The POA&M Problem: Why FedRAMP’s Risk Management Needs Disruption, Not a Revision

Adam Shnider

EVP, Assessment Services, Coalfire

August 28, 2025

For years, Plans of Action and Milestones (POA&Ms) have been a staple of FedRAMP’s compliance approach. But what if the very tool designed to manage risk is now one of the biggest risks itself?

At the heart of the issue is a fundamental misalignment. POA&Ms, as Pete Waterman explains in detail in his recent GitHub post “A POA&M for POA&Ms”, were born from resource and capital planning principles, intended to “correct any material weaknesses”. The Office of Management and Budget (OMB) defines a “material weakness” as a deficiency that could lead to a significant misstatement in financial reports. OMB extended this concept to cybersecurity—but the translation has been clumsy at best: it is less precisely defined and open to agency interpretation, covering deficiencies in cybersecurity controls that create a reasonable possibility that a material misstatement in financial reports, a significant operational failure, or a major non-compliance with laws and regulations will not be prevented or detected in a timely manner.

The Case for POA&M Disruption

The FSCAC’s August 2025 meeting could be a turning point: it can give the FedRAMP PMO insight into the challenge and drive real change to the POA&M standards, or even redefine the requirement, with a focus on the FedRAMP Authorization Act, to track risks. In preparation for the FSCAC meeting I met with over a dozen CSPs of all sizes, as well as seasoned assessors and ConMon experts, to ensure I had a broad sense of the challenge before answering the main questions being asked. The following highlights the questions asked of the FSCAC members and some of the feedback from that research.

  1. What are the major pain points with the current POA&M implementation for CSPs and agencies?
    • CSPs: Excessive administrative burden, thresholds are too binary (quantity over risk), focus on vulnerability count over risk, duplication of effort with ConMon and POA&M, monthly communication is too frequent with limited value, difficulties with container reporting, inconsistent guidance and lack of automation, rigid Excel-based templates.
    • Agencies: Difficulty with risk adjustment, lack of review/understanding of POA&M data, delayed information leading to outdated reports, and non-uniform standards for risk identification.
  2. What are the security gaps and increased risks (including missed opportunities) that result from the current model?
    • Diversion of critical security resources to low-value compliance tasks instead of high-impact activities like threat modeling and secure design.
    • Ineffective risk management due to a CVSS-driven model that lacks business context and real-world exploitability data, leading to misprioritization of threats and categorization of risk. Current processes reward volume vs. true risk reduction and mitigation.
    • Limited visibility for agencies into the overall security posture beyond just vulnerability counts, missing crucial aspects like configuration management and software security.
  3. What are the benefits of the current model?
    • Functions as a reporting tool that aligns with some CSPs' internal processes.
    • Acts as a compliance enforcement mechanism, ensuring some adherence to remediation timelines.
    • Provides a structured record and tracking mechanism for vulnerability remediation efforts.

Based on this feedback, it is clear the community is calling for a radical shift—from compliance checklists to dynamic risk management. The final question concerned recommended changes that address the pain points and increase the benefits of the process.

Compliance Theater vs. Real Security

Cloud Service Providers (CSPs) are drowning in administrative overhead. The current POA&M model feels like it may be rewarding volume over value—counting vulnerabilities instead of contextualizing risk. Monthly reporting cycles churn out outdated data, while security teams are forced to prioritize spreadsheet hygiene over threat modeling and secure design.

Agencies, meanwhile, are left with a false sense of security. They receive rigid Excel templates filled with binary thresholds and vulnerability counts, but lack insight into exploitability, asset criticality, or environmental context. The result? Misprioritized threats, delayed remediation, and a growing gap between compliance and actual security.

RFC 0012: The Key to Disrupting POA&Ms is Getting Continuous Monitoring Right

FedRAMP’s RFC 0012 is a pivotal step toward transforming continuous monitoring (ConMon) from a data dump into a strategic asset. The current POA&M model often absorbs raw scan data without context, overwhelming agencies and obscuring real risk because it is so heavily focused on rigid timelines, vulnerability counts and non-contextual CVSS scores.

RFC 0012 proposes a smarter approach: use continuous monitoring to classify risk based on exploitability, environmental context, and asset criticality. While the RFC was not perfect, it seems to acknowledge a shift beyond CVSS scores and to embrace dynamic, real-world indicators that could be captured with VEX and EPSS. When done right, ConMon becomes a more valuable threat indicator—not just an unvetted list of CVSS scores.

It is absolutely critical to get the new ConMon standards right in order to empower CSPs to prioritize remediation efforts based on actual threat potential, and to give agencies a clearer picture of what truly matters. It’s not just about finding vulnerabilities—it’s about understanding which ones could actually hurt you. This would allow the real risks identified in ConMon to be translated into POA&Ms that track “material weaknesses”, as the original intent of the POA&M for cybersecurity requires, rather than just a list of vulnerabilities.

Separate ConMon from POA&Ms: Stop the Chaos, Start the Clarity

One of the most dramatic recommendations from my preparation is to decouple continuous monitoring from POA&M reporting. Here’s why:

  • Not all scan data is risk: Just because a vulnerability shows up in a scan doesn’t mean it belongs on a POA&M. Including too much information creates noise, dilutes focus, and leads to poor decision-making.
  • POA&Ms should reflect real, contextualized risk: Only those findings from ConMon that meet a defined risk threshold—based on exploitability, exposure, and business impact—may need to be escalated to POA&M status.
  • Agencies need clarity, not clutter: When POA&Ms are bloated with findings that are low priority and, in context, low risk, agencies struggle to identify what truly matters. A streamlined POA&M process focused on real risk enables faster, smarter decisions.

This separation allows ConMon to serve its purpose—continuous visibility—while POA&Ms become a targeted tool for managing and mitigating significant risks.
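As an added illustration of the threshold-based escalation described in the RFC 0012 and decoupling sections above (example code, not Coalfire’s or FedRAMP’s; the EPSS threshold, criticality weights, risk floor and finding IDs are all assumptions constructed for the example):

```python
# Added example: triage ConMon scan findings into POA&M candidates, keeping
# raw scan output in ConMon and escalating only contextual risk. Thresholds,
# field names and sample findings are assumptions, not FedRAMP guidance.
from dataclasses import dataclass

EPSS_ESCALATE = 0.10  # assumed: >=10% EPSS probability counts as "likely exploited"
CRITICALITY_WEIGHT = {"high": 1.0, "moderate": 0.6, "low": 0.3}  # assumed weights

@dataclass
class Finding:
    finding_id: str         # constructed placeholder, not a real CVE identifier
    cvss: float             # scanner base score (kept for reporting, not for triage)
    epss: float             # EPSS probability, 0.0..1.0
    vex_status: str         # "affected", "not_affected", "fixed", "under_investigation"
    asset_criticality: str  # "high", "moderate", "low"
    internet_exposed: bool

def contextual_risk(f: Finding) -> float:
    """Exploitability x exposure x business impact, instead of CVSS alone."""
    exposure = 1.0 if f.internet_exposed else 0.4
    return round(f.epss * exposure * CRITICALITY_WEIGHT[f.asset_criticality], 4)

def escalate_to_poam(f: Finding) -> bool:
    """True only for findings that are reachable and matter to the mission."""
    if f.vex_status in ("not_affected", "fixed"):
        return False  # scanner noise: stays visible in ConMon, never a POA&M
    if f.epss >= EPSS_ESCALATE and f.internet_exposed:
        return True   # likely exploited and reachable from the internet
    return f.asset_criticality == "high" and contextual_risk(f) >= 0.05  # assumed floor

def triage(findings: list[Finding]) -> tuple[list[str], list[str]]:
    """Split findings into POA&M candidates and ConMon-only visibility items."""
    poam = [f.finding_id for f in findings if escalate_to_poam(f)]
    conmon_only = [f.finding_id for f in findings if not escalate_to_poam(f)]
    return poam, conmon_only

SAMPLE = [  # constructed sample scan output
    Finding("EX-0001", 9.8, 0.02, "not_affected", "high", True),  # critical CVSS, vendor VEX says no
    Finding("EX-0002", 7.5, 0.45, "affected", "moderate", True),  # mid CVSS, but hot EPSS and exposed
    Finding("EX-0003", 9.1, 0.01, "affected", "low", False),      # critical CVSS, internal, low asset
    Finding("EX-0004", 6.5, 0.30, "affected", "high", False),     # internal, but high-value asset
]
```

Note that the two highest-CVSS findings stay in ConMon while the two lower-CVSS ones become POA&M candidates, which is the point of the decoupling argument.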

A POA&M for POA&Ms

The irony is rich: we need a POA&M to fix POA&Ms. But this isn’t just about tweaking templates or updating guidance. It’s about reimagining how we define, manage, and communicate risk in a cloud-first world.

FedRAMP has the opportunity to lead—not just in compliance, but in real cybersecurity.