the CSP must set this entry to “No.” AO-approved false positives can also be closed. See Section 2.2 for guidance on closing a POA&M item. |
Column W – Operational Requirement |
State the status of the deviation request for an operational requirement (OR). An OR means that there is a weakness in the system that will remain an open vulnerability (NOTE: Operational Requirement (OR) == Open Risk (OR)) that cannot be corrected without impacting the full operation of the system. An OR is also an open vulnerability that could be exploited, regardless of the limited opportunity for exploitation, such as a component that is installed but not enabled. A CSP determination of an operational requirement will cause this column to be set to “pending.” The deviation is finalized, setting the status to “yes”, if it is approved by the AO. Approved operational requirements must remain on the Open POA&M Items worksheet and must be periodically reassessed by the 3PAO. |
Column X – Deviation Rationale |
Provide a rationale for any deviation request submitted to the AO. For operational requirements and risk adjustments, include mitigating factors and compensating controls that address the specific risk to the system. For false positives, include information about evidence/artifacts that support the result. |
Column Y – Supporting Documents |
List any additional documents that are associated with the POA&M item (e.g. Deviation Request, Evidence of Remediation, Evidence of Vendor Dependency, etc). |
Column Z – Comments |
Provide any additional comments that have not been provided in any of the other columns. |
Column AA – |
Whether the deviation request was auto-approved or manually approved. |
Column AB – Binding Operational Directive (BOD) 22-01 tracking Reducing the Significant Risk of Known Exploited Vulnerabilities |
Indicates if the vulnerability listed in this POA&M item is listed among the CISA known exploited vulnerability catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Please be aware that some of the due dates listed in this catalog are shorter timeframes than FedRAMP guidance prescribes for high vulnerabilities. You will be expected to follow CISA guidance and timeframes for closure of these items. |
Column AC - Binding Operational Directive 22-01 Due Date |
Due date for remediating 22-01 vulnerabilities. If this vulnerability is listed among the CISA Known Exploited Vulnerability Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) include the due date given by CISA for this vulnerability. |
Column AD – CVE associated with the BOD Vulnerability |
List the CVE or CVEs here. |
Column AE – Service Name |
If CSO does not offer services/offerings then leave this cell blank. Else, this cell should capture the service/offering (or services/offerings) that are affected by this vulnerability. This should be the unique name (no shorthand) of the service/offering as the purchaser would see it listed on the FedRAMP Marketplace (authoritative source). Each service/offering is separated by a new line (Alt+Enter). If the vulnerability affects the entire boundary, it is marked as “All”. If the vulnerability only affects internal aspects of the boundary and no services, it is marked “Internal” (All leveraging entities should factor in all “Internal” findings into their risk posture.) The ‘Service Name’ column helps Agencies to understand which vulnerabilities apply to the CSO services, sub services and features that each Agency may be leveraging. This allows the POA&M user to filter the template to the items affecting their agency by the services or offerings purchased from the cloud service provider (CSP). |
2.2. Worksheet 2: Closed POA&M Items
The top of the Closed POA&M Items worksheet contains the system information as the top of the Open POA&M Items worksheet. The remainder of the worksheet contains the POA&M items that are completed. The details should reflect almost all of the information provided in the Open POA&M Items worksheet; however, the CSP must update Column O – Status Date, with the date of completion.
To “close” a POA&M item, update the date in Column O – Status Date, and move the POA&M item to Worksheet 2, Closed POA&M Items. Note that when an item is moved to the Closed POA&M Items tab, it must be very clear to the AO and any other person interested in the POA&M status, why the POA&M item is now “closed”.
A POA&M item can be moved to the Closed POA&M Items worksheet when either of the following occurs:
§ All corrective actions have been applied and evidence of mitigation is collected by the CSP available for inspection. Evidence of mitigation must then be verified by a 3PAO during initial and periodic assessments and may be requested by the AO at any time.
§ A false positive deviation request was approved by the AO. Note that until the false positive has been approved by the AO and/or validated by the 3PAO, the false positive remains on the Open POA&M items tab as an Open risk. It is at the discretion of the Agency AO when they consider it acceptable to move a false positive to the Closed tab.
2.3. WORKSHEET 3: CONFIGURATION FINDINGS
FedRAMP added a Compliance Scanning (CM-6) updates, also known as a “Configuration Findings” tab to ensure that all configuration deficiencies (CM-6 findings) are recorded and reported in a standard manner. This also ensures that all 3PAOs can easily recognize these configuration deficiencies to validate them. Open CM-6 findings “count” toward CSP Open POA&M findings. This means that all stakeholders must recognize a higher number of POA&M items. That is to be expected.
Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings, e.g., compliance scans as part of the security controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding Security Assessment Report (SAR) Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M) in the Configuration Findings tab. This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.
During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed by 3PAOs during initial assessments, annual assessments, and significant change requests. During the 3PAO assessments, the 3PAO is required to define each configuration deficiency, separately in the RET Workbook, and the CSP must record each CM-6 finding in the POA&M “Configuration Findings” tab.
NIST SP 800-53 Revision 5, CM-6 Configuration Settings, requires that all systems establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements. This must be accomplished using DoD Security Technical Implementation Guides (STIGs), or CIS Level 2 secure configurations for Moderate and High baseline systems.
1. STIGS are the first choice.
2. If and only if, the product does not have a STIG associated with it, then CIS Level 2.
3. If the product does not have the STIG or CIS Level 2, then the CSP must customize the baseline.
DoD STIGS or CIS benchmarks must be implemented for Low and LI-SaaS baseline systems. Low and LI-SaaS systems must also document and assess the CM-6 control to ensure FedRAMP compliance. The requirement is to specifically include details of least functionality.
The CSP must also ensure that the checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
Therefore, the CSP must implement the configuration settings and identify, document, and approve any deviations from established configuration settings for all system components based on organization-defined operational requirements. The items are to be recorded in the CSO POA&M. The CSO POA&M is used to monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
2.4. Integrated Inventory Workbook
The CSP must continuously maintain an inventory workbook using the FedRAMP Integrated Inventory Workbook (IIW) Template, available separately on the FedRAMP website, the Documents &Templates page. In accordance with the FedRAMP CSP_Continuous_Monitoring_Performance_Management_Guide.pdf, the CSP must submit their up-to-date IIW each month with their updated POA&M and other continuous monitoring deliverables. The IIW,POA&M, and raw scan results must be submitted together and placed in the same Repository location each month. Please see the Integrated Inventory Workbook Template for instructions on completing and updating the inventory of system assets.
3. General Requirements
The CSP must include the following in the Open POA&M Items worksheet:
§ All security vulnerabilities identified through vulnerability scanning tools, where the CSP is late remediating the vulnerability[2] ;
§ All known security vulnerabilities and deficiencies identified through means other than vulnerability scanning tools (e.g., interviews, red team testing, other forms of manual testing and observations, and penetration testing); and
A security vulnerability remediation is late if it is not remediated within the time requirements detailed in the FedRAMP CSP_Continuous_Monitoring_Performance_Management_Guide.pdf, and summarized in the bullets below.
The CSP must comply with the following:
§ Use the FedRAMP POA&M Template to track and manage all POA&M items.
§ If a finding is identified in the SAR, or because of continuous monitoring activities, it must be included as an item on the POA&M.
§ All POA&M entries must map back to a finding in the SAR and/or continuous monitoring activities.
§ False positives identified in the SAR Risks Corrected During Testing (RCDT) tab of the Risk Exposure Template (RET) Workbook, along with supporting evidence (e.g., clean scan report) do not have to be included in the POA&M.[L5]
§ Each finding in the POA&M must have a unique identifier. This unique identifier must pair with a respective SAR finding and continuous monitoring activities.
§ All high and critical risk findings must be remediated prior to receiving a FedRAMP Authorization.
§ High and critical risk findings identified through continuous monitoring activities must be remediated within 30 days of the Original Detection Date.
§ Moderate findings must be remediated within 90 days of the Original Detection Date.
§ Low findings must be remediated within 180 days of the Original Detection Date.
Note: The POA&M Spreadsheet has problems with data validation in the Mac version of Microsoft Office. Disabling macros typically resolves this issue.[L6]
Comments
0 comments
Please sign in to leave a comment.