What is POAM?

It is a document used to track and manage deficiencies or weaknesses found in cybersecurity controls. A POAM can be formatted in a simple spreadsheet, so no special tools are needed to generate and maintain a POAM.

While there is no current “gold standard” for what a POAM is meant to contain. FedRAMP’s POAM template is the most common basis leveraged as a starting point. In general, a POAM includes the following criteria:

• The system/initiative the POAM is applicable to;
• A description of the identified security gap or weakness;
• The impact or risk associated with the deficiency;
• The corrective actions planned or underway;
• Milestone dates and projected timelines for remediation efforts; and
• Responsible personnel to carry out or oversee remediation efforts.

Organizations use POAMs to ensure accountability and visibility into their ongoing cybersecurity improvement efforts. In requirements like FedRAMP, RMF and CMMC, maintaining POAMs is a mandatory requirement for demonstrating ongoing risk management and compliance.