← Glossary · Compliance
POA&M
Plan of Action & Milestones — the roadmap for closing security control gaps.
A POA&M is a formal document tracking outstanding security control deficiencies, the corrective actions required, owners, and target completion dates. DoD requires POA&Ms for any NIST 800-171 controls not fully implemented.
CMMC 2.0 allows a limited set of POA&M items at assessment time, but critical controls (worth 3 or 5 points on the scoring rubric) cannot be POA&M'd.
Related terms
See how Scarlet Risk covers POA&M.
One platform for compliance, cyber, crypto, and world-watch risk.
Schedule Live Demo