A Plan of Action and Milestones (POA&M) is “[a] document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”
Remedial action plans, also known as plans of action and milestones (POA&Ms), help agencies identify and assess security weaknesses in information systems, set priorities, and monitor progress in correcting those weaknesses. A POA&M is a document that “describes the measures that have been implemented or planned: (i) to correct any deficiencies noted during the assessment of the security controls; and (ii) to reduce or eliminate known vulnerabilities in the information system. The plan of actions and milestones document identifies: (i) the tasks needing to be accomplished; (ii) the resources required to accomplish the elements of the plan; (iii) any milestones in meeting the tasks; and (iv) scheduled completion dates for the milestones.”
A plan of action and milestones (POA&M), “also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.”
Federal FISMA reporting guidance states that each federal civilian agency must report all incidents and internally document remedial actions and their impact: “Agency POA&Ms must reflect known security weaknesses within an agency including its components or bureaus and shall be used by the agency, major components and program officials, and the IG as the authoritative agency management mechanism to prioritize, track, and manage all agency efforts to close security performance gaps.”
POA&Ms should be updated to show progress made on current outstanding items and to incorporate the results of the continuous monitoring process. In addition, FISMA requires the agency CIO to report annually to the agency head on the effectiveness of the agency information security program, including progress on remedial actions.