WHAT IS A PLAN OF ACTION AND MILESTONES (POAM)?A POAM is exactly what it is as described. It is a plan, specific to the selected security controls that cannot be adequately addressed, or a vulnerability identified by security tools that assess the cybersecurity posture of an Information System (IS), and the associated plan to fix it. It is typically applicable to the local physical and virtual network infrastructure that provides the “backbone” processes for a company to conduct business. Further, a POAM requires milestones. These are benchmark points in time that a company is expected to work to move a non-compliant control to a compliant status. Milestones are interim efforts that are managed by the IT staff and with corporate officer oversight to ensure an active risk management effort occurs. This Second Edition takes into account improved approaches and tools to manage the lifecycle of an active POAM.