How Can POA&Ms Help Improve Your Security Budgeting Process?

Posted by Ignyte Team

December 26, 2021

Have you ever heard an IT security pro talk about their POA&M and wondered what they meant? You’re not alone. Many security consultants and engineers are uncertain about the meaning of the acronym “POA&M”. It stands for Plan of Actions and Milestones; it’s a commonplace term within military and defense working environments.


A Plan of Action and Milestones (POA&M) is mandated by the Federal Information Security Management Act of 2002 (FISMA) as a formal corrective action plan for tracking and managing weaknesses within your system. In this context, “formal” means that both the structure of the document and the guidance on how to complete it properly are mandated. Any deviation from that guidance will result in rejection of your POA&M by the people reviewing it and certifying, or authorizing, your system for approval.


Most private and commercial organizations can relate this plan to their typical risk register. In federal vernacular, however, the POA&M is a highly structured, version-controlled, and sensitive document used not only to manage risk but also to support the federal budgeting process. POA&Ms are used in conjunction with a security control framework such as the NIST Risk Management Framework (RMF).

What goes in a POA&M?

In general, a POA&M contains a detailed estimate of the resources and human capital required to accomplish the identified tasks. More specifically, it is expected to contain the following fields:

  • Item Identifier
  • Weakness or Deficiency
  • Security Control
  • POC
  • Resources Required
  • Scheduled Completion Date
  • Milestones with Completion Dates
  • Changes to Milestones
  • Weakness/Deficiency Identified By
  • Risk Level
  • Estimated Cost
  • Status
  • Comments

Depending on your business or your agency, there may be more or fewer requirements when completing a POA&M.

How does a POA&M impact your security risk & compliance operations?

Security professionals today are under the scrutiny of many frameworks, regulations, and standards, such as GDPR, FISMA, and PCI-DSS. These can be brought together under a single security control framework, such as the NIST Risk Management Framework (NIST RMF). A security control framework is a unified compliance framework that lets the organization consolidate its requirements so it can properly manage the sheer number of obligations spread across different regulatory bodies and standards organizations. Assessing your environment against such a unified compliance effort will surface deficiencies across many controls and requirements. These deficiencies and issues are formally documented in your POA&M, which can then serve as a foundational document capturing business justification, tasks, and estimated cost, with clear traceability to your organization’s security posture.

How can POA&Ms help CISOs with their Budgeting Strategies?

According to OMB Memorandum 04-25, POA&Ms are actually used by the Office of Management and Budget (OMB) to collect the cost of security across the various U.S. federal agencies. The OMB is the largest office within the Executive Office of the President of the United States. It is the primary finance department for security and other activities.


There is a lot a CISO can learn from how OMB processes manage and approve funding for various types of activities, including capital planning for new investments, known as CPIC (Capital Planning & Investment Control).

So why does a POA&M capture cost, rather than some other document? The POA&M primarily reports on deficiencies identified against a unified compliance framework or your internal security controls framework. A large organization can deploy many variations of security control frameworks, and each one can generate its own set of deficiencies. The OMB is interested in managing and addressing these deficiencies because they could potentially turn into national security risks.

When assembling a security budget, CISOs must understand the relative impact of each item and communicate risk and impact properly. The POA&M lets CISOs do this in a clear and defensible manner by aligning each funding request with a specific security requirement, its deficiency, and its relative risk rating.


Below are the direct requirements of a POA&M from OMB Memorandum 04-25. Linking security costs to security performance is the key for CISOs desiring to get and maintain their budget. This is exactly what the POA&M attempts to achieve.
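As an added illustration (not part of the original post and not the Ignyte Platform’s code), the following Python sketch models a POA&M row using the fields listed earlier, flags two structural defects a reviewer would reject the row for, and rolls the estimated cost of open items up by risk level so that funding requests can be traced to a risk rating. The sample rows, control identifiers, people and dates are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

@dataclass
class PoamItem:
    item_id: str
    weakness: str
    control: str                # security control identifier, e.g. from NIST RMF
    poc: str
    scheduled_completion: date
    risk_level: str             # "Low", "Moderate" or "High"
    estimated_cost: float
    status: str                 # "Ongoing", "Delayed" or "Completed"
    milestones: list = field(default_factory=list)   # (description, due date)

def validate(item):
    """Return reasons a row would be rejected; an empty list means it conforms."""
    problems = []
    if item.status != "Completed" and not item.milestones:
        problems.append(f"{item.item_id}: open item has no milestones")
    if any(due > item.scheduled_completion for _, due in item.milestones):
        problems.append(f"{item.item_id}: milestone due after scheduled completion")
    return problems

def budget_by_risk(items, today):
    """Sum estimated cost of open items per risk level; list items that slipped."""
    totals, slipped = defaultdict(float), []
    for it in items:
        if it.status == "Completed":
            continue
        totals[it.risk_level] += it.estimated_cost
        if it.scheduled_completion < today or any(d < today for _, d in it.milestones):
            slipped.append(it.item_id)
    return dict(totals), slipped

def sample_register():
    """Constructed sample rows (hypothetical, not taken from any real POA&M)."""
    return [
        PoamItem("V-001", "Logs not centrally reviewed", "AU-6", "SOC lead",
                 date(2022, 6, 30), "High", 40000.0, "Ongoing",
                 [("Deploy log forwarder", date(2022, 3, 31))]),
        PoamItem("V-002", "Contingency plan untested", "CP-4", "IT director",
                 date(2022, 2, 28), "Moderate", 5000.0, "Delayed",
                 [("Tabletop exercise", date(2021, 12, 15))]),
        PoamItem("V-003", "Default SNMP community string", "CM-6", "Net admin",
                 date(2021, 11, 30), "High", 0.0, "Completed"),
    ]
def demo():
    return budget_by_risk(sample_register(), date(2022, 1, 15))
```

Running `demo()` on the constructed register reports 40,000 of open High-risk cost and 5,000 of Moderate, and lists V-002 as slipped because its milestone date has passed.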


How can Ignyte Platform help CISOs?

CISOs need a defensible budgeting strategy, and Ignyte Platform automates the security budgeting process while linking it to the security performance of your organization. The security performance of your organization can be tied to a unified compliance framework while managing multiple security control frameworks under a single organization. Give us a call or schedule your demo today.