Creating and Managing POA&Ms (Plans of Action and Milestones)

Secureframe's POA&M (Plan of Action and Milestones) module is a centralized view in the software that helps you document, track, manage, and update remediation plans for compliance gaps. Each row in the table represents a single POA&M entry (a known deficiency or risk) along with important details such as:

  • Description of the issue

  • Associated controls or requirements

  • Planned remediation steps

  • Responsible owner

  • Target completion date

  • Current status or progress

This table gives you and your team visibility into outstanding compliance tasks and allows you to prioritize and monitor remediation efforts over time. It’s an essential tool for staying audit-ready and demonstrating continuous improvement.

This feature is available on select plans. Contact us to learn more.

Access the POA&M Table

From the left-hand navigation menu, select the POA&M module.

Creating a POA&M Item from the POA&M table

To create a new POA&M item:

  1. Click the “+” button in the POA&M table.
  2. Fill in the required details:
    1. Issue: Describe how you are failing to meet the linked assessment objective(s).
    2. Owner: Identify the person responsible for remediating the POA&M item.
    3. Associated assessment objectives: Link the relevant assessment objectives.

Creating a POA&M Item from the Control Implementation page

From the "control implementation" page of your System Security Plan, you can create a POA&M item directly linked to any of your control requirements.

To learn more about creating and managing a system security plan, refer to the following help article: Building and Managing a System Security Plan (SSP)

POA&M Statuses

Draft: Default status when a POA&M item is created.

In Progress: Indicates active work on the POA&M item. When marked as "in progress," the due date is automatically set to 180 days to align with CMMC guidelines.

Closed: Indicates remediation is complete. The POA&M item remains in the system to maintain historical records.

Overdue: If a POA&M item remains “in progress” past its due date, the due date will turn red and display an overdue indicator. It’s critical to remediate POA&M items before they reach this status.

Track Remediation Plans

Each POA&M item includes fields for:

  • Estimated completion date
  • Remediation plan

Use these fields to outline your timeline and approach for resolving the issue.

In the Attachments tab, upload supporting documents or evidence of remediation—these are important for demonstrating resolution to auditors and assessors.

Use the Comments tab to collaborate and communicate with stakeholders throughout the remediation process.

Frequently Asked Question (FAQ)

How do I access the new Federal Features like SSP or POA&M?
