The Federal Information Security Management Act (FISMA) requires every Federal department and agency to develop and implement a Plan of Action and Milestones (POA&M) process and to periodically report progress to OMB and Congress.
The weakness description should always be consistent with the results of the assessment. POA&M weaknesses should provide sufficient information to facilitate oversight and progress tracking. Each weakness should be associated with a security boundary, security control or program.
Each POA&M should include an estimate of the cost to remediate. The identification of adequate resources and funding to resolve weaknesses is critical in prioritization for decision makers such as system owners and authorizing officials. Updating POA&M costs/resources is an essential part of continuous monitoring.
During continuous monitoring, the point of contact (POC) assigned to each POA&M must be checked regularly to confirm that the POC is still valid and capable of resolving the POA&M. Any delay in remediation needs a documented justification. If a POA&M cannot be remediated at all, a risk-based decision memo must be drafted and signed by the decision makers.