Validating a Plan of Actions & Milestones (POA&M)

The Plan of Actions & Milestones (POA&M) is a key document in the security authorization package and for continuous monitoring activities. The POA&M facilitates a disciplined and structured approach to tracking risk mitigation activities. The POA&M includes security findings for the system from continuous monitoring activities and from periodic security assessments such as the Annual Assessment. A POA&M describes the current disposition of any discovered vulnerabilities and system findings, and includes the CSP’s intended corrective actions for those findings. Agency Authorizing Officials (AOs) or their designees are responsible for reviewing and approving POA&Ms, making their own risk-based decision both at the time of the initial assessment and during continuous monitoring (ConMon).

FedRAMP uses the POA&M to monitor the CSP’s progress in correcting these findings. A CSP applying for a FedRAMP JAB P-ATO, or a FedRAMP Agency ATO, must establish and maintain a POA&M for their system in accordance with the POA&M Template Completion Guide using the FedRAMP POA&M Template. The POA&M includes the:

  • Specific weaknesses or deficiencies in deployed security controls and the source of the identified weakness
  • Severity of the identified security control weaknesses or deficiencies
  • Scope of the weakness, i.e., the affected assets or components within the environment
  • Proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security control implementations (e.g., prioritization of risk mitigation actions and allocation of risk mitigation resources)
  • Any deviation request status