NIST 800-53 r5 · Controls catalogue · Family PM
PM-4Plan of Action and Milestones Process
Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Are developed and maintained; Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with established reporting requirements. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | POA&M process requires documented remedial actions and tracking for identified access control deficiencies until resolved per risk priorities. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Drives systematic identification, documentation, and closure of incorrect critical-resource permission assignments through tracked milestones. |
CWE-285 | Improper Authorization | 1,230 | Ensures authorization weaknesses discovered via assessments are captured with concrete remediation plans aligned to organizational risk strategy. |
CWE-693 | Protection Mechanism Failure | 476 | Requires ongoing maintenance of plans to repair or replace failed or inadequate protection mechanisms before they can be exploited at scale. |
CWE-657 | Violation of Secure Design Principles | 19 | Mandates a repeatable, risk-aligned process for planning and executing security improvements, directly countering ad-hoc or absent secure management practices. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||