The Plan of Actions & Milestones (POA&M) is a key document in the security authorization package and for continuous monitoring activities. The POA&M facilitates a disciplined and structured approach to tracking risk mitigation activities. The POA&M includes security findings for the system from continuous monitoring activities and periodic security assessments such as the Annual Assessment. A POA&M describes the current disposition of any discovered vulnerabilities and system findings, and includes a CSP’s intended corrective actions for those findings. Agency AOs or designees are responsible for reviewing and approving POA&Ms, making their own risk-based decision both at the time of the initial assessment and during ConMon.
FedRAMP uses the POA&M to monitor the CSP’s progress in correcting these findings. A CSP applying for a FedRAMP JAB P-ATO, or a FedRAMP Agency ATO, must establish and maintain a POA&M for their system in accordance with the POA&M Template Completion Guide using the FedRAMP POA&M Template. The POA&M includes the following:
- Specific weaknesses or deficiencies in deployed security controls and the source of the identified weakness
- Severity of the identified security control weaknesses or deficiencies
- Scope or affected assets of the weakness in components within the environment
- Proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security control implementations (e.g., prioritization of risk mitigation actions and allocation of risk mitigation resources)
- Any deviation request status