NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-5Plan of Action and Milestones

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

Practitioner Notes

A Plan of Action and Milestones (POA&M) is your organization's to-do list for fixing security weaknesses. Every finding from assessments, audits, or scans that is not immediately fixed must be tracked here with deadlines and responsible parties.

Example 1: After a Nessus scan reveals 15 critical vulnerabilities, create a POA&M entry for each one in your GRC tool (like eMASS or Xacta) with a remediation deadline of 30 days and an assigned owner.

Example 2: Track all audit findings from your annual CMMC assessment in a POA&M spreadsheet that includes columns for weakness description, severity, milestone dates, and status updates reviewed monthly by leadership.

More Assessment, Authorization, and Monitoring Controls

CA-1 Policy and Procedures CA-2 Control Assessments CA-2(1) Independent Assessors CA-2(2) Specialized Assessments