A Plan of Action and Milestones is your structured plan for closing security requirements that aren’t fully implemented at the time of your CMMC assessment. It’s not a parking lot for controls you haven’t gotten to. It’s a time-bound remediation commitment with real consequences if you don’t follow through.
Under CMMC, POA&Ms are allowed for some requirements, prohibited for others, and constrained by a 180-day closure window. Understanding how POA&Ms work, what goes into them, and how to manage closure is critical for any contractor pursuing Level 2 certification.
## When POA&Ms Apply
A POA&M comes into play when your assessment identifies security requirements that are NOT MET. Instead of failing the assessment outright, CMMC allows certain NOT MET requirements to be documented in a POA&M with a plan for remediation.
The result is a Conditional certification status. Conditional Level 2 means the organization met enough requirements to pass the minimum threshold but has open items that must be resolved.
The threshold: CMMC Level 2 uses a 110-point weighted scoring methodology. Both basic and derived requirements can carry 5-point or 3-point values depending on their effect, with all remaining derived requirements carrying 1-point values. Conditional status requires achieving at least 80% of the maximum score, with only permissible NOT MET requirements on the POA&M. You can’t receive Conditional status if non-eligible requirements are NOT MET.
The clock: All POA&M items must be closed within 180 days of the Conditional CMMC Status date. If you don’t close them in time, your Conditional status expires. You would need to undergo a new assessment.
The restriction: Not all requirements are POA&M-eligible. The DoD has designated specific requirements that must be fully implemented at the time of assessment. If any of these non-POA&M-eligible requirements are NOT MET, you don’t receive even Conditional status, regardless of your score on everything else.
## What Your POA&M Must Include
A CMMC POA&M isn’t a generic risk register or a vague list of things to fix. It’s a structured document with specific required elements for each open item.
For each NOT MET requirement on the POA&M:
- Security requirement identifier. The specific NIST 800-171 requirement number and name (e.g., AC.L2-3.1.1, Limit System Access).
- Description of the gap. What specifically is not met. Not “access control needs improvement.” Rather: “Conditional access policies are not enforced on mobile devices connecting to the CUI environment.”
- Assessment objectives affected. Which of the specific assessment objectives within this requirement are not satisfied.
- Remediation actions planned. The concrete steps that will close the gap. “Implement conditional access” is too vague. “Deploy Intune conditional access policies for mobile devices, configure device compliance requirements, test enforcement, and document the configuration” is actionable.
- Responsible party. The named individual or role accountable for completing the remediation.
- Resources required. Budget, tools, personnel, or vendor support needed to complete the work.
- Target completion date. Must fall within the 180-day window from the Conditional CMMC Status date.
- Current status. Tracking field for progress (not started, in progress, completed, verified).
## POA&M-Eligible vs Non-Eligible Requirements
This distinction is one of the most consequential aspects of CMMC assessment planning.
Non-POA&M-eligible requirements must be fully implemented at assessment time. These are requirements the DoD has determined are too critical to defer. If any of these are NOT MET, the assessment doesn’t result in even Conditional status.
The specific list of non-eligible requirements and the assessment objectives that constitute mandatory pass criteria are defined in the CMMC assessment methodology. The count is significant. The majority of assessment objectives fall into the mandatory category, meaning the scope for POA&M deferral is narrower than many contractors expect.
POA&M-eligible requirements are those where a NOT MET finding can be placed on the POA&M without disqualifying the assessment. Even for eligible requirements, the finding still reduces your weighted score. If too many eligible requirements are NOT MET, your score drops below the passing threshold and POA&M availability doesn’t help.
The practical implication: Don’t plan your assessment strategy around maximizing POA&M usage. Plan it around having as few NOT MET requirements as possible. The POA&M is a safety net for genuine remaining gaps, not a shortcut.
## The 180-Day Closure Process
When you receive a Conditional CMMC Status, the clock starts. Here’s how closure works.
Days 1-30: Confirm your remediation plan. Review each POA&M item. Verify the remediation actions are still accurate. Confirm resource availability. Assign deadlines within the 180-day window, leaving buffer for testing and verification.
Days 30-150: Execute remediation. Implement the planned actions. Configure the tools. Update the policies. Collect the evidence. Don’t wait until day 160 to start.
Days 150-170: Verify and document. For each closed item, verify the control is implemented and working. Collect fresh evidence. Update the SSP to reflect the new implementation. Ensure consistency between the POA&M closure documentation and the SSP.
Days 170-180: POA&M closeout assessment. The closeout assessment evaluates only the NOT MET requirements that were on the POA&M, not the full 110 requirements again. For Level 2 C3PAO certification, the C3PAO conducts the closeout assessment. For Level 2 self-assessment, the organization conducts its own closeout. The assessor won’t re-evaluate requirements that were already MET.
If the closeout succeeds: Your status moves from Conditional to Final. Final Level 2 status is valid for three years with annual affirmation.
If the closeout fails or the 180 days expire: Your Conditional status lapses. You would need to pursue a new full assessment to achieve certification.
## Managing POA&M as a Living Document
A POA&M isn’t something you write once and revisit at day 170. Effective POA&M management requires active tracking.
Weekly status reviews. Check progress against each remediation item. Surface blockers early. Adjust timelines if dependencies shift. The worst outcome is discovering on day 160 that a procurement cycle delayed a tool deployment and you can’t close the item in time.
Evidence collection during remediation. As you implement each fix, capture the evidence immediately. Don’t wait until the closeout assessment to gather proof. The configuration screenshot, the policy update, the training record, capture it when the work happens.
SSP updates in parallel. Every POA&M item that gets closed changes something in your environment. That change must be reflected in your SSP. If you close a POA&M item by deploying MFA on mobile devices, your SSP’s access control section needs to describe that implementation. Keep the SSP current as remediation progresses, not as a batch update at the end.
Stakeholder communication. If your remediation depends on your MSP deploying a configuration, on procurement approving a purchase, or on a vendor delivering a tool, those stakeholders need to know the 180-day timeline. The deadline isn’t flexible.
## Common POA&M Mistakes
Assuming everything is POA&M-eligible. It’s not. A significant number of assessment objectives are mandatory pass. If you assume you can defer a critical requirement and it turns out to be non-eligible, the assessment fails.
Writing vague remediation descriptions. A remediation description that just says “fix access control” isn’t actionable. The POA&M needs specific actions, specific systems, and specific evidence that will demonstrate closure. Vague items lead to vague remediation that doesn’t survive the closeout assessment.
Setting unrealistic timelines. Procurement cycles, configuration complexity, and testing periods take real time. Setting a 30-day target for a remediation that requires procuring and deploying a new tool is setting yourself up for a missed deadline.
Ignoring dependencies. Item A requires a tool that item B also needs. Item C requires a policy that hasn’t been written yet. POA&M items often have dependencies, both on each other and on external factors. Failing to track these dependencies means remediation stalls in ways that aren’t visible until deadlines approach. Map the dependencies and sequence accordingly.
Treating the POA&M as a one-time document. The POA&M should be actively managed from the moment it’s created through closeout. Static POA&Ms that sit in a shared drive untouched until someone panics at day 150 produce rushed, incomplete closures.
## POA&M Template Structure
A practical POA&M for CMMC Level 2 includes these columns for each item:
| Field | Description |
|---|---|
| Item # | Sequential identifier |
| Requirement ID | NIST 800-171 requirement number (e.g., AC.L2-3.1.1) |
| Requirement Name | Short name for reference |
| Assessment Objectives Affected | Specific objectives scored NOT MET |
| Gap Description | What is not implemented or insufficient |
| Remediation Action | Specific steps to close the gap |
| Responsible Party | Named owner |
| Resources Required | Budget, tools, personnel, vendor support |
| Target Completion Date | Within 180 days of Conditional Status date |
| Status | Not Started / In Progress / Completed / Verified |
| Evidence Reference | Pointer to the artifact that proves closure |
| SSP Section Updated | Confirmation that the SSP reflects the remediation |
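As an added illustration of the template above and of the scoring and 180-day rules from the earlier sections (this is example code written for this page, not Deep Fathom's product or any DoD tool), the following Python models one POA&M row, checks it for the problems listed under "Common POA&M Mistakes" (vague text, missing owner, target date outside the window, closure without evidence or an SSP update), and applies the three gates that decide Final, Conditional, or no certification. It assumes that a NOT MET requirement subtracts its 5/3/1 point value from the 110-point maximum; the requirement IDs, point weights, eligibility list and dates in the sample data are constructed placeholders, not the DoD's actual values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Numbers from the article; the code around them is an added example.
MAX_SCORE = 110
CONDITIONAL_FLOOR = 0.80 * MAX_SCORE      # 88 points
CLOSURE_WINDOW = timedelta(days=180)
STATUSES = ("Not Started", "In Progress", "Completed", "Verified")


@dataclass
class PoamItem:
    """One row of the POA&M template, same columns as the table above."""
    item_no: int
    requirement_id: str
    requirement_name: str
    objectives_affected: tuple
    gap: str
    remediation: str
    responsible: str
    resources: str
    target_date: date
    status: str = "Not Started"
    evidence_ref: str = ""
    ssp_section_updated: bool = False


def validate_item(item: PoamItem, conditional_date: date) -> list:
    """Return the problems found in one row; an empty list means the row is usable."""
    problems = []
    # "fix access control" is neither a gap nor a remediation; require some substance.
    for label, text in (("gap", item.gap), ("remediation", item.remediation)):
        if len(text.split()) < 6:
            problems.append(f"item {item.item_no}: {label} description is too vague")
    if not item.objectives_affected:
        problems.append(f"item {item.item_no}: no assessment objectives listed")
    if not item.responsible.strip():
        problems.append(f"item {item.item_no}: no responsible party")
    if item.target_date > conditional_date + CLOSURE_WINDOW:
        problems.append(f"item {item.item_no}: target date is outside the 180-day window")
    if item.status not in STATUSES:
        problems.append(f"item {item.item_no}: unknown status {item.status!r}")
    if item.status == "Verified" and not item.evidence_ref:
        problems.append(f"item {item.item_no}: verified without an evidence reference")
    if item.status == "Verified" and not item.ssp_section_updated:
        problems.append(f"item {item.item_no}: verified but SSP section not updated")
    return problems


def weighted_score(weights: dict, not_met: set) -> int:
    """Assumed scoring: each NOT MET requirement subtracts its 5/3/1 value from 110."""
    return MAX_SCORE - sum(weights[r] for r in not_met)


def certification_status(weights: dict, poam_eligible: set, not_met: set) -> str:
    """Apply the article's gates in order: eligibility, then the 80% score floor."""
    if not not_met:
        return "Final"
    if any(r not in poam_eligible for r in not_met):
        return "Not certified: non-POA&M-eligible requirement NOT MET"
    if weighted_score(weights, not_met) < CONDITIONAL_FLOOR:
        return "Not certified: score below 80% threshold"
    return "Conditional"


def days_remaining(conditional_date: date, today: date) -> int:
    """Days left on the 180-day clock; negative means Conditional status has lapsed."""
    return (conditional_date + CLOSURE_WINDOW - today).days


def report(items, conditional_date) -> list:
    """Collect validation problems across the whole POA&M."""
    return [p for item in items for p in validate_item(item, conditional_date)]


# Constructed sample data: REQ-A..REQ-D, their weights, the eligibility set and
# the dates are placeholders, not the DoD's real requirement IDs or values.
SAMPLE_WEIGHTS = {"REQ-A": 5, "REQ-B": 1, "REQ-C": 3, "REQ-D": 1}
SAMPLE_ELIGIBLE = {"REQ-B", "REQ-C", "REQ-D"}          # REQ-A must be MET at assessment
CONDITIONAL_DATE = date(2025, 1, 15)
SAMPLE_TODAY = date(2025, 6, 1)

SAMPLE_ITEMS = [
    PoamItem(1, "REQ-B", "Mobile device access (constructed)", ("[a]", "[c]"),
             "Conditional access policies are not enforced on mobile devices "
             "connecting to the CUI environment.",
             "Deploy Intune conditional access policies for mobile devices, configure "
             "device compliance requirements, test enforcement, and document the configuration.",
             "IT Security Lead", "Intune licences; 40 staff hours",
             CONDITIONAL_DATE + timedelta(days=120), "In Progress"),
    # A badly written row: vague text, no owner, date past day 180, "Verified" with no proof.
    PoamItem(2, "REQ-C", "Baseline configuration (constructed)", ("[b]",),
             "Fix config", "Fix it", "", "None",
             CONDITIONAL_DATE + timedelta(days=200), "Verified"),
]

if __name__ == "__main__":
    for problem in report(SAMPLE_ITEMS, CONDITIONAL_DATE):
        print(problem)
    print(certification_status(SAMPLE_WEIGHTS, SAMPLE_ELIGIBLE, {"REQ-B", "REQ-C"}))
    print(days_remaining(CONDITIONAL_DATE, SAMPLE_TODAY), "days left")
```

Run as-is, the script flags six problems on item 2 and none on item 1, reports Conditional status for two eligible NOT MET items, and shows how many days remain on the clock. The six-word minimum is a crude stand-in for a human review of specificity; the point is that the row-level checks run every week, not at day 170.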
## From Template to System
A POA&M template gives you the right structure. A system manages the lifecycle. Deep Fathom tracks POA&M items from creation through closure, alerts on approaching deadlines, links remediation actions to evidence and SSP updates, and produces the closeout package for your C3PAO.