NIST SP 800-171 Rev 2 practice 3.12.2 requires organizations to develop and implement plans of action designed to correct security deficiencies and reduce or eliminate vulnerabilities identified in their systems. A Plan of Action and Milestones (POA&M) is a formal document that lists each identified weakness, the specific corrective actions to be taken, the resources allocated to those actions, responsible parties, and scheduled completion dates. The POA&M is not a static artifact; it must be actively implemented and its progress monitored so that deficiencies are actually resolved rather than merely documented. This practice directly depends on the findings produced by CA.L2-3.12.1 (periodic security assessments) and feeds into the organization's ongoing continuous monitoring posture. Together, identification, planning, and implementation form a closed-loop remediation cycle that keeps the system security posture aligned with stated requirements.
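As an added example (not part of the page, and not a NIST-prescribed format or tool), the following Python tracker shows what "actively implemented and monitored" can look like in practice: each POA&M entry carries the elements named above (weakness, corrective action, resources, responsible party, scheduled completion date, traceability to the originating assessment finding), and a review function flags entries that are missing required elements, have missed milestones, or have passed their scheduled completion date without being closed. The field names, the sample entries and the review rules are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Milestone:
    description: str
    due: date
    done: bool = False


@dataclass
class PoamItem:
    # Hypothetical schema for one POA&M entry (not a NIST-mandated layout).
    item_id: str
    weakness: str              # the identified deficiency being corrected
    source_finding: str        # the CA.L2-3.12.1 assessment finding it traces back to
    corrective_action: str
    resources: str             # people, budget, tooling allocated to the fix
    responsible_party: str
    scheduled_completion: date
    milestones: List[Milestone] = field(default_factory=list)
    completed_on: Optional[date] = None   # set only when the fix is verified complete


# Elements every entry must carry before it counts as a usable plan of action.
REQUIRED_TEXT_FIELDS = (
    "weakness", "source_finding", "corrective_action", "resources", "responsible_party",
)


def missing_fields(item: PoamItem) -> List[str]:
    """Names of required elements that are empty or whitespace on this entry."""
    return [name for name in REQUIRED_TEXT_FIELDS if not getattr(item, name).strip()]


def overdue_milestones(item: PoamItem, as_of: date) -> List[Milestone]:
    """Milestones that are past due and not done, for an entry that is still open."""
    if item.completed_on is not None:
        return []
    return [m for m in item.milestones if not m.done and m.due < as_of]


def review_poam(items: List[PoamItem], as_of: date) -> Dict[str, List[str]]:
    """Periodic monitoring pass: group entry ids by the condition that needs attention."""
    report: Dict[str, List[str]] = {
        "incomplete": [],            # missing a required element
        "overdue_milestones": [],    # open, with at least one missed milestone
        "past_completion_date": [],  # open, scheduled completion date already passed
        "closed": [],                # verified complete
    }
    for item in items:
        if missing_fields(item):
            report["incomplete"].append(item.item_id)
        if item.completed_on is not None:
            report["closed"].append(item.item_id)
            continue
        if overdue_milestones(item, as_of):
            report["overdue_milestones"].append(item.item_id)
        if item.scheduled_completion < as_of:
            report["past_completion_date"].append(item.item_id)
    return report


# Constructed sample entries for demonstration only.
SAMPLE_POAM = [
    PoamItem("POAM-001", "Audit log retention shorter than policy requires",
             "ASSESS-2024-Q1-07", "Extend retention on the log platform and verify",
             "Platform team, 2 days", "J. Doe", date(2024, 9, 30),
             milestones=[Milestone("Change ticket approved", date(2024, 4, 15)),
                         Milestone("Retention verified", date(2024, 8, 31))]),
    PoamItem("POAM-002", "Shared admin account on file server",
             "ASSESS-2024-Q1-12", "Replace with individual named accounts",
             "", "A. Smith", date(2024, 3, 31)),            # resources left blank
    PoamItem("POAM-003", "Missing MFA on VPN gateway",
             "ASSESS-2024-Q1-02", "Enable MFA for all VPN users",
             "Network team, 1 week", "K. Lee", date(2024, 5, 15),
             milestones=[Milestone("MFA rollout complete", date(2024, 2, 1), done=True)],
             completed_on=date(2024, 5, 1)),
]

AS_OF = date(2024, 6, 1)


def sample_report() -> Dict[str, List[str]]:
    return review_poam(SAMPLE_POAM, AS_OF)


if __name__ == "__main__":
    for condition, ids in sample_report().items():
        print(f"{condition}: {', '.join(ids) or '-'}")
```

The review function deliberately treats a blank resources field as an incomplete entry rather than an open one with nothing to do, since a plan that names no resources cannot be tracked against the allocation the practice calls for; in a real program the same pass would run on a schedule and feed the continuous monitoring record.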
Where it stops · what it isn't
- This practice does not define how to conduct the security assessment itself — that is covered by CA.L2-3.12.1, which is a prerequisite.
- POA&M development does not replace or defer the need to implement actual technical controls; it documents the remediation path but cannot substitute for completed fixes.
- This practice does not govern risk acceptance decisions for residual risk after remediation — that falls under organizational risk management processes.
- CA.L2-3.12.2 does not require a specific POA&M format or tool, only that the plan contains sufficient detail to track milestones and resource allocation.
- This practice does not cover vulnerability scanning or penetration testing methodologies — it addresses what happens to findings after they are produced.
Connected concepts in the graph
PART OF: domain/security-assessment