Which references support CA-5 Plan of Action and Milestones?


Multiple Choice

Which references support CA-5 Plan of Action and Milestones?

Explanation:
A Plan of Action and Milestones (POA&M) is the process for documenting planned remediation steps and tracking progress toward fixing security weaknesses. In federal practice, one source provides the policy requirement to maintain and report these remediation activities, while the other provides the practical method for implementing them within the risk management framework. The OMB memorandum sets the policy that agencies must maintain POA&Ms and report their status, ensuring accountability and oversight. The NIST SP 800-37 guide then defines CA-5 and shows how to develop, manage, and monitor a POA&M as part of the security assessment and authorization lifecycle. Taken together, these references give both the mandate and the concrete process for CA-5. The other references focus on related but different areas (such as contingency planning or general information resources management) and do not address the POA&M process.

