What is a POA&M?

POA&M stands for Plan of Action and Milestones. It is a security mandate that is part of the Federal Information Systems Management Act of 2002 (FISMA) for documenting an action plan to correct cybersecurity weaknesses. The document outlines the specific tasks and activities required to address the identified weaknesses. This includes details like remediation steps, resource allocation, and milestones and timelines. 

Who uses PO&AMs?

• Government Contractors: A PO&AM might be required to address security deficiencies identified during a security assessment for organizations working with government agencies. (e.g., DFARS compliance)
• Financial Institutions: Financial institutions often have strict security requirements to protect sensitive customer data. A PO&AM can be used to track progress towards meeting these requirements.
• Organizations Handling Sensitive Data: Any organization that handles sensitive data, such as healthcare providers or companies with intellectual property, can benefit from using a PO&AM to manage security risks.

See Also: 

1. DFARS SSP and PO&AM 
2. NIST 800-171 Rev 2
3. What is NIST 800-171? 
4. DFARS Compliance Checklist