Plan of Action and Milestones (POA&M): identifies the vulnerability, the resources, the impact, the recommendation, and the time needed to resolve each vulnerability identified during the assessment phase.
POA&Ms are usually drafted by the C&A Analyst with support from the System Owner.
Before a POA&M artifact is created, the system owner usually reviews a draft of the SAR in order to accept the findings or to provide additional evidence contesting failed controls.
Sample POA&M
SECURITY AUTHORIZATION PACKAGE
After the POA&M is created, the Authorizing Official is presented with the Security Authorization Package.
Full SA&A/C&A Package
FIPS 199, Risk Assessment Report, PTA, PIA, E-authentication, SORN, System Security Plan,
Configuration Management Plan, Contingency Plan, Contingency Plan Test, Security Control Baseline, Test Plan, ST&E, SAR, POA&M, ATO