A POA&M — Plan of Action and Milestones — is one of the most misunderstood tools in defense compliance. Some contractors treat it as a free pass: write the gap down, keep operating, fix it whenever. Others believe CMMC banned POA&Ms entirely. Both are wrong. Under CMMC 2.0, a POA&M can carry you through a Level 2 assessment with known gaps — but only certain gaps, only if your score is high enough, and only for 180 days.
Here is how the mechanism actually works, where the hard limits sit, and how to use one without betting your certification on it.
A Plan of Action and Milestones is a formal, dated commitment to fix specific security gaps. The concept comes from NIST SP 800-171 itself: security requirement 3.12.2 directs organizations to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities. For each unimplemented requirement, the POA&M records what is missing, what will be done about it, the milestones along the way, who owns the work, what resources it needs, and when it will be finished.
Think of it as a promissory note to the government: the debt is a security gap, and the POA&M is the repayment schedule. Like any promissory note, it only has value if you can actually pay.
Under the original CMMC 1.0 model, certification required everything to be in place on assessment day — no open items, period. CMMC 2.0 restored a limited role for POA&Ms, and the CMMC Program rule (32 CFR, effective December 16, 2024) codified exactly how limited that role is. The result is a narrow, time-boxed allowance called conditional status: you can pass a Level 2 assessment with a short list of open items, provided you meet strict conditions and close the list fast.
The reasoning behind the tight limits is no secret. In the self-attestation era that preceded CMMC, plans of action too often became permanent — gaps documented years ago were still open when assessors finally arrived. The 2.0 design keeps the flexibility but attaches a countdown to it. And the limits apply the same way whether your contract calls for a C3PAO assessment or one of the less common Level 2 self-assessments.
Three gates must all be satisfied:
Meet all three conditions and you receive Conditional Level 2 status — you are assessed, you are eligible for award, and the clock starts.
Every POA&M item must be closed within 180 days of the assessment. Closure is verified through a close-out assessment of the open items; when they pass, your conditional status converts to final. Miss the window and the conditional status lapses — along with the eligibility that came with it.
The practical planning rule: 180 days is shorter than it sounds. Whatever you place on a POA&M has to be procured, deployed, operationalized, and evidenced inside that window — including vendor lead times, change freezes, and the close-out verification itself. If a fix depends on a budget cycle or a product you have not selected yet, it does not belong on a POA&M; it belongs on your pre-assessment remediation plan.
Outside the certification process, the POA&M plays a second role. When you submit your NIST 800-171 self-assessment score to SPRS under DFARS 252.204-7019 and 7020, you also record the date you expect to reach full implementation of all 110 requirements — a date that should come straight from your POA&M. The score, the SSP, and the POA&M form a single, mutually consistent representation to the government about your security posture. Keep them synchronized, and treat their accuracy as the legal representation it is.
Format matters less than completeness. Every entry should carry:
Vague entries — "improve access control, Q4" — signal that the plan is decorative. Specific entries signal an organization that manages security the way it manages projects, and assessors notice the difference.
The strongest position on assessment day is not a well-written POA&M — it is not needing one. Two moves make that realistic. First, find your gaps while they are still cheap to fix: a CMMC readiness assessment scores you against all 110 requirements long before a C3PAO does, when every finding is still just a to-do item rather than a certification condition. Second, shrink the surface you have to defend: consolidating CUI into a purpose-built secure enclave means fewer systems where each requirement must be implemented and evidenced. Contractors who do both tend to arrive at assessments with short gap lists — or none at all.
Essendis takes defense contractors from first gap analysis to a finished Level 2 program — advisory and engineering under one roof. Our CMMC Level 2 compliance services cover remediation planning, POA&M management, and assessment preparation, built on the same approach that carried our client RPS Defense to a perfect 110/110 Level 2 assessment with A-LIGN (C3PAO) — no POA&M required. New to the framework? Start with our CMMC 2.0 overview, or Connect with an expert to talk through your gap list.

