Plan of Action and Milestones (POA&M)

A Plan of Action and Milestones (POA&M, sometimes written POAM) is a document that lists the security weaknesses or gaps your company knows about but hasn't fully fixed yet, along with your plan and timeline for addressing each one. It's essentially your remediation to-do list with deadlines.

When you identify a security requirement you don't fully meet — say you haven't implemented multi-factor authentication everywhere — the POA&M records that gap, describes what you plan to do about it, who is responsible, and when it will be completed. Under CMMC 2.0, some POA&M items are allowed at the time of assessment, but they must be closed within 180 days.

Why It Matters

A well-maintained POA&M shows assessors that you're aware of your gaps and actively working to close them. However, not all gaps can be POA&M'd — certain critical requirements must be fully met at the time of assessment.
