Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CA.L2-3.12.2 – Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Understanding the Requirement
This control requires your organization to create and use a formal plan of action and milestones (POA&M) process that identifies gaps and vulnerabilities, assigns responsibility, and tracks remediation to completion. Under the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework the POA&M is the primary program artifact showing which security requirements are unimplemented or partially implemented, how each deficiency will be corrected, who will do it, and measurable milestones and completion dates. The goal is not only to document problems but to drive accountable, timely remediation and to reduce the organization’s exposure to risk.
Technical Implementation
- Establish a POA&M template and owner.
Create a simple POA&M template that includes: finding ID, description of the deficiency, root cause, corrective actions, owner, priority level (e.g., High/Med/Low), milestones with dates, required resources (personnel, budget), verification criteria, and status. Appoint a POA&M owner (often the IT/security manager) responsible for maintaining and reporting the POA&M.
- Integrate findings from assessments and scans.
Populate the POA&M from security assessments, vulnerability scans, penetration tests, and internal audits. For each item, capture the evidence and the recommended remediation steps. Prioritize items based on impact and exploitability (for example, address critical internet-facing vulnerabilities first).
- Assign clear tasks and enforce accountability.
Break each corrective action into concrete tasks (e.g., apply patch KB-1234, enable MFA for admin accounts, segment contractor VLAN). Assign a single responsible person and a supervisor/approver. Use your existing ticketing system (helpdesk, Jira, Trello, or a spreadsheet for very small shops) to track tasks and link tickets to POA&M entries.
- Set milestones, deadlines, and acceptance tests.
Define intermediate milestones (e.g., test patch on staging, deploy to production, validate with scan) and an explicit acceptance criterion for closure (e.g., verification scan shows vulnerability status “fixed,” or control tested and documented). Avoid vague deadlines — use realistic timelines based on resource availability and criticality.
- Monitor progress and escalate.
Review POA&M status weekly or biweekly with IT and monthly with leadership. Track overdue items and escalate unresolved high-risk items to executive management for decisions on funding or temporary compensating controls (e.g., network segmentation, compensating firewall rules).
- Validate remediation and update records.
After changes are applied, validate with evidence: updated configuration files, vulnerability scan results, change tickets, test results, or screenshots. Update the POA&M with verification evidence and change status to “closed.” Keep the POA&M as a living record for auditors and continuous improvement.
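As an added illustration (not code from the original page or from any CMMC tooling), the following Python model ties the six steps above together: it checks an entry against the template fields from the first step, flags items past a priority-based remediation window, produces the executive escalation list from the monitoring step, and refuses to close an entry without verification evidence. The field names, the SLA day counts and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Remediation window per priority (day counts are assumed for this example).
SLA_DAYS = {"High": 30, "Medium": 60, "Low": 90}
REQUIRED = ("finding_id", "description", "owner", "priority")

@dataclass
class PoamItem:
    """One row of the POA&M template described above."""
    finding_id: str
    description: str
    owner: str
    priority: str
    opened: date
    milestones: list = field(default_factory=list)  # (milestone, due date)
    status: str = "open"
    evidence: list = field(default_factory=list)    # verification artifacts

    def due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.priority])

    def close(self, verification: str) -> None:
        # Closure requires acceptance evidence (scan result, change ticket).
        if not verification:
            raise ValueError(f"{self.finding_id}: no verification evidence")
        self.evidence.append(verification)
        self.status = "closed"

def missing_fields(item: PoamItem) -> list:
    """Empty or invalid template fields; an empty list means the entry is complete."""
    gaps = [f for f in REQUIRED if not getattr(item, f)]
    if item.priority not in SLA_DAYS:
        gaps.append("priority must be High/Medium/Low")
    if not item.milestones:
        gaps.append("milestones")
    return gaps

def overdue_ids(items, today: date, priority=None) -> list:
    """Open items past their SLA; priority="High" yields the escalation list."""
    return sorted(i.finding_id for i in items
                  if i.status != "closed" and today > i.due()
                  and (priority is None or i.priority == priority))

# Constructed sample entries, modelled on the SMB scenario on this page.
SAMPLE = [
    PoamItem("F-001", "No MFA on admin accounts", "sysadmin", "High",
             date(2024, 3, 1), [("Pilot MFA for IT staff", date(2024, 3, 15))]),
    PoamItem("F-003", "IR plan not reviewed", "", "Low", date(2024, 1, 1)),
]
```

Run weekly with today's date: the unfiltered list drives the IT check-in, the High-only list is what goes to leadership.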
Example in a Small or Medium Business
After a third-party gap assessment, a 60-person engineering firm discovered ten security requirements that were not fully implemented. The IT manager created a POA&M using a standard template and entered each finding with a unique ID, remediation steps, an initial priority, and an owner. Critical items (missing MFA, unpatched internet-facing servers) were given 30–60 day milestones and assigned to the system administrator, while lower-priority documentation updates were scheduled over 90 days. The firm used its existing ticketing tool to manage task-level work and linked ticket references back into the POA&M so progress and evidence were centralized. Weekly IT team meetings reviewed status and flagged any items needing vendor support or budget approval; two high-risk items required management sign-off for outsourced remediation. Once changes were implemented, the IT team reran vulnerability scans and attached the results to each POA&M entry before marking the items closed. Quarterly reports from the POA&M owner to the executive team ensured visibility, funding for remaining work, and that compensating controls stayed in place until full remediation was complete.
Summary
A well-maintained POA&M turns assessment findings into accountable work: it documents deficiencies, assigns owners, defines measurable remediation steps and milestones, and records verification evidence. For SMBs this can be implemented with modest tooling (ticketing systems and spreadsheets) and regular governance (weekly IT check-ins and monthly leadership reviews). Combining the policy requirement to maintain a POA&M with these technical practices — prioritization, task-level tracking, validation, and escalation — ensures deficiencies are corrected or mitigated in a timely, auditable way and reduces organizational exposure to vulnerabilities.