U.S. Department of Health and Human Services
Before any system is made operational, it must be authorized by agency management, who thereby formally accept responsibility for the risks identified. A POA&M (Plan of Action and Milestones) is developed as part of the security authorization process to address weaknesses reported in risk assessments and security testing of organizational systems.
HHS uses a system to manage POA&Ms. A POA&M generally identifies a System Owner (for example, the CIO or a Hospital Director) as the responsible point of contact. How much IT Administrators assist with the POA&M depends on what your ISO needs. IT Administrators are generally responsible for fixing or mitigating findings that fall in the technical realm.
System Security Documentation