
Understanding the Plan of Action and Milestones (POA&M): A Practical Guide for CMMC and FedRAMP Compliance
Anna Fitzgerald
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
To achieve and maintain compliance with frameworks like CMMC and FedRAMP, it is not enough to implement technical controls and test once. You must also maintain extensive documentation and show a clear path to remediation and continuous improvement. That’s why one of the most critical documents required for compliance with these frameworks is the Plan of Action and Milestones (POA&M).
A well-constructed POA&M not only demonstrates your organization’s commitment to resolving security and compliance gaps, it is also required evidence for audits and assessments.
Below, we break down what a POA&M is, its relationship to the System Security Plan (SSP), and how to build one effectively. We also provide a POA&M example and template to help organizations meet documentation requirements for CMMC and other frameworks.
What is a POA&M?
A Plan of Action and Milestones (POA&M) is a document used to identify and track known issues and control deficiencies and the activities the organization will take to correct them. This document details the plan for remediation, resources required to execute that plan, and milestones to achieve in order to hit the scheduled completion date for closing out each POA&M item.
A POA&M that is used to document and monitor remediation plans for control deficiencies identified during periodic security assessments and ongoing continuous monitoring activities is a key requirement in many federal compliance frameworks, including CMMC, FedRAMP, and programs built on NIST SP 800-53.
Let’s take a closer look at the importance of a POA&M below.
Why the POA&M is a critical document
The POA&M is not just a best practice, it’s a critical document. Here are four key reasons why:
- Mandatory for CMMC, FedRAMP, and other federal assessments: The POA&M is a mandatory requirement for achieving compliance under federal frameworks like CMMC and FedRAMP. If not all requirements are fully met at the time of assessment, an organization can document how and when they will remediate control deficiencies in order to achieve conditional compliance status. For CMMC certification, all POA&M items must be remediated within 180 days. For FedRAMP authorization, high and critical risk findings identified through continuous monitoring activities must be remediated within 30 days, moderate findings within 90 days, and low findings within 180 days.
- Clear accountability and plans for remediation: A POA&M assigns responsibility and specific tasks for each identified weakness to a team or individual. This ensures that every remediation item has a clear owner who is tasked with tracking and closing it and who understands exactly what they must do. Without this level of accountability and transparency, tasks can easily fall through the cracks, especially in large or distributed organizations. A POA&M ensures that individual weaknesses are addressed with specific, measurable, attainable, realistic, and time-bound actions.
- Risk prioritization and resource allocation: Similar to a risk register, a POA&M helps organizations categorize findings based on severity and risk so resources can be directed where they are needed most. By focusing on the most critical weaknesses first, organizations can mitigate risk more effectively while reducing costs and still working toward enhancing their overall security posture.
- Ongoing risk management and continuous improvement: A POA&M is meant to be a living document, not a static one. By updating this document as new weaknesses are identified or business needs evolve, the POA&M can support ongoing risk management and continuous improvement. Beyond just passing a point-in-time audit, a POA&M serves as a dynamic roadmap for strengthening your security posture over time and building a culture of continuous compliance.
Recommended reading

Everything You Need To Know About CMMC 2.0 Certification: Requirements, Assessments, And Costs
POA&M requirements for CMMC and FedRAMP
While Plan of Action and Milestones (POA&Ms) serve a similar purpose across federal compliance frameworks, the specific requirements governing how they should be used and formatted differ between CMMC and FedRAMP. These differences are important to understand because they can impact assessment outcomes, certification timelines, and ongoing authorization status.
Below, we break down the key POA&M requirements for each framework to help you prepare accordingly.
CMMC
Organizations pursuing CMMC certification may be eligible for a conditional certification if certain requirements are not fully met at the time of the assessment. However, POA&Ms are not a blanket workaround and are only allowed in the following circumstances.
Level 1 assessments
POA&Ms are not permitted under any circumstances. All Level 1 controls must be fully implemented to achieve certification.
Level 2 assessments
POA&Ms are permitted only if all of the following hold:
- The total assessment score is at least 88 of 110 (at least 80% of the requirements are met).
- Every requirement placed on the POA&M has a point value of 1. The one exception is SC.L2-3.13.11 (CUI Encryption): if encryption is in use but the module is not FIPS-validated, that gap is scored at 3 points and may still be placed on the POA&M.
- The requirement does not appear on the list of POA&M-prohibited requirements below.
Prohibited controls for POA&Ms at Level 2 are:
- AC.L2-3.1.20 – External Connections (CUI Data)
- AC.L2-3.1.22 – Control Public Information (CUI Data)
- CA.L2-3.12.4 – System Security Plan
- PE.L2-3.10.3 – Escort Visitors (CUI Data)
- PE.L2-3.10.4 – Physical Access Logs (CUI Data)
- PE.L2-3.10.5 – Manage Physical Access (CUI Data)
Level 3 assessments
POA&Ms are allowed if:
- At least 80% of the 24 Level 3 requirements are met (a score of 20 or higher).
- The requirement is not on the Level 3 prohibited controls list.
Note that a Level 3 assessment presupposes a final (not conditional) Level 2 certification for the same scope, so any Level 2 POA&M must already be closed out before Level 3 is assessed.
Prohibited controls for POA&Ms at Level 3 are:
- IR.L3-3.6.1e – Security Operations Center
- IR.L3-3.6.2e – Cyber Incident Response Team
- RA.L3-3.11.1e – Threat-Informed Risk Assessment
- RA.L3-3.11.6e – Supply Chain Risk Response
- RA.L3-3.11.7e – Supply Chain Risk Plan
- RA.L3-3.11.4e – Security Solution Rationale
- SI.L3-3.14.3e – Specialized Asset Security
Remediation timeline for Level 2 and 3 assessments
All POA&M items must be closed within 180 days of the conditional certification date. Closure is verified through a POA&M closeout assessment (performed by the C3PAO for Level 2 and by DCMA DIBCAC for Level 3), which re-evaluates only the requirements that were originally not met. If the closeout assessment is not passed within the 180-day window, the conditional status expires and the organization no longer holds a valid certification at that level.
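The three Level 2 eligibility rules above are easy to get wrong when a score is being tallied by hand, so here is an added example (not part of the original article and not an official DoD tool) that applies them to a dictionary of unmet requirements and their point deductions. The requirement identifiers are real CMMC identifiers; the point values in the sample input are illustrative only and must be taken from the CMMC Scoring Methodology in practice.

```python
"""Decide whether a set of unmet CMMC Level 2 requirements can be deferred to a
POA&M for a conditional certification, applying the three rules in the text:
score at or above 80% of 110, no deferred requirement scored above 1 point
(except the CUI-encryption exception), and none of the prohibited requirements.
Added illustration; point values must come from the CMMC Scoring Methodology."""
from dataclasses import dataclass, field

LEVEL2_TOTAL = 110                           # Level 2 requirements, one score point each
MIN_SCORE = (8 * LEVEL2_TOTAL + 9) // 10     # integer ceiling of 0.8 * 110 = 88

LEVEL2_PROHIBITED = {                        # may never be placed on a Level 2 POA&M
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
# CUI encryption in use but not FIPS-validated is scored 3 points yet may still be
# deferred; any other requirement scored above 1 point blocks conditional status.
ENCRYPTION_EXCEPTION = ("SC.L2-3.13.11", 3)


@dataclass
class Eligibility:
    score: int
    status: str                              # "final", "conditional", or "not certifiable"
    reasons: list = field(default_factory=list)


def level2_poam_eligibility(unmet: dict) -> Eligibility:
    """unmet maps requirement id -> points deducted for that requirement."""
    score = LEVEL2_TOTAL - sum(unmet.values())
    if not unmet:
        return Eligibility(score, "final", ["all 110 requirements met; no POA&M needed"])
    reasons = []
    if score < MIN_SCORE:
        reasons.append(f"score {score}/{LEVEL2_TOTAL} is below the 80% threshold ({MIN_SCORE})")
    for req, points in sorted(unmet.items()):
        if req in LEVEL2_PROHIBITED:
            reasons.append(f"{req} may never be deferred to a POA&M")
        elif points > 1 and (req, points) != ENCRYPTION_EXCEPTION:
            reasons.append(f"{req} is scored {points} points; only 1-point requirements may be deferred")
    return Eligibility(score, "not certifiable" if reasons else "conditional", reasons)


# Constructed sample input; the point values are illustrative only.
SAMPLE_UNMET = {
    "SC.L2-3.13.11": 3,   # CUI encrypted with a library that is not FIPS-validated
    "AT.L2-3.2.3": 1,     # insider-threat awareness training not yet delivered
    "MP.L2-3.8.4": 1,     # CUI media not yet marked
}

if __name__ == "__main__":
    for label, unmet in [
        ("three deferrable gaps", SAMPLE_UNMET),
        ("plus a prohibited requirement", {**SAMPLE_UNMET, "AC.L2-3.1.20": 1}),
        ("plus a 5-point requirement", {**SAMPLE_UNMET, "AC.L2-3.1.1": 5}),
        ("no gaps", {}),
    ]:
        result = level2_poam_eligibility(unmet)
        print(f"{label}: score={result.score} status={result.status}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

The check deliberately reports every failing rule rather than stopping at the first one, because an assessor will cite all of them and each needs a different fix: a low score needs more requirements implemented before the assessment, while a prohibited or high-value requirement on the list must be implemented regardless of score.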
FedRAMP
In the FedRAMP program, POA&Ms are required for any cloud service provider (CSP) seeking a JAB Provisional Authority to Operate (P-ATO) or an Agency ATO.
Unlike CMMC, FedRAMP allows for more extensive use of POA&Ms throughout both the authorization and continuous monitoring phases.
What to include
CSPs must use the FedRAMP POA&M Template to record both open and closed items. Every management, operational, and technical control with an identified weakness must appear in the POA&M.
Weaknesses and vulnerabilities can be identified through:
- Automated vulnerability scanning tools
- Assessment interviews and penetration testing
- Deviation Requests (pending approval)
- Risks identified elsewhere that are also open issues or vulnerabilities
Remediation timelines
The POA&M must be updated monthly and submitted as part of the CSP's monthly continuous monitoring summary report. These monthly POA&Ms must reflect the following remediation timelines:
- High and critical risk findings identified pre-authorization: Must be remediated prior to P-ATO issuance.
- High and critical risk findings identified post-authorization through continuous monitoring: Must be remediated within 30 days of identification.
- Moderate risk findings: Must be remediated within 90 days of the P-ATO date or identification.
- Low risk findings: Must be remediated within 180 days of the P-ATO date or identification.
POA&M and a System Security Plan
A POA&M is closely tied to another key document in CMMC and other federal compliance frameworks: the System Security Plan (SSP).
The SSP provides an overview of how your organization protects sensitive data. In the case of CMMC, it explains how you implement NIST 800-171 requirements to protect Controlled Unclassified Information (CUI). In the case of FedRAMP, it explains how you implement FedRAMP requirements, which are a derivative of NIST 800-53 Revision 5, to protect federal data.
If there are any requirements that are not yet implemented or not fully implemented, that’s where the POA&M comes in. The POA&M should identify any unmet requirements and what steps your organization will take to close those compliance gaps in a timely manner.
For both FedRAMP and CMMC assessments, the SSP and POA&M are submitted together as part of a larger package of documents that details your organization's security practices and controls.
Recommended reading

How to Write a System Security Plan for CMMC + SSP Template
How to write a Plan of Action and Milestones
Creating a POA&M is a step-by-step process that involves identifying weaknesses, assessing their impact, and assigning remediation plans. Here’s an overview of this process:
Step 1: Identify and document weaknesses
Start by conducting a gap analysis or assessment to uncover control deficiencies. These could come from internal audits, vulnerability scans, penetration tests, or third-party assessments. Each weakness should be clearly documented, including the control it relates to and a brief description of the deficiency.
Step 2: Determine the severity level of the weakness in order to prioritize POA&M efforts
Since not all weaknesses carry the same level of risk, it’s essential to classify each issue based on impact and likelihood. This prioritization allows your organization to allocate resources effectively and demonstrate that high-risk items are being addressed first.
Step 3: Determine responsibility
Next, assign each POA&M item to a specific individual, team, or department. Responsibility should be clear and actionable to ensure accountability throughout the remediation process.
Step 4: Develop a remediation plan
Outline specific steps to correct the weakness. The plan should include the actions to be taken, required resources, expected outcomes, and a target completion date. For recurring issues, consider adding interim mitigation strategies as well.
Step 5: Establish milestones
At this stage, try to break larger remediation efforts into measurable milestones. This helps track progress and ensure that remediation stays on schedule, particularly for long-term or complex fixes.
Step 6: Monitor POA&M over time
POA&Ms are dynamic documents that require regular updates. Track progress toward each milestone, update statuses, and revise timelines if necessary.
During assessments, auditors will review not only the open POA&M items but also their milestone updates and closed POA&M items to evaluate the organization’s track record in addressing weaknesses over time.
Recommended reading

Cybersecurity Remediation: A Guide to Protecting Your Business
POA&M example
While each framework may have its own format, an effective POA&M template typically includes a core set of fields. These are defined below, and example inputs are included for each.
- Identifier or Tracking Number: Provide a unique identifier for each POA&M item, such as POAM-001.
- Name and/or description of the weakness: Describe the weakness, such as "an unused management port left open on [Example] Firewall." You may be asked to provide a name and description in separate columns.
- Severity or risk level: Select the severity or risk level. This will likely be qualitative values such as Low, Moderate, or High.
- Remediation plan: Briefly describe what action(s) you’ll take to remediate the weakness, such as “implement VPN with AES-256 encryption and MFA.”
- Resources required: Specify any resources needed to remediate this item beyond the current resources you have.
- Source of discovery: Identify the source that detected the weakness, such as the name of the vulnerability scanner, penetration test, or interview.
- Related control: List the control(s) associated with the POA&M item from the framework you are trying to comply with. If you are documenting a POA&M for FedRAMP compliance, for example, you would list the applicable NIST 800-53 control(s) for POAM-001, such as SC-7 (Boundary Protection) for the open firewall port above.
- Owner or Responsible party: Identify the person or team responsible for remediating the POA&M item, such as the IT Security Team.
- Due dates, milestone updates, and status: There will likely be multiple columns for tracking the progress of each POA&M item, including the date of intended completion, any alterations or additions to this milestone, and the status of each item. The status may be “In progress” or the date that the item was closed.
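The six-step process above and the field list here describe the same register from two angles, so the following added example (not the FedRAMP template, not any vendor's tool, and not part of the original article) implements a minimal one: each item carries the core fields, the scheduled completion date is derived from the framework's window (180 days for CMMC; 30/90/180 days by severity for FedRAMP continuous monitoring, with pre-authorization highs blocking the ATO), milestones drive the status text, and helper functions flag overdue items and tell you whether a CMMC closeout assessment can succeed. All findings, owners, and dates in the sample register are constructed.

```python
"""Minimal POA&M tracker: derives the scheduled completion date from the
framework's remediation window, flags overdue items, tracks milestones, and
emits the row fields a POA&M spreadsheet needs. Added illustration assuming the
windows stated in the article; not the FedRAMP template or any vendor's tool."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

CMMC_CLOSEOUT_DAYS = 180                      # all CMMC Level 2/3 POA&M items
FEDRAMP_CONMON_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


@dataclass
class Milestone:
    description: str
    target: date
    completed: Optional[date] = None


@dataclass
class PoamItem:
    ident: str
    framework: str                    # "cmmc" or "fedramp"
    control: str
    weakness: str
    severity: str                     # critical / high / moderate / low
    owner: str
    source: str
    remediation_plan: str
    clock_start: date                 # CMMC: conditional certification date; FedRAMP:
                                      # identification date (or ATO date for carried findings)
    pre_authorization: bool = False   # FedRAMP: found before the ATO was granted
    milestones: list = field(default_factory=list)
    closed: Optional[date] = None


def due_date(item: PoamItem) -> Optional[date]:
    """Scheduled completion date; None means it must be fixed before authorization."""
    if item.framework == "cmmc":
        return item.clock_start + timedelta(days=CMMC_CLOSEOUT_DAYS)
    if item.framework == "fedramp":
        if item.pre_authorization and item.severity in ("critical", "high"):
            return None
        return item.clock_start + timedelta(days=FEDRAMP_CONMON_DAYS[item.severity])
    raise ValueError(f"unknown framework: {item.framework!r}")


def status(item: PoamItem, today: date) -> str:
    if item.closed is not None:
        return f"Closed {item.closed.isoformat()}"
    due = due_date(item)
    if due is None:
        return "Open (blocks authorization)"
    days_left = (due - today).days
    if days_left < 0:
        return f"Overdue by {-days_left} days"
    pending = [m for m in item.milestones if m.completed is None]
    nxt = min(pending, key=lambda m: m.target).description if pending else "none"
    return f"In progress ({days_left} days left; next milestone: {nxt})"


def overdue(items, today: date) -> list:
    """Identifiers of open items whose remediation window has expired."""
    return [i.ident for i in items
            if i.closed is None and due_date(i) is not None and due_date(i) < today]


def closeout_ready(items) -> bool:
    """A CMMC closeout assessment only succeeds when every item is closed."""
    return all(i.closed is not None for i in items)


def poam_rows(items, today: date) -> list:
    """One dict per item with the core columns described in the article."""
    return [{
        "ID": i.ident, "Control": i.control, "Weakness": i.weakness,
        "Severity": i.severity, "Owner": i.owner, "Source": i.source,
        "Remediation plan": i.remediation_plan,
        "Due": due_date(i).isoformat() if due_date(i) else "before ATO",
        "Status": status(i, today),
    } for i in items]


# Constructed sample register; findings, owners, and dates are made up.
TODAY = date(2025, 6, 1)
SAMPLE = [
    PoamItem("POAM-001", "cmmc", "SC.L2-3.13.11",
             "CUI encrypted in transit with a non-FIPS-validated TLS library",
             "moderate", "Platform Team", "C3PAO assessment",
             "Rebuild gateway on a FIPS 140-validated crypto module", date(2025, 3, 1),
             milestones=[Milestone("Validated module procured", date(2025, 4, 15), date(2025, 4, 10)),
                         Milestone("Gateway rebuilt and tested", date(2025, 7, 15))]),
    PoamItem("POAM-002", "fedramp", "SC-7", "Unused management port open on [Example] firewall",
             "high", "Network Team", "Monthly infrastructure scan",
             "Close port and add deny rule", date(2025, 4, 10), closed=date(2025, 5, 2)),
    PoamItem("POAM-003", "fedramp", "RA-5", "Container base image ships a vulnerable library",
             "moderate", "App Team", "Monthly container scan",
             "Rebase image and re-scan", date(2025, 2, 1)),
    PoamItem("POAM-004", "fedramp", "IA-2", "MFA not enforced for privileged console access",
             "high", "IAM Team", "3PAO penetration test",
             "Enforce phishing-resistant MFA for all admins", date(2025, 5, 20),
             pre_authorization=True),
]

if __name__ == "__main__":
    for row in poam_rows(SAMPLE, TODAY):
        print(row)
    print("overdue:", overdue(SAMPLE, TODAY), "closeout ready:", closeout_ready(SAMPLE))
```

Two design points worth copying into a real register: the due date is computed from the clock-start date and the framework rules rather than typed in by hand, so it cannot drift from the policy; and a closed item stays in the list with its closure date, because assessors review closed items and their milestone history as evidence of your track record.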
As mentioned above, frameworks may have different documentation requirements for a POA&M. For example, FedRAMP provides a POA&M template that has more than 30 columns for each item. However, we’ve provided a simpler template that focuses on the most important details to include for each POA&M item. Find it below.
POA&M Template
A POA&M template can help ensure consistency, completeness, and clarity when documenting your remediation efforts and trying to meet CMMC or other applicable framework requirements. By providing structure to your process, this template can make it easier for teams to capture the right details, track progress over time, and demonstrate due diligence during audits or assessments.
A well-designed template also simplifies collaboration across departments by giving everyone a common format to work with, and reduces the risk of omissions, inconsistent entries, and duplicate tracking.

Plan of Action & Milestones (POA&M) Template
The POA&M is a strategic document used to identify and track the actions required to address gaps in your organization’s controls that were identified during an internal or third-party assessment. Use this auditor-approved template to demonstrate ongoing efforts to achieve and maintain CMMC compliance to third-party assessors.
POA&M software
A POA&M is a critical part of demonstrating progress, accountability, and continuous improvement under CMMC and other federal frameworks. POA&M software can help you generate and maintain this document with less effort, enabling you to correct deficiencies found during assessments and manage the remediation of identified weaknesses faster.
With Secureframe’s POA&M Manager, for example, you can reduce risk of oversight and simplify CMMC or other federal audit prep with structured, trackable remediation plans.

Secureframe can generate a POA&M for you and link POA&M items directly to SSP implementation statuses for seamless tracking. See how in the demo video below.
Simplify CMMC and federal compliance with Secureframe
Creating and updating a POA&M is just one of many tasks you must complete. Achieving and maintaining CMMC compliance requires rigorous documentation, ongoing monitoring, and seamless coordination across teams. Without the right tools, this can be a time-consuming and resource-intensive effort.
Secureframe simplifies the complexity of CMMC 2.0 and other frameworks by automating and streamlining every stage of the compliance process. Our platform can generate POA&Ms and is purpose-built to support federal compliance at scale, offering:
- Customizable policy and document templates, including POA&Ms and SSPs, designed to meet federal requirements and reduce documentation overhead.
- Expert guidance from former federal auditors who understand the technical complexities of CMMC as well as other frameworks such as FedRAMP, GovRAMP, TX-RAMP, NIST 800-53, and CJIS.
- Automated evidence collection and continuous monitoring through deep integrations with federal cloud services like AWS GovCloud and your existing tech stack.
- AI-powered remediation tools that automatically generate fixes for cloud misconfigurations as infrastructure-as-code, accelerating remediation and enhancing your security and compliance posture.
- Built-in employee training that meets CMMC role-based and insider threat training requirements.
- Cross-framework mapping that eliminates redundant work and accelerates compliance with other standards like NIST 800-53, FedRAMP, and more.
Schedule a demo with our team to see how Secureframe can help you reduce manual POA&M effort, avoid costly delays, and stay ahead of evolving DoD requirements.
Simplify CMMC 2.0 with Secureframe
FAQs
What does POA&M stand for?
POA&M stands for Plan of Action and Milestones. This document tracks remediation efforts for known security weaknesses and control deficiencies, and is critical for compliance with many frameworks including CMMC, FedRAMP, and NIST 800-53.
How do I make a Plan of Action and Milestones?
To create a POA&M, first conduct a gap analysis to identify security weaknesses and vulnerabilities. Then, prioritize them by risk and document a remediation plan with specific tasks, owners, milestones, and deadlines. Use a template to standardize the format and keep it updated regularly.
What does POAM mean in DOD?
In the context of the Department of Defense (DoD), POA&M stands for Plan of Action and Milestones, a formal document that defense contractors handling Controlled Unclassified Information (CUI) use to identify and track the remediation of security weaknesses to comply with NIST 800-171 and CMMC. The POA&M demonstrates a contractor’s intent and timeline to resolve noncompliant areas in order to achieve a conditional and eventually final status for CMMC compliance.
What does a Plan of Action and Milestones look like?
A typical POA&M is presented in a structured table or spreadsheet format, with each row representing a separate finding or deficiency. Each entry includes detailed information such as the control reference, description of the weakness, assigned owner, and planned remediation steps. More comprehensive POA&Ms, like those used in FedRAMP, may also include vendor dependencies, percent complete, and links to supporting documentation.
What are the elements of a POAM?
A well-structured POA&M typically includes the following elements:
- Unique Identifier: A tracking number for each weakness (e.g., POAM-001)
- Control Reference: The specific control or requirement the weakness relates to
- Weakness Description: A brief summary of the issue
- Severity Level: Risk classification (e.g., High, Moderate, Low)
- Responsible Party: Person or team accountable for remediation
- Remediation Plan: Detailed steps to resolve the issue
- Milestones: Key checkpoints to track progress
- Target Completion Date: When the fix is expected to be fully implemented
- Status: Current state (e.g., Open, In Progress, Complete)
- Closure Date: When the item was resolved (for closed items)
What is the timeline for a POAM?
The required timeline for resolving POA&M items varies depending on the compliance framework. For CMMC, all POA&M items must be fully remediated within 180 days of the conditional certification date for Level 2 or 3 assessments; Level 1 does not permit POA&Ms at all.
For FedRAMP, the timelines are based on the severity of the finding:
- High and Critical Risks: Must be remediated before the P-ATO is granted (if found during authorization) or within 30 days (if found during continuous monitoring).
- Moderate Risks: Must be remediated within 90 days.
- Low Risks: Must be remediated within 180 days.