Plans of action and milestones

Overview
Remedial action plans, also known as plans of action and milestones (POA&M), help agencies identify and assess security weaknesses in information systems, set priorities, and monitor progress in correcting the weaknesses.

NIST guidance states that each federal civilian agency must report all incidents and internally document remedial actions and their impact. POA&Ms should be updated to show progress made on current outstanding items and to incorporate the results of the continuous monitoring process. In addition, FISMA requires the agency CIO to report annually to the agency head on the effectiveness of the agency information security program, including progress on remedial actions.