The process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA&M). A POA&M is created whenever audits reveal an area of weakness in security controls. This is an opportunity to strengthen or “harden” your system through carefully planned improvements – which boosts the overall resilience of our agency’s cyber infrastructure. The CMS security staff and your integrated team are ready to help you along the way.

This video is a quick and entertaining way to learn all about POA&Ms and how they are used at CMS.

More guidance about POA&M at CMS is available here.

If you have questions, contact the CISO Team (CISO@cms.hhs.gov), or ask a Cyber Risk Advisor in CMS Slack (#cra-help).