POA&M Explained: When You Can (and Can't) Use One Under CMMC

A POA&M — Plan of Action and Milestones — is one of the most misunderstood tools in defense compliance. Some contractors treat it as a free pass: write the gap down, keep operating, fix it whenever. Others believe CMMC banned POA&Ms entirely. Both are wrong. Under CMMC 2.0, a POA&M can carry you through a Level 2 assessment with known gaps — but only certain gaps, only if your score is high enough, and only for 180 days.

Here is how the mechanism actually works, where the hard limits sit, and how to use one without betting your certification on it.

What Is a POA&M?

A Plan of Action and Milestones is a formal, dated commitment to fix specific security gaps. The concept comes from NIST SP 800-171 itself: security requirement 3.12.2 directs organizations to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities. For each unimplemented requirement, the POA&M records what is missing, what will be done about it, the milestones along the way, who owns the work, what resources it needs, and when it will be finished.

Think of it as a promissory note to the government: the debt is a security gap, and the POA&M is the repayment schedule. Like any promissory note, it only has value if you can actually pay.

What CMMC 2.0 Changed

Under the original CMMC 1.0 model, certification required everything to be in place on assessment day — no open items, period. CMMC 2.0 restored a limited role for POA&Ms, and the CMMC Program rule (32 CFR, effective December 16, 2024) codified exactly how limited that role is. The result is a narrow, time-boxed allowance called conditional status: you can pass a Level 2 assessment with a short list of open items, provided you meet strict conditions and close the list fast.

The reasoning behind the tight limits is no secret. In the self-attestation era that preceded CMMC, plans of action too often became permanent — gaps documented years ago were still open when assessors finally arrived. The 2.0 design keeps the flexibility but attaches a countdown to it. And the limits apply the same way whether your contract calls for a C3PAO assessment or one of the less common Level 2 self-assessments.

When You Can Use a POA&M at Level 2

Three gates must all be satisfied:

  • Only lower-weight requirements qualify. Each of the 110 NIST 800-171 requirements carries a point weight in the DoD scoring methodology — most are worth 1 point, but the most consequential are worth 3 or 5. POA&Ms are broadly permitted only for the lower-weight, one-point requirements, with narrow exceptions defined in the rule. The high-weight items — the ones that anchor your security posture, such as multifactor authentication — must be done on assessment day.
  • You must clear the minimum score. The rule sets a floor: your assessment score must reach at least 80 percent of the maximum, which works out to 88 of 110 for Level 2. Score below the threshold and no amount of planning paperwork gets you conditional status.
  • Everything else must be implemented. A POA&M covers a handful of stragglers, not a work program. If your gap list is long, you are not in POA&M territory — you are in remediation territory.

Meet all three conditions and you receive Conditional Level 2 status — you are assessed, you are eligible for award, and the clock starts.

The 180-Day Clock

Every POA&M item must be closed within 180 days of the assessment. Closure is verified through a close-out assessment of the open items; when they pass, your conditional status converts to final. Miss the window and the conditional status lapses — along with the eligibility that came with it.

The practical planning rule: 180 days is shorter than it sounds. Whatever you place on a POA&M has to be procured, deployed, operationalized, and evidenced inside that window — including vendor lead times, change freezes, and the close-out verification itself. If a fix depends on a budget cycle or a product you have not selected yet, it does not belong on a POA&M; it belongs on your pre-assessment remediation plan.

When You Cannot Use One

  • At Level 1. CMMC Level 1 permits no POA&Ms at all. All 17 practices must be fully met when you self-assess — there is no conditional Level 1 status.
  • For high-weight requirements. The 3- and 5-point items are, with narrow exceptions, ineligible regardless of your score.
  • Below the minimum score. Too many open gaps means no conditional status, full stop.
  • As a parking lot. A POA&M is not a mechanism for deferring inconvenient requirements indefinitely. It is a bridge with a demolition date.

POA&Ms and Your SPRS Score

Outside the certification process, the POA&M plays a second role. When you submit your NIST 800-171 self-assessment score to SPRS under DFARS 252.204-7019 and 7020, you also record the date you expect to reach full implementation of all 110 requirements — a date that should come straight from your POA&M. The score, the SSP, and the POA&M form a single, mutually consistent representation to the government about your security posture. Keep them synchronized, and treat their accuracy as the legal representation it is.

What a Good POA&M Looks Like

Format matters less than completeness. Every entry should carry:

  • The unimplemented requirement and a plain description of the gap
  • The specific remediation actions planned
  • Milestones with dates — not just a single far-off finish line
  • The named owner accountable for delivery
  • The resources required: budget, tooling, people
  • The scheduled completion date and current status

Vague entries — "improve access control, Q4" — signal that the plan is decorative. Specific entries signal an organization that manages security the way it manages projects, and assessors notice the difference.

The Better Strategy: Need Fewer POA&Ms

The strongest position on assessment day is not a well-written POA&M — it is not needing one. Two moves make that realistic. First, find your gaps while they are still cheap to fix: a CMMC readiness assessment scores you against all 110 requirements long before a C3PAO does, when every finding is still just a to-do item rather than a certification condition. Second, shrink the surface you have to defend: consolidating CUI into a purpose-built secure enclave means fewer systems where each requirement must be implemented and evidenced. Contractors who do both tend to arrive at assessments with short gap lists — or none at all.

How Essendis Helps

Essendis takes defense contractors from first gap analysis to a finished Level 2 program — advisory and engineering under one roof. Our CMMC Level 2 compliance services cover remediation planning, POA&M management, and assessment preparation, built on the same approach that carried our client RPS Defense to a perfect 110/110 Level 2 assessment with A-LIGN (C3PAO) — no POA&M required. New to the framework? Start with our CMMC 2.0 overview, or Connect with an expert to talk through your gap list.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.