U.S. Department of Health and Human Services
A plan of action and milestones (POA&M) is a tool used to identify, prioritize, and monitor the progress of system security weaknesses. POA&Ms outline corrective actions, required resources (i.e., funding, man-hours), and milestones for mitigating each outstanding weakness. The POA&M is initially compiled during the system’s first security authorization and maintained thereafter.
IT Administrators often contribute to the POA&M by formulating corrective actions, estimating resource needs, and providing input on milestones for completion.
Implementation & Assessment Phase
Plan of Action & Milestones