What Is a POA&M? Understanding the Plan of Action and Milestones
Learn what a POAM (Plan of Action & Milestones) is, why it's critical for CMMC, NIST, & FedRAMP, and what to include in your remediation spreadsheet.

POAM is short for Plan of Action and Milestones. It’s a formal document used to track and remediate known security weaknesses within an organization. It’s a structured to-do list that details your specific, non-compliant security items, the plan to fix them, who is responsible, and, critically, when they will be completed.
For 99% of companies, your POAM is a detailed spreadsheet (an Excel or Google Sheets file).
In more mature organizations, that spreadsheet data is tracked in a GRC (Governance, Risk, and Compliance) platform. But the format and the required fields are the same. It’s a formal, tracked roadmap with set deadlines, not just a checklist of nice-to-haves.
Why POA&Ms Are Important
POA&Ms are an essential part of the compliance process. Very few organizations are perfect when they first go through an audit, and the POA&M provides a structured way to remediate findings and implement the security controls that are still missing.
A POA&M is a living document outlining a specific plan that your organization must follow. It details every security deficiency, what needs to be done to comply with regulatory requirements under the Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171, and when each step will be completed.
The end goal of a POA&M is full compliance with the requirements of the framework (e.g. CMMC or NIST SP 800-171).
The POA&M enables your business to achieve conditional certification and continue to operate under existing contracts, while giving you time (usually 180 days) to fix any low-risk issues. You can't have a POA&M that includes critical issues for high-risk controls.
A POAM is a binding commitment. You have formally, and often contractually, told an auditor and your customers that you will fix a specific thing by a specific date.
When Are POA&Ms Created?
A POA&M is created whenever a weakness is identified in your security posture. Usually, this happens during a third-party assessment; with CMMC, for example, it’ll be during your C3PAO audit. However, issues can also be identified internally during testing or gap analysis.
Once any deficiencies are identified, they need to be detailed and documented in a POA&M so that you can maintain compliance.
POA&M and CMMC
If you’re working towards CMMC certification, conditional status may be granted even if your requirements are not fully met, but, as mentioned above, only if the controls listed in the POA&M are low risk. You can’t just lean on the POA&M to get around implementation.
- At Level 1: There’s no allowance for POA&M and all Level 1 controls must be in place and working to achieve certification.
- At Level 2: You can only use a POA&M if your assessment score is above 88 and the control has a point value of 1 or less. There are also some POA&M-prohibited controls that must be implemented.
- At Level 3: Again, you must have an assessment score above 88 and the control cannot be in the Level 3 POA&M-prohibited controls list.
For Level 2 and 3, all POA&M issues must be closed within 180 days of the original assessment and closure must be verified by a closeout assessment.
NIST, FISMA, and FedRAMP
The POAM originated with the U.S. federal government. The Federal Information Security Management Act (FISMA) requires federal agencies to use them. As a result, POAMs are also a part of the NIST Risk Management Framework (RMF) and the FedRAMP authorization process for cloud providers.
SOC 2 and ISO 27001
While these frameworks don't typically use the name "POAM," the concept is identical.
- In a SOC 2 report, this is documented in "Management's Response" to "Exceptions" or "Findings."
- In ISO 27001, this is tracked in a "Corrective Action Plan."
The name is different, but the function, the fields, and the penalty for ignoring it are exactly the same.
What Must Be Included in a POAM?
Your POAM spreadsheet is made of several elements. Here are the POA&M items typically included:
Unique Identifier
This is your primary key: a unique ID that you or your auditor assigns to a finding. It could be something like POAM-001 or VUL-2025-014. The format doesn't have to be an exact science, but it must be unique and it must never change. This ID is how you will refer to the issue from now on.
Associated Control
You must map every item in your POA&M to the requirement or control it relates to. Examples: NIST SP 800-53 SI-11 (Log Retention), CMMC AC.L2-3.1.3 (MFA).
Weakness Description
This is the "what": a brief description of the issue that needs to be addressed. Make sure it’s clear and easy to understand for anyone who may be responsible for putting the fix in place. Also include a risk classification for the issue (e.g. High, Moderate, Low). Items on a POA&M should mostly be Moderate or Low.
Responsible Party
The individual or team within your organization that is responsible for fixing this issue or implementing the relevant control. This individual or team is ultimately responsible for ensuring that the item is ticked off the POA&M before the deadline.
Proposed Remediation Steps
This details how you’re planning to fix the gap and resolve the issue. Again, you’ll want to be specific here; something like “fix logs” is too vague. Briefly lay out a set of technical steps that an engineer can read and act on.
Milestones and Completion Date
Your POA&M is a binding document and the final due date is mandatory, so saying "TBD" or "Ongoing" when it comes to completion dates isn’t good enough. With your milestones, you’re creating key checkpoints to track progress, for example, if you’re migrating a database your milestones may be:
- M1: Research & select new DB (Jan 15)
- M2: Implement in staging (Feb 1)
- M3: Deploy to prod & decommission (Feb 15)
The target completion date is when the whole issue will be resolved, with an audit-ready fix in place. Once the item is complete, that date becomes its closure date, showing when the closed item was resolved.
Status
This is your tracking field. You must use a standard set of terms, for example:
- Open: The weakness has been identified, but work has not started.
- In Progress: The remediation plan is actively being executed.
- Completed: The fix is implemented, verified, and documented.
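As an added example (not part of the original article or any official template), the following Python script checks a POA&M spreadsheet exported as CSV against the fields listed above and the CMMC rules from the earlier section: every required column filled, IDs unique, a standard status value, a real target date rather than "TBD", no High-risk items, and no target date beyond 180 days from the assessment. The column names, the sample rows and the control IDs in them are constructed for the example.

```python
"""Validate a POA&M spreadsheet (CSV export) against the required fields
and the CMMC eligibility rules. Added example, not an official template."""
import csv
import io
from datetime import date, timedelta

# Column names are assumed; rename to match your own sheet.
REQUIRED = ["id", "control", "weakness", "risk", "owner",
            "remediation", "milestones", "target_date", "status"]
STATUSES = {"Open", "In Progress", "Completed"}  # the standard set
CLOSURE_DAYS = 180  # CMMC Level 2/3 closure window from the assessment date

# Constructed sample export; the findings, owners and dates are made up.
SAMPLE_CSV = """\
id,control,weakness,risk,owner,remediation,milestones,target_date,status
POAM-001,IA.L2-3.5.3,MFA missing on two legacy admin jump hosts,Moderate,Platform Team,Enroll hosts in the MFA broker,M1 pilot 2025-02-01;M2 rollout 2025-02-20,2025-03-01,In Progress
POAM-002,AU.L2-3.3.1,Audit logs kept 30 days instead of 90,Low,SecOps,Raise SIEM retention to 90 days,M1 storage sized 2025-02-15,TBD,Open
POAM-002,AU.L2-3.3.1,Retention exception for DB servers undocumented,Low,SecOps,Write and approve the exception,,2025-09-01,Done
POAM-004,SC.L2-3.13.1,Firewall permits any-to-any inbound,High,Network Team,Restrict inbound rules to an allow-list,M1 rule audit 2025-01-20,2025-02-01,Open
"""


def validate_poam(csv_text, assessed_on):
    """Return {id: [problems]} for rows failing any check; {} means clean.
    assessed_on is the ISO date of the assessment that opened the POA&M."""
    deadline = date.fromisoformat(assessed_on) + timedelta(days=CLOSURE_DAYS)
    seen, problems = set(), {}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        rid = (row.get("id") or "").strip() or f"row {n}"
        errs = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
        if rid in seen:  # the ID is the primary key and must never repeat
            errs.append("duplicate id (the ID must be unique and never change)")
        seen.add(rid)
        if row.get("risk") == "High":  # high-risk controls cannot sit on a POA&M
            errs.append("High-risk weakness is not eligible for a POA&M")
        if row.get("status") not in STATUSES:
            errs.append(f"non-standard status {row.get('status')!r}")
        try:  # "TBD" / "Ongoing" / blank all fail to parse as a date
            if date.fromisoformat(row.get("target_date", "")) > deadline:
                errs.append(f"target date is past the 180-day limit ({deadline})")
        except ValueError:
            errs.append("target_date must be a real date, not TBD/Ongoing")
        if errs:
            problems.setdefault(rid, []).extend(errs)
    return problems


if __name__ == "__main__":
    for rid, errs in validate_poam(SAMPLE_CSV, "2025-01-10").items():
        print(rid, "->", "; ".join(errs))
```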
POA&Ms vs. a System Security Plan (SSP)
The SSP is another acronym closely tied to CMMC compliance and other federal frameworks. Both are incredibly important but serve different purposes.
The POA&M is a remediation plan to help you fix any issues and vulnerabilities identified by either your internal team or external auditors, whereas the SSP outlines how your business protects sensitive information and data, and the related policies and procedures you have in place.
Both POA&Ms and SSPs are essential for working on cybersecurity contracts with the Department of Defense (DoD).
POA&Ms Frequently Asked Questions
What's the Difference Between a POA&M and a Risk Acceptance?
A POAM is a plan to fix a weakness. A Risk Acceptance is a formal, written decision to not fix the weakness (due to cost, technical impossibility, etc.) and to formally accept the potential consequences.
How Many POA&Ms is Too Many?
There's no magic number. One POAM for a critical control (like "we don't use MFA") is a failure. Thirty POAMs for low-risk typos in documentation may be perfectly okay. The focus is on the risk severity of the findings, not the quantity.
How Long Can a POAM Stay Open?
For CMMC, there is a hard 180-day limit. For other frameworks, it's what you and your auditor agree to. As a rule, any POAM open for more than a year is a massive red flag to an auditor that you aren't serious about remediation.
Who Identifies a Weakness and Creates a POA&M?
Weaknesses and vulnerabilities can be identified both by your internal team and by a C3PAO. As you go through gap analysis and internal reviews, weaknesses should be flagged proactively and added to the POA&M. A third-party auditor will also identify any issues as they work through an audit.
Do I Need Software to Make a POA&M, or is a Spreadsheet Okay?
A spreadsheet is 100% acceptable, especially when you're starting out. The important part is the content and your commitment to it. You can move to a GRC platform as your program scales, but the spreadsheet is the perfect place to start.
Who Sees the POA&M?
It is an internal document that you also share with specific external parties. The audience includes:
- Internal Teams: For accountability and project management.
- Your Auditors and Assessors: As proof of your remediation plan and to pass the audit.
What Happens if I Miss My POAM Deadline?
You must have a very good, documented reason (e.g., supply chain delay for new hardware) and a new, re-negotiated date. If you just miss it, it tells an auditor your process isn’t working and you don't honor your commitments.

