Office of the Chief Information Officer

United States Department of Agriculture

Departmental Regulation 3565-003

Office of the Chief Information Officer

Plan of Action and Milestones Policy


a. This Departmental Regulation (DR) establishes the policy of the United States Department of Agriculture (USDA) for identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security vulnerabilities found in USDA programs, applications and systems. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Guide for Conducting Risk Assessments, defines vulnerability as a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

b. A plan of action and milestones (POA&M), also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished to remediate security vulnerabilities. The goal of a POA&M should be to reduce the risk of the vulnerability identified. 2 c. This policy adheres to the guidance identified in the NIST (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.


This DR applies to all USDA Information Technology (IT) systems owned, operated, or maintained by, for, or on behalf of USDA. This includes contractor and cloud systems. This DR also applies to IT programs that provide security controls for use (inheritance) by any USDA IT system.