If a POAM is 90 days overdue, whom should you report this to?

Prepare for the FISMA Interview Test. Get familiar with key topics and enhance your knowledge with flashcards and multiple-choice questions. Study effectively and be ready for your exam!

Multiple Choice

If a POAM is 90 days overdue, whom should you report this to?

Explanation:
Reporting a 90-day overdue POAM centers on accountability for a system’s security posture. The system owner, who is responsible for the operation and security of the system, and the Information System Security Officer (ISSO), who oversees security controls and compliance, are the right people to escalate to, and they drive remediation. They have the authority to assign resources, track progress, and ensure that each corrective action is completed and documented within the risk management and continuous monitoring framework. The auditor does not hold day-to-day remediation authority, and the CIO is a higher-level executive who may need to be informed in significant cases but isn’t the immediate owner of the remediation tasks. The help desk handles user support and routine IT issues, not security control remediation.

