POA&M (Plan of Action and Milestones)

Plan of Action and Milestones tracks remediation of security control deficiencies.

Definition

A Plan of Action and Milestones (POA&M) is a document that identifies the tasks needed to remediate security control deficiencies, the resources required, the milestones for completion, and the scheduled completion dates. Required for both federal systems under FISMA and contractor systems under NIST 800-171, POA&Ms track the status of each security weakness from identification through remediation. Each POA&M entry includes the weakness description, point of contact, resources required, scheduled completion date, milestones, status, and source of discovery. POA&Ms demonstrate that an organization is actively managing its security risks even when full compliance is not immediately achievable. For SPRS scoring under DFARS, unimplemented NIST 800-171 controls that are documented in a POA&M still result in point deductions from the assessment score; documenting a gap does not remove the scoring penalty.

Also Known As

  • POA&M
  • POAM
  • Remediation Plan
  • Corrective Action Plan

Examples

Common Mistakes to Avoid

  • Creating POA&M entries without realistic completion dates
  • Not tracking and updating POA&M status regularly
  • Using a POA&M as an indefinite waiver rather than as an active remediation plan

Who Should Know This Term

Security officers, system owners, ISSOs, compliance managers, auditors

Official Source

OMB Circular A-130