A formal document that identifies gaps or deficiencies in an organization’s cybersecurity posture and lays out a roadmap to remediate them. A POA&M typically includes the specific control not met, the planned corrective actions, responsible parties, required resources, and a timeline for completion. Under CMMC, POA&Ms can be used in limited circumstances, but unresolved gaps must be closed before certification is awarded.