New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →
← Glossary · Compliance

POA&M

Plan of Action & Milestones — the roadmap for closing security control gaps.

A POA&M is a formal document tracking outstanding security control deficiencies, the corrective actions required, owners, and target completion dates. DoD requires POA&Ms for any NIST 800-171 controls not fully implemented.

CMMC 2.0 allows a limited set of POA&M items at assessment time, but critical controls (worth 3 or 5 points on the scoring rubric) cannot be POA&M'd.

Related terms

See how Scarlet Risk covers POA&M.

One platform for compliance, cyber, crypto, and world-watch risk.

Schedule Live Demo