
Plan of Action & Milestones (POAM)

Track open security findings to closure with milestone-based remediation, in the OMB A-130 / DoD eMASS format required for federal authorization packages and FISMA reporting.

What POAMs Are For

A POAM (sometimes "POA&M") is a federal artifact that documents every open weakness in a system, the plan to fix it, who owns it, what it costs, and when it will be done. POAMs are required for:

  • NIST RMF Authorization to Operate (ATO) — included in every authorization package as ongoing risk acceptance evidence.
  • FISMA annual reporting — agencies report POAM aging metrics to OMB.
  • DoD eMASS — DoD systems use POAMs as the system of record for vulnerability tracking against STIG findings.
  • StateRAMP / FedRAMP — required ongoing artifact between annual assessments.

Where to Find It

In TATER, navigate to Governance & Risk → POAM. The list page shows all POAM items with status, scheduled completion, asset, impact, and source.

POAM Lifecycle

  1. Open — newly identified weakness; planning underway.
  2. In Progress — remediation work is active.
  3. Completed — weakness closed; supporting evidence captured.
  4. Risk Accepted — formal acceptance recorded; tied to a Risk Register entry or Exception.
  5. False Positive — finding determined not to apply (with justification).

An Overdue indicator appears automatically when an open item passes its scheduled completion date — there's no separate Overdue status, the system computes it from the date.

Creating POAM Items

Manual Entry

Click + New POAM and fill in:

  • Title (required) — concise weakness summary, e.g. "MFA not enforced for Global Admins".
  • Weakness Description (required) — detailed finding, including evidence and scope.
  • Impact — High / Moderate / Low (per FIPS 199 system categorization).
  • Status — start at Open for new findings.
  • Scheduled Completion — target remediation date. Drives overdue computation and calendar events.
  • Resources Required — labor hours and dollars needed (e.g., "120 hours / $18,000").
  • Point of Contact / Office — who owns the remediation.
  • Asset / Component — system or component affected.
  • Detection Source — e.g., "TATER Scan", "DISA STIG Viewer", "SCC", "Audit finding".
  • Framework / Control ID — link to the NIST 800-53 control or STIG rule (e.g., AC-2, V-220706).
  • Milestones — interim checkpoints with due dates and completion checkboxes.

Auto-Populate from Existing Data

The Auto-Populate button creates draft POAM items from three sources, with deduplication by source ID so re-running is safe:

  • Failing controls — every control with status Fail in the most recent scan generates a POAM. Impact is derived from control severity.
  • Open exceptions — every active Exception becomes a POAM, with status set to Risk Accepted if the exception was approved.
  • High-severity risks — every Risk Register entry with score ≥ 15 (out of 25 on the 5×5 matrix) generates a POAM.

Auto-populated items show their Source in the list table and link back to the originating record on the detail page.
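The following is an added example of the auto-populate rules described above, written for this page and not taken from TATER's code base. It keeps the page's field names (sourceId, riskId, exceptionId, the ≥ 15 risk threshold, Risk Accepted for approved exceptions) and assumes the rest: the input record shapes, the severity-to-impact mapping, the POAM-n ID scheme, and High impact for risk-derived items. The point it demonstrates is the deduplication key: sourceId is namespaced by source kind, and the same key set is consulted for existing items and for items created earlier in the same run, which is what makes re-running a no-op.

```typescript
// Added example (not TATER's code): idempotent POAM auto-population from the
// three sources the page describes. Record shapes and the impact mapping are assumed.

type Impact = "High" | "Moderate" | "Low";
type PoamStatus = "Open" | "In Progress" | "Completed" | "Risk Accepted" | "False Positive";
type Source = "Scan" | "Exception" | "Risk";

interface Poam {
  id: string;
  title: string;
  status: PoamStatus;
  impact: Impact;
  source: Source;
  sourceId: string;      // dedup key: exactly one POAM per originating record
  riskId?: string;       // back-pointer (page: "riskId / exceptionId back-pointers")
  exceptionId?: string;
}

// Assumed input shapes for the three sources.
interface ControlResult { controlId: string; title: string; status: "Pass" | "Fail"; severity: "critical" | "high" | "medium" | "low" }
interface ExceptionRecord { id: string; title: string; impact: Impact; active: boolean; approved: boolean }
interface RiskEntry { id: string; title: string; likelihood: number; impact: number } // 1..5 each, 5x5 matrix

const RISK_THRESHOLD = 15; // page: score >= 15 out of 25

// Assumed mapping; the page only says impact is "derived from control severity".
function impactFromSeverity(sev: ControlResult["severity"]): Impact {
  if (sev === "critical" || sev === "high") return "High";
  if (sev === "medium") return "Moderate";
  return "Low";
}

function autoPopulate(existing: Poam[], controls: ControlResult[], exceptions: ExceptionRecord[], risks: RiskEntry[]): Poam[] {
  // One key set covers items that already exist AND items created earlier in this run.
  const seen = new Set(existing.map(p => p.sourceId));
  const created: Poam[] = [];
  let seq = existing.length; // illustrative ID allocation; a real store would assign IDs
  const add = (draft: Omit<Poam, "id">): void => {
    if (seen.has(draft.sourceId)) return; // already tracked: re-running is a no-op
    seen.add(draft.sourceId);
    created.push({ id: `POAM-${++seq}`, ...draft });
  };
  // sourceId is namespaced by kind so a control ID and a risk ID can never collide.
  for (const c of controls) {
    if (c.status !== "Fail") continue;
    add({ title: c.title, status: "Open", impact: impactFromSeverity(c.severity), source: "Scan", sourceId: `control:${c.controlId}` });
  }
  for (const e of exceptions) {
    if (!e.active) continue;
    add({ title: e.title, status: e.approved ? "Risk Accepted" : "Open", impact: e.impact, source: "Exception", sourceId: `exception:${e.id}`, exceptionId: e.id });
  }
  for (const r of risks) {
    if (r.likelihood * r.impact < RISK_THRESHOLD) continue;
    add({ title: r.title, status: "Open", impact: "High", source: "Risk", sourceId: `risk:${r.id}`, riskId: r.id }); // High is an assumption
  }
  return created;
}

// Constructed sample data (not from any real system).
const SAMPLE_CONTROLS: ControlResult[] = [
  { controlId: "AC-2", title: "MFA not enforced for Global Admins", status: "Fail", severity: "high" },
  { controlId: "IA-2", title: "MFA configured for privileged roles", status: "Pass", severity: "high" },
  { controlId: "SC-7", title: "Boundary firewall allows any/any egress", status: "Fail", severity: "medium" },
];
const SAMPLE_EXCEPTIONS: ExceptionRecord[] = [
  { id: "EXC-1", title: "Legacy app cannot use TLS 1.2", impact: "Moderate", active: true, approved: true },
  { id: "EXC-2", title: "Retired exception", impact: "Low", active: false, approved: true },
];
const SAMPLE_RISKS: RiskEntry[] = [
  { id: "RISK-7", title: "Unpatched internet-facing VPN appliance", likelihood: 5, impact: 4 }, // 20 -> POAM
  { id: "RISK-8", title: "Stale service accounts", likelihood: 3, impact: 4 },                 // 12 -> below threshold
];

// Run auto-populate twice: the second pass sees the first pass's output as "existing".
function runTwice(): { first: Poam[]; second: Poam[] } {
  const first = autoPopulate([], SAMPLE_CONTROLS, SAMPLE_EXCEPTIONS, SAMPLE_RISKS);
  const second = autoPopulate(first, SAMPLE_CONTROLS, SAMPLE_EXCEPTIONS, SAMPLE_RISKS);
  return { first, second };
}
```

With the constructed data the first pass yields four drafts (AC-2 and SC-7 from the scan, EXC-1 as Risk Accepted, RISK-7 at score 20) and the second pass yields none, which is the behaviour the Troubleshooting entry "Auto-populate created nothing" describes.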

Cross-Feature Integration

  • Risk Register / Exceptions — POAMs created from these sources carry riskId / exceptionId back-pointers; the detail panel surfaces "View Linked Exception/Risk" links.
  • Dashboard Needs Attention strip — overdue POAMs surface as a clickable strip item.
  • GRC Calendar — every POAM with a scheduled completion appears in the calendar; overdue items are color-coded red.
  • RMF Authorize step — the RMF tracker (when configured) blocks the Authorize transition if any High-impact POAM is overdue.

OMB / eMASS Excel Export

Click Export Excel to download an .xlsx in the OMB A-130 / DoD eMASS column layout:

  • POAM ID, Weakness Description, Source Identifying Vulnerability, Severity, Resources Required, Scheduled Completion Date, Milestones, Status, Comments, etc.

You can submit this directly to your authorizing official or paste rows into eMASS. If the server-side export fails for any reason, TATER falls back to a simplified CSV export client-side.
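Because the fallback CSV is opened in Excel and the Weakness Description column carries free text copied from scanners and auditors, two details matter in a client-side fallback: RFC 4180 quoting (commas, quotes and newlines inside a field) and neutralising cells that begin with =, +, -, @, tab or carriage return, which spreadsheets otherwise evaluate as formulas. The block below is an added example written for this page, not TATER's export code; it follows the page's column order and assumes the row shape, the "due [x] text; ..." milestone flattening and the leading-apostrophe neutralisation (the apostrophe stays visible in the cell, a cosmetic cost accepted for safety).

```typescript
// Added example (not TATER's code): a hardened client-side CSV fallback for the
// POAM export. Column order follows the page's OMB / eMASS layout; the row shape
// and the milestone flattening rule are assumptions.

interface Milestone { due: string; text: string; done: boolean }
interface PoamRow {
  id: string; weakness: string; source: string; severity: string;
  resources: string; scheduledCompletion: string; milestones: Milestone[];
  status: string; comments: string;
}

const CSV_HEADER = [
  "POAM ID", "Weakness Description", "Source Identifying Vulnerability", "Severity",
  "Resources Required", "Scheduled Completion Date", "Milestones", "Status", "Comments",
];

// RFC 4180 quoting plus formula-prefix neutralisation: spreadsheets treat a cell that
// starts with = + - @ (or a tab / CR) as a formula, so free text from a scanner or an
// auditor must never reach the sheet with one of those as its first character.
function csvField(value: string): string {
  let v = value;
  if (/^[=+\-@\t\r]/.test(v)) v = "'" + v;                 // neutralise formula prefix
  if (/[",\r\n]/.test(v)) v = '"' + v.replace(/"/g, '""') + '"'; // quote and escape
  return v;
}

// Milestones are a list in the UI but a single cell in the export.
function flattenMilestones(ms: Milestone[]): string {
  return ms.map(m => `${m.due} ${m.done ? "[x]" : "[ ]"} ${m.text}`).join("; ");
}

function toCsv(rows: PoamRow[]): string {
  const lines = [CSV_HEADER.map(csvField).join(",")];
  for (const r of rows) {
    lines.push([
      r.id, r.weakness, r.source, r.severity, r.resources, r.scheduledCompletion,
      flattenMilestones(r.milestones), r.status, r.comments,
    ].map(csvField).join(","));
  }
  return lines.join("\r\n") + "\r\n"; // CRLF line ends per RFC 4180
}

// Constructed sample rows: one with quotes and commas, one whose text looks like a formula.
const SAMPLE_ROWS: PoamRow[] = [
  {
    id: "POAM-1",
    weakness: 'MFA not enforced for "Global Admins", scope: tenant-wide',
    source: "TATER Scan", severity: "High", resources: "120 hours / $18,000",
    scheduledCompletion: "2025-09-30",
    milestones: [
      { due: "2025-08-15", text: "Enable CA policy", done: true },
      { due: "2025-09-15", text: "Verify enforcement", done: false },
    ],
    status: "In Progress", comments: "",
  },
  {
    id: "POAM-2",
    weakness: "=1+1 (constructed formula-looking text)",
    source: "Audit finding", severity: "Low", resources: "8 hours",
    scheduledCompletion: "2025-12-31", milestones: [], status: "Open", comments: "none",
  },
];
```

Calling toCsv(SAMPLE_ROWS) produces a header line and two data rows; the second row's weakness cell leaves as '=1+1 ... so that it is displayed as text rather than evaluated.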

API & MCP Access

POAM items are accessible via:

  • HTTP API — GET /api/poam, GET /api/poam/:id, POST /api/poam, PATCH /api/poam/:id, DELETE /api/poam/:id, POST /api/poam/auto-populate, GET /api/poam/export.
  • MCP — agentic clients (Claude, Microsoft Copilot) can list and create POAM items via the same backend; future MCP tool additions will expose list_poams and create_poam directly.

NIST RMF 6-Step Tracker

The companion RMF Tracker module sits next to POAM in the Governance & Risk navigation group. Each authorized system advances through the NIST RMF lifecycle:

  1. Categorize — FIPS 199 impact determination (Confidentiality / Integrity / Availability, with overall = highest of the three)
  2. Select — control baseline selection (NIST 800-53 Rev 5 Low / Moderate / High; FedRAMP equivalents)
  3. Implement — System Security Plan authoring (see SSP section below)
  4. Assess — Security Assessment Plan / Report (SAP / SAR)
  5. Authorize — Authorization package + POA&M review (open POAMs surface here)
  6. Monitor — Continuous monitoring; ATO expiry tracking

The detail page renders all 6 steps as a horizontal stepper with per-step completion dates, current-step highlighting, and pending/complete state. Advancing currentStep via the modal automatically backfills stepCompletedDates for any intermediate steps. ATO grant date and expiry date are tracked at the system level; status auto-flips to Expired when atoExpiryDate passes.
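The block below is an added example, written for this page rather than taken from TATER, of the rules that three passages describe in prose: the computed Overdue indicator from the POAM Lifecycle section (no stored status, derived from the scheduled completion date of an item that is not Completed, Risk Accepted or False Positive), the Authorize gate from Cross-Feature Integration (any overdue High-impact POAM blocks the transition), and the stepper behaviour above (advancing currentStep backfills stepCompletedDates for the steps passed over; status reads as Expired once atoExpiryDate has passed). It also carries the FIPS 199 high-water-mark rule from step 1. Field names currentStep, stepCompletedDates and atoExpiryDate follow the page; the record shapes, function names, ISO date strings, and the choice to gate both entering and leaving the Authorize step are assumptions.

```typescript
// Added example (not TATER's code): RMF stepper rules, computed POAM overdue state,
// and the Authorize gate. Record shapes and function names are assumptions.

const RMF_STEPS = ["Categorize", "Select", "Implement", "Assess", "Authorize", "Monitor"] as const;
type RmfStep = 1 | 2 | 3 | 4 | 5 | 6;
type Impact = "High" | "Moderate" | "Low";

interface RmfSystem {
  name: string;
  categorization: { confidentiality: Impact; integrity: Impact; availability: Impact };
  currentStep: RmfStep;
  stepCompletedDates: Partial<Record<RmfStep, string>>; // ISO date per finished step
  atoGrantDate?: string;
  atoExpiryDate?: string;
  status: "In Progress" | "Authorized" | "Expired";
}

interface PoamLite { impact: Impact; status: string; scheduledCompletion?: string }

const RANK: Record<Impact, number> = { Low: 1, Moderate: 2, High: 3 };

// FIPS 199 high-water mark: overall impact is the highest of C, I and A.
function overallImpact(c: RmfSystem["categorization"]): Impact {
  return [c.confidentiality, c.integrity, c.availability].reduce((hi, x) => (RANK[x] > RANK[hi] ? x : hi));
}

// Overdue is computed, never stored. Only items still open (assumed here to mean
// anything other than Completed, Risk Accepted or False Positive) can be overdue.
const CLOSED_STATUSES = new Set(["Completed", "Risk Accepted", "False Positive"]);
function isOverdue(p: PoamLite, today: string): boolean {
  if (CLOSED_STATUSES.has(p.status) || !p.scheduledCompletion) return false;
  return Date.parse(p.scheduledCompletion) < Date.parse(today);
}

// Authorize gate: every overdue High-impact POAM is a blocker.
function authorizeBlockers(poams: PoamLite[], today: string): PoamLite[] {
  return poams.filter(p => p.impact === "High" && isOverdue(p, today));
}

// Advance the stepper. Steps passed over on the way to toStep get the same completion
// date backfilled; a date already recorded for a step is left untouched.
function advanceStep(sys: RmfSystem, toStep: RmfStep, on: string, poams: PoamLite[] = []): RmfSystem {
  if (toStep <= sys.currentStep) {
    throw new Error(`advanceStep only moves forward (at ${RMF_STEPS[sys.currentStep - 1]})`);
  }
  if (toStep >= 5 && authorizeBlockers(poams, on).length > 0) {
    throw new Error("Authorize blocked: overdue High-impact POAM(s)");
  }
  const dates: Partial<Record<RmfStep, string>> = { ...sys.stepCompletedDates };
  for (let s = sys.currentStep; s < toStep; s++) {
    const step = s as RmfStep;
    dates[step] = dates[step] ?? on;
  }
  return { ...sys, currentStep: toStep, stepCompletedDates: dates };
}

// Status is derived at read time: Expired once atoExpiryDate has passed, else as stored.
function effectiveStatus(sys: RmfSystem, today: string): RmfSystem["status"] {
  if (sys.atoExpiryDate && Date.parse(sys.atoExpiryDate) < Date.parse(today)) return "Expired";
  return sys.status;
}

// Constructed sample data (not a real system).
const SAMPLE_SYSTEM: RmfSystem = {
  name: "Payroll Portal (constructed)",
  categorization: { confidentiality: "Moderate", integrity: "High", availability: "Low" },
  currentStep: 2,
  stepCompletedDates: { 1: "2025-01-10" },
  status: "In Progress",
};
const SAMPLE_POAMS: PoamLite[] = [
  { impact: "High", status: "In Progress", scheduledCompletion: "2025-03-01" },  // overdue on 2025-06-01: blocks
  { impact: "High", status: "Risk Accepted", scheduledCompletion: "2025-02-01" }, // closed: never overdue
  { impact: "Moderate", status: "Open", scheduledCompletion: "2025-01-15" },     // overdue, but not High
];
```

Against the sample data on 2025-06-01, the system's overall categorization is High, one POAM blocks authorization, jumping from Select to Assess backfills Select and Implement with 2025-06-01, and a system whose atoExpiryDate was 2025-05-31 reads as Expired while one expiring on 2025-06-01 does not yet.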

API endpoints: GET/POST/PATCH/DELETE /api/rmf + GET/POST/DELETE /api/rmf/:id/artifacts for artifact references per step. The full data model is in api/src/functions/rmf.ts.

SSP Generator (System Security Plan)

SSPs are the primary ATO authorization artifact. The TATER SSP Generator handles the document-level lifecycle plus per-control implementation statements with two export formats:

  • OSCAL JSON export — GET /api/ssp/:id/export?format=oscal. Validates against the OSCAL 1.1 system-security-plan schema. Drop directly into eMASS or any OSCAL-aware tool.
  • Word .docx export — GET /api/ssp/:id/export?format=docx. Federal document formatting via the docx npm package. Hand directly to authorizing officials who prefer Word.

Framework baselines available: NIST 800-53 Rev 5 (Low / Moderate / High) and FedRAMP (Low / Moderate / High). Bidirectional linking with RMF: setting rmfSystemId on an SSP automatically writes sspId back onto the linked RMF system record (read-modify-write at the API layer).

Per-control implementation statements have endpoints (GET/PUT /api/ssp/:id/statements/:controlId) and an AI-assisted drafting endpoint (POST /api/ssp/:id/statements/:controlId/ai-draft). The full per-control statement editor UI is a deferred follow-on; basic SSP CRUD provides metadata management and exports today.

Troubleshooting

  • Auto-populate created nothing — every source already has a POAM (the dedup is by sourceId). Check the existing list with Source column visible.
  • Excel export returns CSV instead — server-side exceljs failed; the CSV fallback is intentional. Check the API logs in App Insights for the underlying error.
  • Linked Exception/Risk says "View →" but doesn't filter — auto-populate sets the link IDs but the destination pages don't yet filter by them. Use search on the destination page to find the linked record by ID.

See also: GRC Modules Guide, Running Scans, Frameworks & Standards.