POA&M Management
A Plan of Action & Milestones (POA&M) is a required component of every ATO package. Infracast auto-generates POA&M items from compliance findings and tracks them through closure — eliminating manual spreadsheet maintenance.
Overview
When Infracast creates a compliance finding, a POA&M item is automatically drafted with:
- Weakness name and description from the finding
- Severity (CRITICAL/HIGH/MEDIUM/LOW) directly mapped
- Associated NIST 800-53 control IDs
- Default scheduled completion date (severity-based)
- Responsible party field (assignable to users/teams)
As you remediate findings, POA&M items track progress and close automatically when evidence confirms the control is re-compliant.
Status Workflow
Open → In Progress → Verification → Closed
| Status | Description |
|---|---|
| Open | Finding identified, not yet being remediated |
| In Progress | Remediation underway, milestones being tracked |
| Verification | Remediation complete, awaiting evidence confirmation |
| Closed | Evidence confirms control now passes |
POA&M Fields
Per the FedRAMP POA&M template and OMB A-130:
| Field | Description |
|---|---|
| POA&M ID | Sequential (e.g., POAM-0042) |
| Weakness Name | Short title |
| Weakness Description | Technical detail |
| Control IDs | NIST 800-53 controls affected |
| Severity | CRITICAL / HIGH / MEDIUM / LOW |
| Point of Contact | Assignee (user or team) |
| Scheduled Completion | Target date |
| Milestones | Ordered list of dates + descriptions |
| Status | Current workflow state |
| Comments | Audit-trailed log of all updates |
| Vendor Dependency | Is remediation blocked by a vendor? |
| Deviation Request | Notes for formal deviation |
POA&M UI
The POA&M page (/poam) provides:
Table View
- Sortable/filterable by any column
- Inline status updates (click badge to advance)
- Bulk actions: assign, update status, export
- Overdue items highlighted — badge count in sidebar
Kanban View
Drag-and-drop cards between Open → In Progress → Verification → Closed.
Create/Edit Modal
Full form with milestone timeline editor, comment history, evidence attachment, and deviation request fields.
API Reference
```
# List POA&M items
GET /api/v1/tenants/{tenantID}/poam?status=open&severity=HIGH

# Update status
PATCH /api/v1/tenants/{tenantID}/poam/{poamId}/status
{ "status": "in_progress", "comment": "Remediation started" }

# Export (FedRAMP Excel template)
GET /api/v1/tenants/{tenantID}/poam/export?format=fedramp

# Overdue items
GET /api/v1/tenants/{tenantID}/poam/overdue
```
Export Formats
| Format | Use Case |
|---|---|
| FedRAMP Excel (.xlsx) | FedRAMP PMO submission |
| OMB MAX CSV | Federal agency OMB MAX upload |
| JSON | API integration or custom reporting |
```bash
# CLI export
vulcan poam export --format fedramp --tenant acme --output poam-2026-04.xlsx
```
Overdue Alerting
Configure in Settings → Authorization → Notifications:
- Email to owner when scheduled completion date passes
- Email to compliance officer at 15/30/60 days overdue
- Slack/Teams webhook for overdue items
- Dashboard badge showing overdue count
Integration with Evidence
- Closing a POA&M item requires linking an evidence artifact confirming the finding is resolved
- Verification status triggers evidence generation for the associated controls
- "Evidence gap" report: POA&M items without linked evidence older than 30 days
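The rules above (the Open → In Progress → Verification → Closed workflow, the evidence requirement for closure, the overdue escalation tiers and the 30-day evidence-gap report) can be modelled in a few lines. The following is an added illustration, not Infracast code; the class and function names, the `opened` date field and the escalation labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Workflow order from the status table; an item may only move one step forward.
STATUSES = ["open", "in_progress", "verification", "closed"]


@dataclass
class PoamItem:  # hypothetical model of one POA&M record
    poam_id: str
    severity: str
    opened: date
    scheduled_completion: date
    status: str = "open"
    evidence_ids: list = field(default_factory=list)
    comments: list = field(default_factory=list)  # audit-trailed log of updates


def advance(item, new_status, comment, evidence_id=None):
    """Move one workflow step; Closed is refused without a linked evidence artifact."""
    cur, nxt = STATUSES.index(item.status), STATUSES.index(new_status)
    if nxt != cur + 1:
        raise ValueError(f"{item.poam_id}: cannot move {item.status} -> {new_status}")
    if new_status == "closed":
        if evidence_id is not None:
            item.evidence_ids.append(evidence_id)
        if not item.evidence_ids:
            raise ValueError(f"{item.poam_id}: closure requires linked evidence")
    item.status = new_status
    item.comments.append((new_status, comment))
    return item


def overdue_days(item, today):
    """Days past the scheduled completion date; closed items are never overdue."""
    if item.status == "closed":
        return 0
    return max(0, (today - item.scheduled_completion).days)


def escalation(item, today):
    """Map days overdue onto the notification tiers (owner, then 15/30/60-day officer mails)."""
    days = overdue_days(item, today)
    if days == 0:
        return None
    for threshold in (60, 30, 15):
        if days >= threshold:
            return f"compliance_officer_{threshold}"
    return "owner"


def evidence_gap(items, today):
    """IDs of open items with no linked evidence that have been open for more than 30 days."""
    return [i.poam_id for i in items
            if i.status != "closed" and not i.evidence_ids and (today - i.opened).days > 30]
```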
Related Features
- Evidence Engine — Evidence artifacts confirm POA&M closures
- Continuous Monitoring — Monthly POA&M updates are a ConMon deliverable
- GRC Integrations — POA&M items sync to eMASS, CSAM, ServiceNow GRC
Availability
| Tier | Access |
|---|---|
| Free / Pro | Not available |
| Business | Not available |
| Enterprise | POA&M auto-population, create/update, export |
| Enterprise Plus / Gov | eMASS/CSAM sync, OMB MAX export |