The first thing you need to do is decide on a POA&M ID numbering system. You want to keep track of all your POA&M objectives by giving each one a unique number or identifier. Record which control is associated with it, so that you know what your goal is and which control you are addressing. Describe the weakness or issue, and note how you discovered it: what source notified you about the issue? Record which asset is affected by the weakness, exploit or vulnerability, and identify it by its unique identifier, which should also be in your SSP documentation. Identify the person responsible for fixing the weakness, and who else might be required to fix it, as it may be a different person. Record when you detected the issue and when you plan on fixing it, and keep an overall status indicator for all your completion dates or projected completion dates. You can also track various other items in your POA&M that revolve around dates, approvers, comments, and documentation that might be relevant to the issue.
Some POA&Ms include risk ratings and any dependencies that addressing the control might involve. You can keep the POA&M shortened to the relevant information that you have available. A Managed Security Service Provider can assist with this project and ensure all your bases are covered.
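The fields listed above can be kept as a small structured register and checked automatically. The following is an added example, not part of the original article: the field names, the status labels (Open, Overdue, Completed), and the sample IDs, controls and assets are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PoamItem:
    poam_id: str              # unique ID from your numbering system
    control: str              # control the item addresses
    weakness: str             # description of the weakness or issue
    source: str               # how the weakness was discovered
    asset_id: str             # asset identifier, as recorded in the SSP
    responsible: str          # person responsible for the fix
    detected: date
    planned_completion: date
    completed: Optional[date] = None

    def status(self, today: date) -> str:
        """Overall status indicator derived from the dates (labels assumed)."""
        if self.completed:
            return "Completed"
        return "Overdue" if today > self.planned_completion else "Open"

def validate(items, ssp_asset_ids, today):
    """Return (poam_id, problem) findings for the whole register."""
    findings, seen = [], set()
    for it in items:
        if it.poam_id in seen:
            findings.append((it.poam_id, "duplicate POA&M ID"))
        seen.add(it.poam_id)
        for name in ("control", "weakness", "source", "responsible"):
            if not getattr(it, name).strip():
                findings.append((it.poam_id, f"missing {name}"))
        if it.asset_id not in ssp_asset_ids:
            findings.append((it.poam_id, "asset not in SSP inventory"))
        if it.planned_completion < it.detected:
            findings.append((it.poam_id, "planned completion precedes detection"))
        if it.status(today) == "Overdue":
            findings.append((it.poam_id, "overdue"))
    return findings

# Constructed sample data: asset IDs from a hypothetical SSP and two entries.
SSP_ASSETS = {"SRV-001", "WKS-014"}
REGISTER = [
    PoamItem("POAM-2024-001", "AC-2", "Stale accounts not disabled",
             "Internal audit", "SRV-001", "J. Doe",
             date(2024, 1, 10), date(2024, 3, 1)),
    PoamItem("POAM-2024-001", "SI-2", "Missing patches", "Vulnerability scan",
             "WKS-099", "", date(2024, 2, 1), date(2024, 1, 15)),
]
```

Running `validate(REGISTER, SSP_ASSETS, date.today())` on a schedule gives a quick list of entries that need attention before the next review.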