
Plan of Action and Milestones (POA&M)

A document that identifies security deficiencies and outlines the steps and timeline for remediating them, required for many federal contractors.

Overview

A Plan of Action and Milestones (POA&M) is a corrective action plan that documents known security weaknesses in a contractor's information system and specifies how and when those weaknesses will be addressed. POA&Ms are a standard requirement for contractors handling federal information under NIST SP 800-171 and CMMC assessments.

Why It Matters in GovCon

A POA&M allows contractors to receive contracts despite having unresolved security deficiencies, provided they document a credible plan to fix them within an agreed timeline. Agencies evaluate POA&Ms when assessing contractor risk. Unmitigated high-risk items can block contract award or lead to findings during assessments.

Key Details

  • Required Elements: Weakness description, remediation steps, resources required, milestones, and completion dates.
  • Risk Levels: High-risk items typically require faster remediation than moderate or low.
  • Ongoing Updates: POA&Ms must be updated as weaknesses are addressed or new ones are discovered.
  • CMMC: POA&Ms are permitted for some controls at CMMC Level 2 but not all.
  • NIST Alignment: Tied to the 110 controls in NIST SP 800-171.

How GovCon Data Can Help

GovCon Data's compliance tracking features help you monitor POA&M due dates and ensure security remediation milestones are met before they affect contract eligibility.

Related Terms

  • System Security Plan (SSP)
  • NIST SP 800-171
  • Cybersecurity Maturity Model Certification (CMMC)
  • Risk Management Framework (RMF)
