CA-5: Plan of Action and Milestones

Quick-reference card

Field | Detail
Control ID | CA-05
Control name | Plan of Action and Milestones
Framework | NIST SP 800-53 Revision 5
Control family | Assessment, Authorization, and Monitoring
Baselines | LOW, MODERATE, HIGH, PRIVACY
Implementation level | Organization
Relevance | First Party and Third Party
Risk severity | Medium

What this control requires

CA-05 requires organizations to develop and maintain a plan of action and milestones (POA&M) tracking every known security weakness through remediation. The POA&M is the single document that connects assessment findings, audit observations, and continuous monitoring results to concrete fix-it timelines and accountable owners. It is a required component of every authorization package and subject to federal reporting requirements.

In practice, this control has two distinct obligations. First, you must create a POA&M for each system that documents the weaknesses or deficiencies found during control assessments and lays out specific remediation actions to reduce or eliminate known vulnerabilities. Second, you must update that POA&M at an organization-defined frequency, incorporating new findings from control assessments, independent audits or reviews, and continuous monitoring activities.

Where most organizations fall short is the update requirement. A POA&M that’s created during authorization and never revisited becomes a compliance artifact with no operational value. The control explicitly demands a living document that reflects the current risk posture of each system, not a snapshot frozen at the last assessment cycle.

The result is that organizations treating the POA&M as a one-time deliverable routinely discover stale entries and untracked findings when the next assessment begins.

Why it matters

Failure to maintain a functioning POA&M process introduces audit risk and may result in certification withdrawal or regulatory findings. For organizations operating under FISMA, POA&Ms are subject to federal reporting requirements established by the Office of Management and Budget (OMB). Incomplete or stale plans become a direct path to authorization delays, conditional authorities to operate, or revoked authorizations.

FedRAMP programs face similar scrutiny. Cloud service providers pursuing or maintaining authorization must demonstrate that their POA&M reflects the current state of remediation, not just a historical record of past findings.

The underlying problem is a visibility gap that compounds over time. Without a centralized remediation tracker, security teams lose track of which weaknesses were accepted, which were deferred, and which were supposedly fixed but never verified. That gap between “identified” and “resolved” is where residual risk accumulates silently.

What attackers exploit

Without a maintained POA&M, several gaps become exploitable entry points across assessment cycles:

  • Untracked remediation gaps. When weaknesses identified in control assessments aren’t formally logged, they persist between assessment cycles with no owner, no timeline, and no path to resolution.
  • Stale risk acceptance decisions. Deferred remediation actions that were accepted at a lower risk level but never revisited become permanent vulnerabilities as the threat landscape shifts.
  • Missing accountability chains. Without assigned owners and deadlines, remediation actions stall, and known vulnerabilities remain open indefinitely.
  • Disconnected monitoring feeds. When continuous monitoring findings don’t flow into the POA&M, newly discovered vulnerabilities bypass the remediation pipeline entirely.

How to implement

For your organization

The most common failure mode is an existing POA&M that nobody updates. Organizations create the document during initial authorization, check the box, and then let it sit untouched until the next assessment forces a scramble to reconcile months of untracked findings. Start by establishing a POA&M template that captures, at minimum, the weakness description, the affected system or control, the responsible individual, the planned remediation action, the scheduled completion date, and the current status. Many organizations use spreadsheets, but dedicated governance, risk, and compliance (GRC) platforms provide better traceability and automated reminders.

In practice, this means defining your update frequency before the first assessment cycle begins. Quarterly updates are a common baseline, but organizations with active continuous monitoring programs should update more frequently, ideally monthly or whenever new findings arrive. The update cadence should be documented in your assessment, authorization, and monitoring policy as part of your broader NIST compliance program.

Every entry in the POA&M should trace back to a specific finding. When a control assessment identifies a deficiency, log it with enough detail that someone reviewing the entry six months later can understand what was found, why it matters, and what was done about it. Vague entries like “improve access controls” don’t meet the standard and don’t help anyone.

Where this process breaks down most often is in the handoff between monitoring and remediation tracking. Integrate your POA&M process with your continuous monitoring pipeline so that automated scans, vulnerability assessments, and audit reviews feed directly into the POA&M rather than sitting in a separate queue. This integration is what turns the POA&M from a static document into an operational remediation tracker.

Skipping these steps produces recurring audit findings. Common mistakes include treating the POA&M as a one-time authorization artifact, failing to assign individual owners to remediation actions, allowing entries to remain open indefinitely without escalation, and not reconciling closed items with verification evidence. Each of these degrades the value of the POA&M and generates audit findings of its own.

For your vendors

When assessing a vendor’s CA-05 compliance, ask direct questions in your security questionnaires. Request a copy of their POA&M policy, including the defined update frequency and the role responsible for maintaining it. Ask how findings from independent audits and continuous monitoring are incorporated into the POA&M.

A policy alone doesn’t prove operational use, so request evidence that the POA&M is actively maintained, not just that one exists. A current POA&M with recent entries, closed items with completion dates, and status updates is that evidence.

A POA&M with no entries updated in the past two quarters is a red flag, not evidence of a clean security posture. It typically signals that the vendor’s assessment process and their remediation tracker are operating as disconnected functions.

In practice, verification should go beyond self-attestation. Ask to see the vendor’s most recent control assessment report alongside their POA&M to confirm that assessment findings map to documented remediation actions.

If a vendor claims zero open findings, cross-reference that claim against their assessment scope and the number of controls evaluated. An assessment covering 200 controls that produced zero findings warrants skepticism.

The patterns auditors flag most often are in the details. Red flags to watch for include POA&Ms with no defined update schedule, remediation actions with no assigned owner, entries that have been “in progress” for more than two consecutive review cycles, and a complete absence of entries from continuous monitoring sources. Each of these patterns suggests a POA&M that exists on paper but doesn’t function as a remediation management tool.
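As an added example (not code from the original page or from any GRC product), the following Python sketch models the minimum POA&M template fields listed under “For your organization”, logs a continuous monitoring finding straight into the tracker as described there, and runs the red-flag checks above over constructed sample entries. The quarterly review cycle, the entry identifiers, the scan finding, the owner names and the field names are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
REVIEW_CYCLE_DAYS = 90  # assumed quarterly review cadence, the baseline the text suggests

@dataclass
class PoamEntry:
    entry_id: str
    weakness: str           # what was found, in enough detail to be understood months later
    affected: str           # system or control affected
    source: str             # "assessment", "audit" or "monitoring"
    source_ref: str         # finding or report identifier the entry traces back to
    owner: str              # responsible individual, "" when nobody has been assigned
    action: str             # planned remediation action
    due: date               # scheduled completion date
    status: str             # "open", "in_progress", "closed" or "risk_accepted"
    opened: date            # when the entry was logged
    closure_evidence: str = ""  # how resolution was verified, expected once status is "closed"

def entry_from_monitoring_finding(f: dict, owner: str, due: date, today: date) -> PoamEntry:
    """Log a scanner finding straight into the POA&M instead of a separate queue (constructed dict shape)."""
    return PoamEntry(f"POAM-{f['id']}", f["title"], f"{f['control']} on {f['asset']}",
                     "monitoring", f["id"], owner, f["fix"], due, "open", today)

def red_flags(entries: list, today: date) -> list:
    """Apply the red-flag checks described in the text to a POA&M and return what was found."""
    flags = []
    if not any(e.source == "monitoring" for e in entries):
        flags.append("no entries from continuous monitoring sources")
    for e in entries:
        if not e.owner:
            flags.append(f"{e.entry_id}: no assigned owner")
        if not e.source_ref:
            flags.append(f"{e.entry_id}: does not trace back to a finding")
        if e.status == "in_progress" and (today - e.opened).days > 2 * REVIEW_CYCLE_DAYS:
            flags.append(f"{e.entry_id}: in progress for more than two review cycles")
        if e.status == "closed" and not e.closure_evidence:
            flags.append(f"{e.entry_id}: closed without verification evidence")
    return flags

# Constructed sample data: one entry fed from a scan, two hand-entered entries with problems.
TODAY = date(2024, 9, 30)
SCAN_FINDING = {"id": "SCAN-0042", "title": "TLS 1.0 enabled on public listener", "control": "SC-8",
                "asset": "web-frontend (hypothetical)", "fix": "Disable TLS 1.0 and 1.1"}
SAMPLE_POAM = [
    entry_from_monitoring_finding(SCAN_FINDING, "A. Owner", date(2024, 11, 15), TODAY),
    PoamEntry("POAM-0007", "Improve access controls", "AC-2", "assessment", "", "",
              "Review accounts", date(2024, 3, 31), "in_progress", date(2024, 1, 10)),
    PoamEntry("POAM-0011", "Shared admin account on backup server", "AC-2", "audit", "AUD-2023-14",
              "B. Owner", "Remove shared account", date(2024, 6, 30), "closed", date(2024, 1, 10)),
]
```

Calling red_flags(SAMPLE_POAM, TODAY) reports the ownerless, untraceable and stale “in progress” entry and the closure with no verification evidence, while the scanner-fed entry passes every check.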

Take delayed remediation as a telling example. Ask vendors how they handle it and whether escalation procedures, risk acceptance documentation, and executive visibility into aging findings are part of the process. If a vendor can’t describe their escalation path, the POA&M process likely lacks the organizational support needed to drive actual remediation.

Evidence examples

Auditors examining CA-05 look for artifacts that demonstrate both the existence and ongoing maintenance of your remediation tracking process.

Evidence type | Example artifact
Remediation policy | Assessment, authorization, and monitoring policy defining POA&M creation, update frequency, and responsible roles
POA&M document | Active plan of action and milestones listing open weaknesses, remediation actions, owners, and target completion dates
Assessment findings | Control assessment report identifying deficiencies that feed into the POA&M
Assessment support | Control assessment plan and supporting evidence used to identify weaknesses
System documentation | System security plan and privacy plan describing the system boundary and control implementation
Remediation procedures | Documented procedures addressing POA&M creation, review, update, and closure workflows

Cross-framework mapping

Framework | Control(s) | Coverage
ISO 27001:2022 | 8.3 Information access restriction | Partial
NIST SP 800-171 Rev 3 | 03.12.02 Plan of Action and Milestones | Partial

For more on how NIST SP 800-171 Rev 3 relates to SP 800-53, see the full mapping guide.

Related controls

  • CA-02 (Control Assessments): Provides the assessment findings that populate the POA&M with identified weaknesses and deficiencies.
  • CA-07 (Continuous Monitoring): Feeds ongoing monitoring results into the POA&M, ensuring new findings are captured between formal assessments.
  • PM-04 (Plan of Action and Milestones Process): Establishes the organization-wide process and governance structure for managing POA&Ms across all systems.
  • PM-09 (Risk Management Strategy): Defines the risk tolerance thresholds that guide POA&M prioritization and risk acceptance decisions.
  • RA-07 (Risk Response): Determines how identified risks are handled, whether through remediation, mitigation, acceptance, or transfer, directly shaping POA&M entries.
  • SI-02 (Flaw Remediation): Addresses the technical remediation of software flaws, which are among the most common items tracked in a POA&M.
  • SI-12 (Information Management and Retention): Governs how long POA&M records and associated remediation evidence must be retained.

Frequently asked questions

What is NIST SP 800-53 CA-05?

CA-05 requires organizations to develop and maintain a plan of action and milestones (POA&M) that documents every known security weakness and tracks its remediation through completion. The POA&M must be created for each system based on findings from control assessments and must be updated at a defined frequency to incorporate results from independent audits, reviews, and continuous monitoring activities. It serves as the authoritative record connecting identified deficiencies to accountable owners, planned remediation actions, and target completion dates within your NIST SP 800-53 compliance program.

What happens if CA-05 is not implemented?

Without a functioning POA&M, your organization loses the ability to systematically track remediation of weaknesses identified during control assessments. Unresolved findings accumulate across assessment cycles with no visibility into their status, owner, or timeline. For federal systems, missing or incomplete POA&Ms can result in denied or revoked authorities to operate, since POA&Ms are required components of authorization packages and are subject to OMB reporting requirements. Auditors treat an absent or stale POA&M as a systemic governance failure, not just a documentation gap.

How do you audit CA-05?

Auditing CA-05 starts by verifying that a current POA&M exists for each system in scope and that it contains entries with assigned owners, planned remediation actions, and scheduled completion dates. Auditors compare the POA&M against the most recent control assessment report to confirm that identified deficiencies are reflected as tracked items. They also check update history to verify that the POA&M has been refreshed at the organization-defined frequency and that entries from continuous monitoring activities and independent audits appear alongside formal assessment findings.

What should a plan of action and milestones include?

A compliant POA&M should include, at minimum, a description of each identified weakness, the specific control or system affected, the planned corrective action, the individual or team responsible for remediation, the expected completion date, and the current status of each item. Findings should trace back to their source, whether that’s a control assessment report, an independent audit, or a continuous monitoring alert. Mature POA&Ms also include risk severity ratings, milestone checkpoints for complex remediation efforts, and closure evidence documenting how the weakness was verified as resolved.
