Which references support CA-5 Plan of Action and Milestones?


Multiple Choice

Which references support CA-5 Plan of Action and Milestones?

Explanation:
CA-5 is about creating and maintaining a Plan of Action and Milestones to remediate security weaknesses and track progress toward a secure state. The strongest pairing for this control comes from policy and RMF guidance that directly address documenting remediation steps and reporting progress. OMB Memorandum M-02-01 requires agencies to implement an information security program with a documented POA&M and to report remediation status and milestones to oversight authorities. NIST SP 800-37 provides the Risk Management Framework and explicitly covers CA-5, detailing how organizations prepare, maintain, and update POA&Ms as part of continuous authorization and risk management. Together, these sources establish both the governance (policy) and the practical framework (RMF) for Plan of Action and Milestones.

The other references don’t directly establish the CA-5 POA&M process in the same authoritative way. Contingency planning guidance, general security planning documents, or other policy materials may touch security planning, but they do not provide the specific POA&M requirements and reporting emphasis that CA-5 relies on.
