LPDP vs Security Requirement Re-evaluation vs POA&M: A Complete Map

Practitioners talk about three mechanisms for handling NOT MET requirements in CMMC; 32 CFR Part 170 defines two, and the third name is shorthand. Most practitioners conflate them. Here's what the rule actually says about timing, eligibility, and the difference between industry vocabulary and regulatory terminology.

Deep Fathom

32 CFR Part 170 specifies two regulatory mechanisms for handling a NOT MET CMMC requirement, each with different timing and eligibility. Security Requirement Re-evaluation is the evidence path attached to the assessment itself: the Organization Seeking Certification has 10 business days following the conclusion of the active assessment period to supply additional evidence for the flagged requirement to the assessor (a C3PAO at Level 2, DCMA DIBCAC at Level 3) and have it re-scored (§§ 170.17(c)(2) and 170.18(c)(2)). A Plan of Action and Milestones is the post-assessment remediation document tied to Conditional CMMC Status, with a 180-day closure window from the Conditional status date (§ 170.21). Limited Practice Deficiency Program (LPDP) is community shorthand for the re-evaluation mechanism; the phrase does not appear in the regulation. Conflating the three names, or treating LPDP as a separate regulatory path, routes findings incorrectly and costs contractors contracts.

A NOT MET finding has three names in practitioner conversation and two mechanisms in the rule. Walk into a post-assessment conversation and you'll hear all three terms inside ten minutes. None of the people using them will define them the same way.

That conflation is understandable. The mechanisms have similar timing shapes, similar eligibility flavors, and they all sit downstream of the same trigger, a control that an assessor scored NOT MET. The legal consequences diverge anyway. So do the deadlines. So does the set of requirements each mechanism can absorb. The rule is precise where the practitioner conversation is loose, and the looseness costs people contracts when a finding gets routed to the wrong path.

This piece names the three mechanisms by their regulatory terms, anchors each one to 32 CFR Part 170, and walks the decision logic an OSC and their RPO actually face when a finding lands.

Mechanism One. Security Requirement Re-evaluation

This is the term the rule uses. It appears at 32 CFR § 170.17(c)(2) for Level 2 and at § 170.18(c)(2) for Level 3. Both sections describe the same shape with the same window. After an assessment marks a security requirement NOT MET, the contractor has up to 10 business days following the conclusion of the active assessment period to provide additional evidence and have that specific requirement re-evaluated. The re-evaluation is bounded. It applies only to the requirements the assessor (the C3PAO at Level 2, DCMA DIBCAC at Level 3) marked NOT MET, and only within the window the regulation defines.

The conditions for re-evaluation are not unlimited. The additional evidence has to exist and be within reach: the window is for showing that the requirement is already MET, not for building the control. The assessor has to receive and evaluate that evidence inside the window. The requirement has to be one where a clarifying artifact or corrected statement plausibly closes the gap, not one where the control simply doesn't exist in the environment. A NOT MET finding because an artifact was missing from the package is a candidate for re-evaluation. A NOT MET finding because the contractor never deployed the control in the first place is not.

Most C3PAOs treat re-evaluation as the first option for any salvageable NOT MET finding. If the contractor can produce the missing evidence inside the 10-business-day window, the finding gets re-scored MET and never moves to the next mechanism. That sequencing matters. Re-evaluation, when it succeeds, eliminates the need for everything that follows.

Mechanism Two. The Limited Practice Deficiency Program

Read the regulation cover to cover and you will not find this phrase. “Limited Practice Deficiency Program” and its initialism “LPDP” are industry vocabulary. They show up in training materials, in C3PAO marketing, in community forums, in conference panels. They do not appear in 32 CFR Part 170.

In practice, when a practitioner says LPDP, they almost always mean the security requirement re-evaluation mechanism described above. The shorthand traveled faster than the rule’s vocabulary did, and it stuck. There’s no harm in using LPDP in a conversation where everyone in the room is talking about the same thing. There is harm when the conversation moves to the assessment record, to a CCB conversation, to a contract dispute, or to a discussion about eligibility, because the record needs to name the mechanism the rule recognizes.

The position worth holding is narrow. LPDP is a useful conversational handle. Security requirement re-evaluation is the term that survives outside a conversation. If a draft, a deliverable, a written deficiency response, or a tracker says LPDP, it is borrowing a label the rule does not assign. The fix is not to argue with the shorthand. The fix is to name the regulatory mechanism alongside it when the artifact will be read by someone making an eligibility decision.

Mechanism Three. POA&M

Plan of Action and Milestones is the formal regulatory mechanism for NOT MET requirements that survive past re-evaluation. It is defined at 32 CFR § 170.21. The timing is different from re-evaluation. The eligibility is different. The consequence of failure is different.

The clock. A POA&M item must close within 180 days of the Conditional CMMC Status date, and closure is verified by a POA&M closeout assessment, not by the contractor's own declaration. If the POA&M is not closed out in time, the Conditional status expires and the contractor needs a new assessment to regain certification. The 180 days is not negotiable, and the regulation does not provide an extension mechanism.

The eligibility. A POA&M is available at all only if the assessment score is at least 0.8 of the total, which for the 110 requirements means at least 88 MET (§ 170.21(a)(2)(i)). Within that gate, POA&M placement is limited to 1-point requirements per § 170.21(a)(2)(ii), with one explicit carve-out in the regulation: SC.L2-3.13.11 (CUI Encryption) may sit on a POA&M at 3 points when encryption is employed but is not FIPS-validated. The CMMC scoring methodology in § 170.24 assigns 5-point, 3-point, and 1-point values to NIST SP 800-171 requirements based on the security impact of each. Apart from the SC.L2-3.13.11 exception, a NOT MET finding on a 5-point or 3-point requirement cannot ride a POA&M. The contractor either closes the gap before assessment, supplies the evidence during the re-evaluation window, or fails the assessment.

Multi-factor authentication (IA.L2-3.5.3) is the canonical illustration of why the point cap and partial credit are separate questions. MFA is one of two requirements for which the scoring methodology in § 170.24 recognizes partial credit (the other is SC.L2-3.13.11): implementing MFA for remote and privileged users but not for general users subtracts 3 points, and not implementing it at all subtracts 5. MFA never sits at a 1-point value. Even partial implementation leaves it above the cap, and unlike SC.L2-3.13.11 it receives no carve-out in § 170.21(a)(2)(ii). MFA must therefore be fully MET at the time of assessment. The two partial-credit twins behave differently because of the carve-out, not because of the scoring.

The exclusions. Separate from the point cap, § 170.21(a)(2)(iii) lists specific requirements that cannot ride a POA&M regardless of score. The list is System Security Plan (CA.L2-3.12.4), External Connections (AC.L2-3.1.20), Control Public Information (AC.L2-3.1.22), and three Physical Protection items (PE.L2-3.10.3, 3.10.4, 3.10.5). These must be MET at the time of assessment. The (a)(2)(iii) exclusion list and the (a)(2)(ii) point cap are distinct paths to the same outcome, and conflating them is one of the more consistent sources of confusion in pre-assessment readiness work.

A POA&M is not a soft landing. It is a conditional path with a hard deadline and a narrow set of allowable items. Treat it as a safety net for a small number of genuine remaining gaps, never as a planning input.

The Decision Logic

A NOT MET finding triggers a sequence, not a menu.

Question one. Is the active assessment period still open? If the assessor is still onsite or the formal assessment window has not closed, the contractor can supply additional evidence or corrected artifacts and have the requirement re-scored within the assessment itself, before the 10-business-day clock has even started. This is the cleanest outcome and the one most often available when the NOT MET is documentation-shaped.

Question two. Has the active assessment period concluded? If yes, security requirement re-evaluation under § 170.17(c)(2) or § 170.18(c)(2) becomes the relevant mechanism, with a 10-business-day window from the conclusion of the active assessment period. The assessor decides whether the requirement is a candidate for re-evaluation and whether the supplied evidence closes the gap. If the re-evaluation succeeds, the finding becomes MET and no further mechanism is needed.

Question three. Did re-evaluation fail, or was it not available? Now POA&M eligibility matters, and it has two parts. First, the overall score must be at least 88 of 110 (§ 170.21(a)(2)(i)); below that, no POA&M is available and the outcome is a failure to certify regardless of which items are open. Second, every open item must qualify: a 1-point requirement (or SC.L2-3.13.11 at 3 points in its non-FIPS-validated encryption case) that is not on the § 170.21(a)(2)(iii) exclusion list can move to a POA&M, and the contractor receives Conditional CMMC Status with a 180-day closure window. If any open requirement is a 5-point or 3-point item outside that carve-out, or sits on the exclusion list, POA&M is not available and the assessment outcome is a failure to certify.

A natural question. Are re-evaluation and POA&M placement mutually exclusive? The regulation doesn’t say so explicitly. In practice, most C3PAOs treat re-evaluation as the first action for any salvageable NOT MET finding, and POA&M placement is reserved for items that re-evaluation cannot close. That sequencing is not legally required. It is the sequencing the assessment record makes the most defensible. We’ve seen contractors try to skip re-evaluation and jump to POA&M placement because the deadline math looks easier, and they end up with a Conditional status that could have been a Final status if the evidence had moved 10 business days earlier.

What This Means In Practice

For the OSC, the discipline at the moment of finding is to ask the assessor the right question and to use the right term. “Is this a re-evaluation candidate?” is the question. “Are we going to LPDP this?” sounds the same in the room and is not the same on paper.

The OSC’s other job is to be ready inside the 10-business-day window. Re-evaluation only works if the missing evidence exists somewhere in the environment and can be packaged, transmitted, and reviewed before the window closes. Practically, that means the SSP, the policy library, the configuration baselines, and the evidence repository need to be in a state where the team can pull a corrected artifact in hours, not weeks. We’ve watched contractors lose re-evaluation eligibility because the artifact existed but was buried in a shared drive that no one had searched in months. The mechanism didn’t fail. The retrieval did.

For the RPO advising them, the discipline is to set expectations in the regulatory vocabulary before assessment week, not after. If an RPO has been using “LPDP” with a client for six months, the moment a finding lands is too late to introduce the term “security requirement re-evaluation” for the first time. The terminology gap becomes a credibility gap exactly when the client most needs the advisor to sound like they understand the rule.

For both, the POA&M question gets answered upstream of the assessment, not at the moment of finding. The list of POA&M-eligible requirements, the § 170.21(a)(2)(iii) exclusions, and the 88-of-110 score gate are knowable months in advance. Any finding that lands on a 5-point or 3-point requirement (SC.L2-3.13.11's carve-out aside) or on the exclusion list is a finding the team should have closed before the assessor arrived. POA&M is a safety net for a narrow slice of genuine remaining gaps. It is not a planning mechanism, and treating it as one inverts the order of effort that actually produces a Final certification.

There’s a second-order effect worth naming. When a team plans around POA&M availability, the readiness work tilts toward documentation that justifies deferral rather than toward implementation that closes gaps. That tilt is invisible in the run-up to assessment and obvious on assessment day, because the assessor evaluates the implementation, not the deferral plan. We’ve watched teams arrive at assessment confident that a long list of items can ride on a POA&M, only to discover that several of those items are on the exclusion list or score above 1 point, and the entire deferral strategy collapses in a single afternoon.

The Close

The shorthand isn’t the problem. The collapse is.

When a practitioner says LPDP and means security requirement re-evaluation, no one is harmed in the conversation. When a deliverable says LPDP and the recipient reads it as a different mechanism, or when an OSC plans an assessment strategy around LPDP without knowing that re-evaluation requires the missing evidence to exist within 10 business days, or when a team treats POA&M and re-evaluation as interchangeable safety valves and discovers at the moment of finding that the requirement is on the § 170.21(a)(2)(iii) exclusion list, the cost lands on the contract.

Use the term the rule uses when the artifact will be read by someone making an eligibility decision. Keep the shorthand for the conversation in the room. Know which mechanism applies before the finding lands, not after.

For deeper detail on the POA&M mechanism alone, see the POA&M template companion piece. For the failed-assessment scenario when no mechanism rescues the finding, see what happens if you fail your CMMC assessment. For broader assessment preparation, see how to prepare for your CMMC assessment and the comparison of self-assessment versus C3PAO paths. For the full control surface that determines which findings even become possible, see the 110 controls that decide your future.

References · 4 official sources

32 CFR Part 170 (CMMC Program Rule) · Regulation · Defines the two regulatory mechanisms for NOT MET requirements (security requirement re-evaluation and POA&M) with their timing and eligibility; the phrase LPDP does not appear in it.
DFARS 252.204-7021 (CMMC Level Requirements) · Regulation · Contract clause that requires the contractor to hold the CMMC status specified in the contract; Conditional CMMC Status and the 180-day POA&M closure window themselves are defined in 32 CFR Part 170.
NIST SP 800-171 Rev 2 · Standard · 110 security requirements, the requirement set against which NOT MET findings are scored.
NIST SP 800-171A (Assessment Procedures) · Standard · 320 assessment objectives, the granular level at which each NOT MET finding is recorded and routed.