If you've worked in a DoD program office or on a government IT system going through the Risk Management Framework (RMF), you've spent time on POA&Ms. Probably more time than you wanted to.
A Plan of Action and Milestones is supposed to be a simple document: here are the vulnerabilities we know about, here's what we're doing about them, here's when we'll be done. In practice, it becomes a sprawling spreadsheet that three different people maintain, that never quite matches the STIG scan results, and that the ISSO has to manually reconcile every time an assessor asks for it.
This article is a practical look at what POA&M automation actually means, what it can and can't do for your program, and what to look for if you're evaluating tools.
What a POA&M actually is (and isn't)
Under the RMF process defined in NIST SP 800-37, a POA&M is a document that identifies tasks needing to be accomplished to remediate known vulnerabilities or weaknesses in an information system. It's a required artifact for Authorization to Operate (ATO) packages and is reviewed by the Authorizing Official (AO) as part of ongoing continuous monitoring.
Every open finding from a STIG checklist, every unresolved vulnerability from a scan, every security control that can't be fully implemented, these all become POA&M items. For any system of meaningful size, that can be dozens to hundreds of open items at any given time.
The key distinction: A POA&M doesn't mean your system isn't secure enough to operate. It means you've identified gaps, you have a plan to address them, and you're being transparent about the risk. An AO can grant an ATO with open POA&M items, what they need to see is that you know what you have and you're managing it responsibly.
The problem isn't the concept. The problem is the operational reality of keeping that document accurate, current, and traceable across the entire lifecycle of a system, especially when the findings come from multiple scan tools, multiple STIG checklists, and multiple assessment events.
What manual POA&M management costs you
The standard approach most programs use is a spreadsheet, usually derived from the DISA POA&M template. Someone on the team is responsible for updating it, usually the ISSO or a system administrator who has other primary duties.
Here's what that typically looks like in practice:
- Scan results come in as separate reports, SCAP content results, manual STIG checklist CKL files, vulnerability scanner output, and someone has to manually cross-reference each finding against the existing POA&M to determine what's new, what's been remediated, and what's changed.
- Finding IDs don't stay stable. DISA updates STIGs regularly. A CAT I finding from six months ago may have a different Vulnerability ID in the current version, which breaks any manual tracking you had tied to that ID.
- Inherited controls create confusion. Many findings apply to the platform or infrastructure layer, not the application itself. Knowing which items are your responsibility vs. inherited from a cloud service provider or enclave owner requires judgment that a spreadsheet can't capture.
- Status goes stale fast. A finding marked "in remediation" six months ago may still be open. Without active tracking, the POA&M becomes a historical document rather than an accurate current-state view.
- ATO package prep is painful. When an assessment is coming, pulling together a current, accurate POA&M from scattered sources under time pressure is where hours disappear.
For a program with a large or complex system, maintaining a manual POA&M honestly takes significant recurring staff time, time that skilled security personnel should be spending on actual security work, not spreadsheet maintenance.
What POA&M automation actually looks like
Automation doesn't mean the POA&M manages itself. It means the system handles the data ingestion, correlation, and tracking work that humans shouldn't be doing manually.
A well-designed POA&M automation tool does several things:
Ingests findings from your scan sources
Rather than exporting a SCAP results file and manually reviewing it, the tool ingests the output directly, XCCDF results, CKL files, STIG Viewer exports, and maps those findings to existing POA&M items automatically. New findings get created. Remediated findings get flagged for review. The delta between two scan runs becomes visible without a manual diff.
Tracks findings across STIG version changes
When DISA releases an updated STIG, Vulnerability IDs and rule content can change. Good automation handles that mapping so a finding doesn't get orphaned or duplicated because the ID changed in the new version.
Maintains milestone and ownership tracking
Each POA&M item needs a responsible owner, a scheduled completion date, and a current status. The tool keeps those fields current, surfaces items that are approaching or past their milestone dates, and gives the ISSO a single view of the program's remediation posture without manual assembly.
Generates compliant output
The output the AO actually needs, a POA&M document in the required format, should be a one-click export, not a multi-hour formatting exercise. The data is already in the system; the tool just needs to render it correctly.
The STIG scanning connection
POA&M automation and STIG compliance tracking are two sides of the same problem. Every open STIG finding is a potential POA&M item. Every closed finding needs to be traceable back to a STIG check with evidence.
Programs that try to manage these separately, STIG checklists in one place, POA&M in another, create a reconciliation burden that compounds over time. The most efficient approach is a unified system where STIG status directly drives POA&M state: an open CAT I automatically surfaces as a high-priority POA&M item, and when the STIG check is marked compliant with evidence, the POA&M item closes with traceability intact.
This integration also matters for continuous monitoring. Under RMF, ATOs aren't one-time events, they require ongoing monitoring and periodic reassessment. A system that keeps STIG status and POA&M state synchronized gives the ISSO a real-time view of authorization posture rather than a point-in-time snapshot that goes stale between assessments.
What to look for in a POA&M tool
If you're evaluating tools for your program, here are the questions that actually matter:
- Does it ingest native scan formats? XCCDF results, CKL files, and common vulnerability scanner outputs should be importable without manual transformation.
- Does it handle STIG versioning? DISA updates STIGs frequently. The tool should manage version transitions without breaking your historical finding data.
- Can it operate in your environment? If you're working in a classified or air-gapped environment, a cloud-only SaaS tool won't work. You need something that can be deployed on-premise or in a government cloud environment.
- Does it produce compliant output? The POA&M format expected by your AO matters. The tool should output in a format your assessors will accept without reformatting.
- Who owns the data? For CUI-handling programs, you need clarity on where your finding data lives and who can access it.
- Does it track inherited controls? Knowing which findings are your responsibility vs. inherited from the enclave or CSP layer is essential for accurate risk representation.
How CertiField approaches this
We built CertiField because we ran into these problems on our own programs and couldn't find a tool that addressed them well for small-to-mid-size DoD software teams.
CertiField handles STIG checklist management, vulnerability tracking, and POA&M workflows in a single platform, designed for teams that need to maintain RMF compliance without dedicating a full-time resource to spreadsheet management. It ingests scan results, tracks finding state across STIG versions, manages milestones and ownership, and generates the output your assessors need.
It's also designed to run in the environments where DoD programs actually operate, including Azure Government and air-gapped deployments, because a compliance tool that can only run in a commercial cloud environment isn't useful for a significant portion of the programs that need it most.
We use CertiField on our own systems. Alethia is CMMC 2.0 Level 2 compliant, and CertiField is part of how we maintain that posture. We built it to solve a real problem we had, not as a theoretical product.
Bottom line
POA&M automation isn't about making compliance easier to fake, it's about making accurate, current compliance status easy to maintain. The programs that run into problems at assessment time are usually the ones where the POA&M stopped reflecting reality months before the assessors showed up.
If your program is managing STIGs and POA&Ms manually, the question isn't whether automation would save time, it's whether the current approach is sustainable as your system grows and your assessment frequency increases.
See CertiField in action
CertiField is Alethia's STIG compliance tracking and POA&M automation platform, built for DoD programs, deployable in classified and unclassified environments.
Visit CertiField Talk to Our Team