NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-4 Plan of Action and Milestones Process

a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
   1. Are developed and maintained;
   2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
   3. Are reported in accordance with established reporting requirements.
b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in [CA-5](#ca-5).

Practitioner Notes

A POA&M is your official to-do list for fixing security weaknesses. Every finding from audits, assessments, or scans should be tracked with a responsible person, a target completion date, and the resources needed to fix it.

Example 1: After a vulnerability scan, export the findings into a POA&M spreadsheet with columns for: weakness description, risk level, responsible party, estimated completion date, milestones, and current status. Review this document monthly with leadership.

Example 2: Use Microsoft Planner or Azure DevOps Boards to manage your POA&M items as tasks. Each task gets assigned to a team member, tagged with the control family it addresses, and tracked through stages (Open, In Progress, Mitigated, Closed). Generate a monthly status report from the board for leadership review.
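As an added example (not part of this control page or of NIST's text), a small Python tracker that models the POA&M columns from Example 1 and the stages from Example 2, rejects records that lack an owner or milestones, and produces the monthly status summary with overdue items ordered by risk; the findings and review date are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

STAGES = ("Open", "In Progress", "Mitigated", "Closed")  # lifecycle from Example 2
RISK_LEVELS = ("Low", "Moderate", "High")                 # lowest to highest

@dataclass
class PoamItem:
    """One POA&M row: the columns from Example 1 plus the control-family tag from Example 2."""
    weakness: str
    risk_level: str
    responsible_party: str
    estimated_completion: date
    milestones: list
    status: str
    control_family: str = ""

def validate(item):
    """Return the reasons an item is not a complete POA&M record (empty list means it is)."""
    checks = [
        (not item.weakness.strip(), "missing weakness description"),
        (item.risk_level not in RISK_LEVELS, f"unknown risk level {item.risk_level!r}"),
        (not item.responsible_party.strip(), "no responsible party assigned"),
        (not item.milestones, "no milestones defined"),
        (item.status not in STAGES, f"unknown status {item.status!r}"),
    ]
    return [msg for failed, msg in checks if failed]

def monthly_report(items, today):
    """Counts per stage, unfinished items past their date (highest risk first), and invalid-record count."""
    valid = [i for i in items if not validate(i)]
    overdue = [i for i in valid
               if i.status in ("Open", "In Progress") and i.estimated_completion < today]
    overdue.sort(key=lambda i: (-RISK_LEVELS.index(i.risk_level), i.estimated_completion))
    return {"by_status": Counter(i.status for i in valid), "overdue": overdue,
            "invalid": len(items) - len(valid)}

# Constructed sample findings and review date, not taken from any real assessment.
SAMPLE_ITEMS = [
    PoamItem("Web server missing vendor patches", "High", "Infrastructure team",
             date(2024, 3, 1), ["Patch staging", "Patch production"], "In Progress", "SI"),
    PoamItem("Audit log retention below policy", "Moderate", "SecOps", date(2024, 6, 30), ["Extend retention"], "Open", "AU"),
    PoamItem("Default credential on lab switch", "High", "", date(2024, 2, 15), [], "Open", "IA"),
    PoamItem("Stale accounts not disabled", "Low", "IAM team", date(2024, 1, 31),
             ["Run access review", "Disable accounts"], "Closed", "AC"),
]
REPORT_DATE = date(2024, 4, 1)
```

Calling `monthly_report(SAMPLE_ITEMS, REPORT_DATE)` flags the lab-switch record as invalid (no owner, no milestones) and lists only the patching item as overdue, which is the list a leadership review would start from.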