Plan of Actions and Gravestones

Cybersecurity Awareness Month 2025 Blog Post – Theme by Michael Lozoya

If your organization treats the Plan of Actions and Milestones (POA&M) as a “set it and forget it” compliance artifact, beware: you may already be building a graveyard of unaddressed vulnerabilities.

A POA&M isn’t meant to gather cobwebs. It’s the living record of how you identify, track, and remediate risks in your environment. But too often, it becomes a list of “gravestones”—forgotten issues that were never resolved, never prioritized, and never closed.

Here are three ways to make sure your POA&M doesn’t turn into a cybersecurity cemetery:

  1. Keep It Alive – Update regularly. A stale POA&M signals to leadership that security isn’t being taken seriously. Continuous monitoring means continuous updates.
  2. Prioritize the Tombstones – Not all findings are equal. Address the “critical” headstones first and create a clear timeline for remediation. Show leadership where investment matters most.
  3. Celebrate the Ghosts That Move On – Closing out items shouldn’t be buried in paperwork. Documenting completed milestones shows progress and builds confidence with auditors, executives, and mission partners.

A POA&M should tell a story of resilience, not neglect. It’s a roadmap out of the graveyard—not a list of forgotten ghosts.

👉 This October, as we embrace the spirit of Cybersecurity Awareness Month, take a hard look at your POA&M. Are you breathing life into your risk management practices—or leaving vulnerabilities six feet under?
