Which artifact documents the planned actions to address weaknesses and current remediation status?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

Which artifact documents the planned actions to address weaknesses and current remediation status?

Explanation:
In RMF practice, the artifact that captures what needs to be done to fix weaknesses and tracks how those fixes are progressing is the Plan of Actions and Milestones (POA&M). The POA&M specifically lists identified weaknesses or findings, the recommended or planned corrective actions, who is responsible, the resources required, the milestones or deadlines, and the current remediation status. This makes it the go-to document for monitoring progress, prioritizing efforts, and informing authorization decisions as vulnerabilities are addressed over time.

The System Security Plan describes how the system is designed and secured, including system boundaries and how controls are implemented, but it doesn’t lay out remediation actions in a milestone-focused way. The risk register tracks risk levels and sometimes treatment options, but it isn’t the primary artifact for detailing concrete remediation steps and their status. The system requirements specification is about what the system must do and how it interfaces, not about addressing weaknesses.
