Plan of Action and Milestones

A plan of action and milestones (POAM) is a document used to track progress. POAMs are used in many types of project management. A POAM is used to assign responsibility and to allow management to follow up:

  • Assigning responsibility—The POAM makes it clear who is responsible for each task. When a task is not completed on schedule, it also makes clear whom to hold accountable.
  • Management follow-up—PMs and upper-level management can use the POAM to follow up on a project. The POAM allows managers to quickly determine the status of any project. When project management tools are used, the source of the problem is often easy to identify.

POAMs are also useful for audited projects. For example, HIPAA requires regular reviews. The POAM can show the progress the company has made to become compliant. If a company is not 100 percent compliant but can show it has made significant progress, fines may be waived or reduced. If a company doesn’t have any documentation indicating progress, maximum fines could be assessed.

A POAM does not require a specific format. One company may create a POAM in a Microsoft Excel spreadsheet with 15 columns for every item. Another company may create a POAM in a Microsoft Word document.

NOTE

A POAM is also abbreviated as POA&M.

The POAM is a living document. It is not a report that is created once and then considered complete. Instead, the POAM should be updated throughout the life cycle of a project. Additionally, the POAM may look different depending on the phase of the project. Early in the project, the POAM may be generic, but later in the project, it could be more specific.

For example, in the website risk management plan, the website has been attacked. It has suffered two major outages in the past two months. The cause of these two incidents is probably well known. However, not all of the threats and vulnerabilities are likely to be known. The initial POAM might have the following generic items:

  • Approve risk management plan: Assigned to ______ Due by ______
  • Identify threats: Assigned to ______ Due by ______
  • Identify vulnerabilities: Assigned to ______ Due by ______
  • Identify potential solutions: Assigned to ______ Due by ______
  • Prepare risk management plan report: Assigned to ______ Due by ______
  • Approve risk response plan: Assigned to ______ Due by ______
  • Begin implementation of plan: Assigned to ______ Due by ______
  • Complete implementation of plan: Assigned to ______ Due by ______

Later, when management approves the specific recommendations, a POAM can be created for the approved and modified recommendations. Each recommendation within the POAM could have multiple line items. For example, the task of upgrading the firewall could be a major milestone made up of the tasks listed below. When all of the tasks have been completed, the milestone is met.

  • Log current firewall activity: Assigned to ______ Due by ______
  • Purchase two SS75 firewalls: Assigned to ______ Due by ______
  • Create firewall policy: Assigned to ______ Due by ______
  • Test firewalls: Assigned to ______ Due by ______
  • Implement external firewall: Assigned to ______ Due by ______
  • Implement internal firewall: Assigned to ______ Due by ______
  • Move web server to DMZ: Assigned to ______ Due by ______

NOTE

A milestone is a scheduled event. It indicates the completion of a major task or group of tasks. Milestones are commonly used in project management to verify how the project is doing. When milestone dates are missed, the project is behind schedule.

Each line item could include the following details:

  • Task name
  • Associated threat or vulnerability
  • Risk level (low, medium, or high)
  • Step or milestone name
  • Assignment of responsibility
  • Point of contact
  • Estimated cost
  • Actual cost
  • Estimated person-hours to complete task
  • Actual person-hours to complete task
  • Scheduled start date
  • Actual start date
  • Milestone due date
  • Current status
  • Scheduled completion date
  • Actual date of completion
  • Comments

Project Management Software

Many versions of project management software are available. One example is Microsoft Office Project, which includes different versions, such as Microsoft Office Project Standard and Project Professional.

Project software includes tools that can be used to create charts. Charting tools provide a graphic representation of the project and can automatically detect the status of a project.

Some software will indicate the status of a project with colors, such as green, yellow, or red. Green could indicate on schedule and on budget, yellow could indicate a danger of going over schedule or over budget, and red could indicate over schedule or over budget.

A PM can enter data as the risk management project progresses, and these charts will automatically be updated. A server can be used to host data on multiple projects so that managers can access reports on any of the projects via a web browser.

Different tools can be used to assist in tracking the POAM. These tools don’t replace the POAM but instead provide graphic representations of the POAM and its progress. These tools include:

  • Milestone plan chart
  • Gantt chart
  • Critical path chart