Create Plan of Action & Milestones
A Plan of Action & Milestones (POA&M) is a required security artifact that tracks known security weaknesses, remediation plans, and progress toward resolution. For systems authorized under FedRAMP, the POA&M provides transparency to Authorizing Officials (AOs), security assessors, and stakeholders by documenting:
- Identified vulnerabilities
- The associated control weaknesses
- Planned remediation actions
- Responsible parties
- Target remediation dates
- Risk status and severity
The POA&M is a living document that must be updated regularly as vulnerabilities are discovered, remediated, or reassessed.
When a POA&M is required
You must create or update a POA&M when:
- A security control fails or is partially implemented
- A vulnerability scan identifies a finding
- A penetration test identifies exploitable weaknesses
- A Security Assessment Report (SAR) identifies control deficiencies
- A continuous monitoring activity detects new issues
- A risk acceptance decision requires tracking mitigation activities
Key components of a POA&M document
A FedRAMP-compliant POA&M entry typically includes the following fields:
| Field | Description |
|---|---|
| POA&M ID | Unique identifier for the weakness |
| Control ID | Associated NIST SP 800-53 control (e.g., AC-2, SI-2) |
| Weakness Description | Summary of the security issue |
| Source of Finding | Scan, assessment, or test identifying the weakness |
| Severity | Risk rating (High / Moderate / Low) |
| Remediation Plan | Steps planned to correct the issue |
| Milestones | Intermediate remediation steps |
| Responsible Party | Team responsible for remediation |
| Scheduled Completion Date | Planned remediation deadline |
| Status | Open, In Progress, or Closed |
| Comments | Additional context or justification |
How to complete POA&M requirements with the Security Advisory Services and Agency
The Security Advisory Services and Agency will work with you to create and maintain your application's POA&M document. Responsibilities are divided as follows:
- Security Advisory Services and Agency:
  - Identify the security weaknesses in your application
  - Map each finding to the applicable security control
  - Determine severity and required completion date
- Your organization:
  - Define a remediation plan for each finding
  - Assign ownership and accountability for remediation
The POA&M creation process
While the Security Advisory Services and Agency team leads the technical mapping of your POA&M, the following steps outline the standard process. Reviewing these steps will help you understand how vulnerabilities are transformed into actionable remediation plans.
Identify the security weakness
Start by documenting the finding clearly and concisely. Include:
- The affected system component
- How the issue was identified
- The potential security impact
Map the finding to a security control
Each POA&M entry must be associated with the relevant NIST SP 800-53 control.
Example mappings:
| Finding Type | Likely Control |
|---|---|
| Vulnerable dependency | SI-2 Flaw Remediation |
| Excessive privileges | AC-6 Least Privilege |
| Weak encryption | SC-13 Cryptographic Protection |
| Missing logging | AU-2 Event Logging |
Determine the severity
FedRAMP severity ratings generally align with CVSS scoring or assessor risk ratings.
| Severity | Description |
|---|---|
| High | Immediate remediation required |
| Moderate | Must be remediated within defined timelines |
| Low | Minor issue or informational |
Define a remediation plan
Describe the actions required to eliminate the vulnerability. Include:
- Technical remediation
- Configuration updates
- Dependency upgrades
- Process improvements
For example:
- Update vulnerable dependency
- Apply security patches
- Modify IAM policies
- Harden configuration settings
Assign responsibility
Each POA&M item must have a clearly identified owner, such as the DevOps or Application teams.
Establish completion dates
FedRAMP programs often require remediation timelines based on severity. Review the Acceptance Baseline Criteria for the exact timeline.
Example POA&M Entry
POA&M Entry
| POA&M ID | Weakness Name | Weakness Description | Control ID | Source of Finding | Affected Assets | Security Impact | Risk Severity | Remediation Plan | Milestones with Completion Dates | Planned Completion Date | Resources Required | Responsible Party | Status | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| POAM-2026-001 | Vulnerable OpenSSL dependency in application container | A container image scan identified a critical OpenSSL vulnerability (CVE-2025-12345) in the application container image used in the production environment. | SI-2 | Container Image Scan | Production application container image | Exploitation of the vulnerable library could allow compromise of application confidentiality, integrity, or availability. | High | Upgrade OpenSSL to the patched version, rebuild the container image, validate the fix through rescanning, and deploy the updated image through the approved release process. | 1. Validate vulnerability applicability - 2026-03-20; 2. Upgrade dependency - 2026-03-25; 3. Rebuild image and rescan - 2026-03-28; 4. Deploy to staging and production - 2026-04-10; 5. Verify closure - 2026-04-15 | 2026-04-15 | Engineering time, CI/CD pipeline support, security validation | Application Engineering Team | In Progress | Patch included in the next approved release cycle. Security team will review scan evidence before closure. |
| POAM-2026-002 | Inactive accounts not disabled within required timeframe | User accounts that have been inactive for more than 35 days remain enabled in the identity management system. | AC-2 | Security Control Assessment | Identity provider and application-integrated user accounts | Stale accounts increase the risk of unauthorized access through dormant or unmanaged credentials. | Moderate | Implement automated inactivity monitoring, disable inactive accounts after the approved threshold, and document periodic account review procedures. | 1. Review inactive account inventory - 2026-04-05; 2. Implement automated disablement rule - 2026-04-15; 3. Disable existing stale accounts - 2026-04-20; 4. Update SOP and evidence collection process - 2026-05-01 | 2026-05-01 | IAM administrator support, identity platform configuration updates | Identity & Access Management Team | Open | Manual reviews are currently performed inconsistently. Automation is required for sustained compliance. |
| POAM-2026-003 | Incomplete logging of administrative actions | Administrative actions performed through the management interface are not consistently captured in centralized audit logs. | AU-2 | Penetration Test | Application admin portal and centralized logging pipeline | Missing audit trails reduce the ability to detect, investigate, and respond to unauthorized or inappropriate administrative activity. | Moderate | Update application logging to record administrative events, forward logs to the centralized monitoring platform, and validate retention and searchability. | 1. Identify missing admin events - 2026-04-10; 2. Update logging instrumentation - 2026-04-25; 3. Integrate with centralized logging service - 2026-05-05; 4. Validate event capture and retention - 2026-05-20 | 2026-05-20 | Developer support, logging pipeline updates, validation testing | Platform Engineering | Open | Existing logs capture authentication events but not all privilege-changing or configuration actions. |
| POAM-2026-004 | Deprecated TLS cipher suites enabled for internal services | Configuration compliance scans identified deprecated TLS cipher suites enabled on internal service-to-service communication endpoints. | SC-13 | Configuration Compliance Scan | Internal API gateways and service endpoints | Weak cryptographic settings could allow downgrade attacks or weaken protection of data in transit. | High | Update TLS configuration baselines, disable deprecated cipher suites, redeploy affected services, and validate using configuration and network testing. | 1. Inventory affected services - 2026-03-18; 2. Update TLS baseline configuration - 2026-03-24; 3. Redeploy services - 2026-04-02; 4. Validate secure cipher enforcement - 2026-04-10 | 2026-04-10 | DevOps support, configuration management updates, validation testing | DevOps Team | In Progress | Staging remediation is complete. Production rollout is pending completion of change control review. |
| POAM-2026-005 | Privileged containers allowed by default in cluster policy | Kubernetes cluster configuration permits privileged containers to run without requiring documented exception approval. | CM-6 | Configuration Review | Kubernetes admission policy and workload configuration | Privileged containers may enable container breakout or unauthorized host-level access. | High | Implement admission controls to block privileged containers by default, establish an exception workflow, and retest workloads for compatibility. | 1. Draft admission control policy - 2026-03-30; 2. Test policy in non-production cluster - 2026-04-08; 3. Deploy policy to production - 2026-04-18; 4. Publish exception procedure - 2026-04-25 | 2026-04-25 | Platform security engineering, cluster admin support, workload testing | Platform Security Team | Open | A temporary review process exists, but enforcement is not yet technical or automated. |
| POAM-2026-006 | Password policy does not meet required complexity settings | The identity provider configuration does not fully enforce password complexity and minimum length requirements expected for the environment. | IA-5 | Security Assessment Report | Enterprise identity provider | Weak password requirements increase the likelihood of credential compromise and unauthorized access. | Moderate | Update password policy settings in the identity provider, validate enforcement, and document the updated authenticator management configuration. | 1. Review current password settings - 2026-04-12; 2. Update identity provider policy - 2026-04-25; 3. Test policy enforcement - 2026-05-02; 4. Update supporting documentation - 2026-05-10 | 2026-05-10 | IAM administrator support, user communications, validation testing | Identity Management Team | Open | MFA is enabled, but password policy configuration still requires adjustment to meet baseline expectations. |
| POAM-2026-007 | Vulnerability scanning not consistently performed across environments | Monthly vulnerability scans are not being executed consistently across staging and production environments, and tracking evidence is incomplete. | RA-5 | Continuous Monitoring Review | Production and staging environments | Inconsistent scanning may delay identification of exploitable vulnerabilities and weaken continuous monitoring effectiveness. | Moderate | Automate recurring vulnerability scans for all in-scope environments, centralize scan results, and track completion evidence in the security workflow. | 1. Confirm environment inventory - 2026-04-15; 2. Configure automated scan schedules - 2026-04-30; 3. Integrate results with tracking system - 2026-05-15; 4. Validate monthly reporting process - 2026-05-30 | 2026-05-30 | Security operations support, scanner licensing, reporting workflow updates | Security Operations | Open | Current scanning is partially manual and depends on individual team follow-through. |
Best practices
To ensure your POA&M remains effective:
- Keep entries concise and actionable. Focus on clear, specific remediation steps rather than vague descriptions.
- Prioritize by risk. Address High severity findings first.
- Track progress consistently. Update status regularly to reflect current remediation state.
- Align with scan results. Ensure POA&M items stay in sync with the latest vulnerability scan outputs.
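The following Python example is added here to make the POA&M creation process and the "align with scan results" practice concrete; it is not code from this page or from the Security Advisory Services and Agency. It builds an entry from a finding using the mapping table above, checks it for the gaps an assessor would flag (unmapped control, invalid severity, no owner, milestone dates out of order or after the deadline), and reconciles open entries against the latest scan. The `Finding Reference` field (the scanner's own identifier) and ISO-formatted date strings are assumptions made for the example.

```python
# Finding-type to NIST SP 800-53 control mapping, taken from the table above.
FINDING_CONTROL_MAP = {
    "vulnerable dependency": "SI-2",
    "excessive privileges": "AC-6",
    "weak encryption": "SC-13",
    "missing logging": "AU-2",
}
SEVERITIES = ("High", "Moderate", "Low")

def build_entry(poam_id, finding_type, finding_ref, description, source,
                severity, owner, milestones):
    """Assemble one POA&M entry. finding_ref is the scanner's own identifier
    (an assumed field, used for reconciliation); milestones is a non-empty list
    of (step, ISO date) pairs in planned order; the last date is the deadline."""
    return {
        "POA&M ID": poam_id,
        "Control ID": FINDING_CONTROL_MAP.get(finding_type.lower(), "UNMAPPED"),
        "Finding Reference": finding_ref,
        "Weakness Description": description,
        "Source of Finding": source,
        "Severity": severity,
        "Milestones": list(milestones),
        "Responsible Party": owner,
        "Scheduled Completion Date": milestones[-1][1],
        "Status": "Open",
    }

def validate_entry(entry):
    """Return the problems found; an empty list means the entry is complete."""
    problems = []
    if entry["Control ID"] == "UNMAPPED":
        problems.append("finding is not mapped to a NIST SP 800-53 control")
    if entry["Severity"] not in SEVERITIES:
        problems.append("severity must be High, Moderate or Low")
    if not entry["Responsible Party"]:
        problems.append("no responsible party assigned")
    dates = [d for _, d in entry["Milestones"]]  # ISO strings sort chronologically
    if dates != sorted(dates):
        problems.append("milestones are not in chronological order")
    if dates and entry["Scheduled Completion Date"] < dates[-1]:
        problems.append("scheduled completion date precedes the last milestone")
    return problems

def reconcile(entries, latest_scan_refs):
    """Sync check against the latest scan: returns (finding references with no
    open entry yet, POA&M IDs of open entries whose finding the scan no longer reports)."""
    open_entries = [e for e in entries if e["Status"] != "Closed"]
    new = sorted(set(latest_scan_refs) - {e["Finding Reference"] for e in open_entries})
    stale = [e["POA&M ID"] for e in open_entries if e["Finding Reference"] not in latest_scan_refs]
    return new, stale
```

Entries returned as stale are closure candidates only; per the example table above, closure still waits on reviewed scan evidence, and a finding that reappears after its entry was closed is reported as new so it gets a fresh entry.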
Additional resources
For more information on POA&M requirements, review: