Plan of Action and Milestones (POA&M): A CMMC Level 2 Essential
Every CMMC Level 2 compliance program involves two documents that work in tandem: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). The SSP describes how practices are implemented. The POA&M documents what is not yet implemented and what the organization plans to do about it.
The POA&M is not a loophole or a workaround. It is a formal, structured artifact that organizations use to track remediation activity for practices that are partially implemented or not yet in place. Under NIST SP 800-171 and the CMMC framework, maintaining a current and credible POA&M is a requirement, not an optional supplement.
This article explains what a POA&M must include, how it interacts with the SSP and the assessment process, which practices are POA&M-eligible and which are not, and what separates a credible POA&M from one that raises red flags with assessors. Whether you are building your first POA&M or trying to mature an existing one ahead of a C3PAO assessment, this is the starting point.
What a POA&M Is and What It Is Not
A POA&M is a management tool. It provides a structured record of security gaps, the steps an organization will take to address them, who is responsible, and by when. In the context of CMMC Level 2, it documents the delta between the organization's current security posture and full compliance with all 110 practices in NIST SP 800-171.
What a POA&M is not is a free pass. Some organizations treat the POA&M as a way to defer difficult or expensive remediation work indefinitely. Assessors are specifically trained to identify POA&M entries that lack genuine remediation activity, that carry the same milestone dates year after year without progress, or that exist to create the appearance of a compliance plan rather than reflect one.
A credible POA&M is specific, time-bound, and actively maintained. It reflects real organizational commitment to closing identified gaps. When assessors review a POA&M, they are evaluating not just whether it exists but whether it demonstrates that the organization understands its gaps and is genuinely working to close them.
What a Complete POA&M Entry Must Include
Not every POA&M entry looks the same, but each entry should address the following elements to satisfy assessor expectations and regulatory requirements.
The Practice Being Addressed
Each POA&M entry should reference the specific NIST SP 800-171 practice number and title. Entries that describe a gap in general terms without tying it to a practice number create ambiguity and make it difficult for assessors to evaluate scope and coverage.
Description of the Gap or Deficiency
The entry should explain specifically what is not implemented or what is only partially implemented. A vague entry like “MFA not fully deployed” is less useful than one that states “Multi-factor authentication is implemented for remote access but not yet enforced for privileged local accounts on systems that process CUI.” The more specific the gap description, the more credible the remediation plan that follows.
Planned Remediation Steps
The entry should outline the specific steps the organization will take to close the gap. This does not need to be a detailed project plan, but it should be specific enough that a third party could understand the remediation approach. Entries that list “implement MFA” without describing how, on what systems, or through which product or process are insufficient.
Responsible Owner
Each entry must identify who is responsible for driving remediation to completion. This should be a named role or individual, not a department. Accountability without a named owner is not accountability.
Milestone Dates
The entry must include a target completion date. Entries without milestone dates, or with milestone dates that have been extended repeatedly without documented justification, signal to assessors that the organization is not actively managing the gap. Milestone dates should be realistic and reflect the actual complexity of the remediation effort. For a POA&M tied to a Conditional Level 2 (C3PAO) status, every milestone must fall within the 180-day closeout window described later in this article.
Current Status
The entry should reflect the current state of remediation at the time of review. A POA&M that has not been updated since it was initially drafted is not a living document. Status should reflect whether remediation is not yet started, in progress, or completed and pending verification.
POA&M-Eligible vs. Non-Eligible Practices
One of the most important and most frequently misunderstood aspects of the POA&M under CMMC Level 2 is that not all practices can be deferred through a POA&M entry.
Under 32 CFR 170.21(a)(2), the eligibility rule is precise. Only security requirements with a point value of 1 in the CMMC Scoring Methodology (32 CFR 170.24) may be placed on a POA&M, with one narrow exception: SC.L2-3.13.11 (Employ FIPS-validated cryptography) may be placed on a POA&M at a 3-point cost if encryption is employed but is not yet FIPS-validated. If no encryption is in place at all, that same gap is scored at 5 points and is not POA&M-eligible. Every other 3-point and 5-point requirement must be fully implemented at the time of the assessment. Placing one in any status other than implemented results in a finding that prevents certification.
This means organizations cannot use the POA&M to defer their most critical security practices to a post-assessment remediation window. If a high-weighted practice is not implemented when the assessor arrives, it is a disqualifying gap, not a documented exception.
Two further conditions govern whether a POA&M is permitted at all. First, the assessment score must be at least 80 percent of the total, meaning a minimum of 88 of the 110 requirements scored as MET. An organization that falls below 88 points does not qualify for a Conditional Level 2 (C3PAO) status and cannot defer any gaps to a POA&M. The available headroom is 22 practices, not just 22 points, because POA&M-eligible practices are not all worth the same score value. A contractor who places multiple 3-point practices on a POA&M consumes headroom faster than the practice count alone suggests, and the SC.L2-3.13.11 encryption scenario (3 points when encryption exists but is not FIPS-validated) is a concrete example of that dynamic.
Two documents share the POA&M name, and it is worth distinguishing them at this point. Before an assessment, an organization maintains an internal POA&M as a running gap tracker. This is genuinely a living document, reviewed on a cadence, with milestone dates that can shift as priorities change. That document can and should list all gaps and missing items, not just those tied to single-point practices. The formal POA&M that produces a Conditional Level 2 (C3PAO) status after a C3PAO assessment is different. It is strictly time-bound: every open item must be remediated and verified through a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. There is no rolling extension. If the items are not closed within the 180-day window, the Conditional status expires and the certification is lost. This is the document where the single-point practice rules come into play.
Second, six specific 1-point requirements are excluded from POA&M eligibility by name under 32 CFR 170.21(a)(2)(iii), even though their point value would otherwise allow deferral. They must be fully implemented at the time of assessment: AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access). CA.L2-3.12.4 is the most common blocker, because a complete SSP is a prerequisite for the assessment to proceed at all.
The remaining 1-point requirements are POA&M-eligible, meaning an organization can still achieve a Conditional Level 2 (C3PAO) status while those gaps are actively remediated under a credible POA&M. However, even eligible practices carry risk. A large volume of open POA&M entries, even for lower-weighted practices, can signal systemic compliance immaturity to assessors and contracting officers.
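The eligibility and scoring rules above reduce to a short decision procedure, which is easy to get wrong by hand when a FIPS exception or an excluded 1-point practice is in the mix. The following Python model is an added example, not code from the article or from Compass IT Compliance: it encodes the 1-point rule, the six named exclusions, the SC.L2-3.13.11 exception, and the 88-point floor. The point values in the sample findings are constructed for the demonstration; the authoritative values come from the 32 CFR 170.24 scoring table.

```python
"""Decision logic for the 32 CFR 170.21(a)(2) POA&M eligibility rule.

Constructed example: point values below are sample data for the demo; the
authoritative values come from the 32 CFR 170.24 scoring table.
"""
from dataclasses import dataclass
from typing import Iterable

TOTAL_REQUIREMENTS = 110
MIN_SCORE = 88                   # 80 percent of 110, the Conditional status floor
FIPS_PRACTICE = "SC.L2-3.13.11"  # the only 3-point entry a POA&M may carry
# 1-point requirements excluded from the POA&M by name (32 CFR 170.21(a)(2)(iii))
EXCLUDED_ONE_POINT = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass(frozen=True)
class Finding:
    """A requirement assessed as NOT MET; requirements not listed are assumed MET."""
    practice_id: str
    points: int                         # 1, 3 or 5 per the scoring methodology
    encryption_in_place: bool = False   # only meaningful for SC.L2-3.13.11


def deduction(f: Finding) -> int:
    """Points subtracted for this finding: the FIPS gap costs 3 when encryption
    exists but is not FIPS-validated, and the full 5 when there is no encryption."""
    if f.practice_id == FIPS_PRACTICE and f.encryption_in_place:
        return 3
    return f.points


def poam_eligible(f: Finding) -> bool:
    """May this NOT MET requirement sit on a Conditional POA&M?"""
    if f.practice_id in EXCLUDED_ONE_POINT:
        return False
    if f.practice_id == FIPS_PRACTICE:
        return f.encryption_in_place     # the one 3-point exception
    return f.points == 1                 # every other 3- and 5-point gap blocks certification


def evaluate(findings: Iterable[Finding]) -> dict:
    """Score the assessment and decide the Level 2 outcome."""
    findings = list(findings)
    score = TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)
    blockers = sorted(f.practice_id for f in findings if not poam_eligible(f))
    deferrable = sorted(f.practice_id for f in findings if poam_eligible(f))
    if not findings:
        outcome = "Final Level 2 (C3PAO)"
    elif blockers or score < MIN_SCORE:
        outcome = "Not certified"
    else:
        outcome = "Conditional Level 2 (C3PAO)"
    return {
        "score": score,
        "headroom": score - MIN_SCORE,   # points still available above the floor
        "blockers": blockers,
        "poam": deferrable,
        "outcome": outcome,
    }


# Constructed sample: one FIPS exception, one ordinary 1-point gap (its point
# value is sample data), and one 1-point practice excluded by name.
SAMPLE_FINDINGS = [
    Finding("SC.L2-3.13.11", points=5, encryption_in_place=True),
    Finding("AC.L2-3.1.4", points=1),
    Finding("AC.L2-3.1.20", points=1),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

Running the sample shows the point the article makes: the score is a comfortable 105, but the excluded AC.L2-3.1.20 entry alone turns the outcome into "Not certified", and dropping it yields a Conditional status with the FIPS gap consuming three points of headroom rather than one.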
How the POA&M Interacts With the SSP
The SSP and the POA&M are companion documents and should be treated as a single integrated picture of the organization's compliance posture.
Every practice in the SSP that is listed as partially implemented or planned must have a corresponding POA&M entry. If the SSP lists a practice as planned but there is no POA&M entry with a milestone date and responsible owner, assessors will treat the gap as unmanaged rather than in-progress. The SSP creates the commitment; the POA&M substantiates it.
Conversely, a POA&M entry for a practice that the SSP lists as fully implemented creates a contradiction that assessors will flag. Both documents must be maintained consistently and updated in parallel whenever the compliance posture changes.
Organizations approaching their first C3PAO assessment should conduct a reconciliation review of both documents before the assessment begins to identify any inconsistencies between what the SSP claims and what the POA&M reflects.
Common POA&M Deficiencies Assessors Identify
The following deficiencies appear most frequently in POA&Ms reviewed during pre-assessment and assessment engagements.
- No POA&M entry for practices listed as partially implemented or planned in the SSP. This is the most common gap and the most straightforward to fix.
- Entries without milestone dates or responsible owners. Without both, the entry is a description of a problem, not a remediation plan.
- Milestone dates that have been extended repeatedly. Without documented justification, this signals that remediation is not actively being managed.
- Non-eligible practices listed in the POA&M. Placing a 5-point or 3-point practice (other than the SC.L2-3.13.11 encryption exception), or one of the six excluded 1-point practices, in a POA&M status indicates a misunderstanding of the CMMC eligibility rules and will prevent certification.
- POA&M not updated since initial creation. A static POA&M does not reflect a living compliance program.
- Entries too vague to evaluate. Gap descriptions and remediation steps that lack specificity give assessors nothing to validate.
- No evidence of completed remediation. When a POA&M entry is marked complete, assessors expect supporting evidence. Completed entries without documentation are treated as unverified.
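Most of the deficiencies in this list, together with the SSP reconciliation described in the previous section and the 180-day closeout window, can be checked mechanically before an assessor does it for you. The Python validator below is an added example, not code from the article or from Compass IT Compliance. The entry fields, the status strings, the ten-word vagueness heuristic, and the sample SSP/POA&M records are all constructed assumptions for the demonstration; it deliberately leaves point-value eligibility to a separate scoring step.

```python
"""Checks for the POA&M deficiencies listed above, run against a constructed
SSP/POA&M pair. Field names, status strings and the vagueness heuristic are
assumptions for this demo, not a CMMC-mandated schema."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CLOSEOUT_DAYS = 180        # Conditional POA&M closeout window (32 CFR 170.21)
MIN_WORDS = 10             # heuristic: shorter gap/remediation text is flagged as vague
SSP_GAP_STATUSES = {"partially implemented", "planned"}


@dataclass
class PoamEntry:
    practice_id: str
    gap: str
    remediation: str
    owner: Optional[str]                      # named role or person, not a department
    milestone: Optional[date]
    status: str                               # "not started" | "in progress" | "complete"
    created: date
    last_reviewed: date
    extensions: List[Tuple[date, str]] = field(default_factory=list)  # (new date, justification)
    evidence: List[str] = field(default_factory=list)                  # artifact references


def validate(ssp: Dict[str, str], poam: List[PoamEntry],
             conditional_status_date: Optional[date] = None) -> List[Tuple[str, str]]:
    """Return (practice_id, deficiency_code) pairs; an empty list means clean."""
    issues: List[Tuple[str, str]] = []
    entries = {e.practice_id: e for e in poam}
    closeout = (conditional_status_date + timedelta(days=CLOSEOUT_DAYS)
                if conditional_status_date else None)

    # SSP side: every partially implemented or planned practice needs an entry.
    for pid, ssp_status in ssp.items():
        if ssp_status in SSP_GAP_STATUSES and pid not in entries:
            issues.append((pid, "MISSING_ENTRY"))

    # POA&M side: each entry is checked against the deficiency list.
    for e in poam:
        pid = e.practice_id
        if ssp.get(pid) == "implemented":
            issues.append((pid, "CONTRADICTS_SSP"))
        if not (e.owner or "").strip():
            issues.append((pid, "NO_OWNER"))
        if e.milestone is None:
            issues.append((pid, "NO_MILESTONE"))
        if any(not why.strip() for _, why in e.extensions):
            issues.append((pid, "UNJUSTIFIED_EXTENSION"))
        if e.last_reviewed <= e.created:
            issues.append((pid, "NEVER_UPDATED"))
        if len(e.gap.split()) < MIN_WORDS or len(e.remediation.split()) < MIN_WORDS:
            issues.append((pid, "VAGUE"))
        if e.status == "complete" and not e.evidence:
            issues.append((pid, "NO_EVIDENCE"))
        if closeout and e.milestone and e.milestone > closeout:
            issues.append((pid, "OUTSIDE_CLOSEOUT_WINDOW"))
    return issues


# Constructed sample data. Practice IDs are real NIST SP 800-171 identifiers;
# the statuses, dates and narrative text are invented for the demonstration.
CONDITIONAL_STATUS_DATE = date(2025, 3, 1)   # closeout window ends 2025-08-28
SAMPLE_SSP = {
    "AC.L2-3.1.20": "implemented",
    "CA.L2-3.12.4": "implemented",
    "SC.L2-3.13.11": "partially implemented",
    "PE.L2-3.10.4": "planned",
    "PE.L2-3.10.5": "partially implemented",
}
SAMPLE_POAM = [
    PoamEntry("SC.L2-3.13.11",
              gap="TLS protects CUI in transit, but the file transfer gateway's crypto library is not FIPS 140 validated.",
              remediation="Replace the gateway with the vendor's FIPS-validated build, re-run the cipher baseline, and file the validation certificate number.",
              owner="ISSO (J. Doe)", milestone=date(2025, 6, 30), status="in progress",
              created=date(2025, 1, 10), last_reviewed=date(2025, 4, 1),
              extensions=[(date(2025, 6, 30), "vendor delivery slipped; revised PO attached")]),
    PoamEntry("AC.L2-3.1.20", gap="Not done.", remediation="Fix it.",
              owner=None, milestone=None, status="complete",
              created=date(2025, 1, 10), last_reviewed=date(2025, 1, 10)),
    PoamEntry("PE.L2-3.10.5",
              gap="Badge readers control the server room, but physical access to the CUI storage cage is still on a shared key.",
              remediation="Install a badge reader on the cage door, revoke the shared key, and add the cage to the monthly access review.",
              owner="Facilities Manager", milestone=date(2025, 9, 15), status="in progress",
              created=date(2025, 1, 10), last_reviewed=date(2025, 4, 1),
              extensions=[(date(2025, 9, 15), "")]),
]

if __name__ == "__main__":
    for pid, code in validate(SAMPLE_SSP, SAMPLE_POAM, CONDITIONAL_STATUS_DATE):
        print(f"{pid}: {code}")
```

The well-formed SC.L2-3.13.11 entry produces no findings; the AC.L2-3.1.20 entry trips six checks at once, including the SSP contradiction; PE.L2-3.10.4 is flagged as planned in the SSP with no entry; and PE.L2-3.10.5 shows an unjustified extension pushing its milestone past the 180-day closeout. Run without a Conditional status date, the same validator skips only the closeout check, which is the right behaviour for the internal pre-assessment tracker.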
How Assessors Use the POA&M During an Engagement
Understanding how a C3PAO assessor interacts with the POA&M during an assessment helps organizations prepare the right artifacts and avoid common surprises.
During the document review phase, assessors cross-reference the POA&M against the SSP to identify practices listed as not fully implemented and confirm that each has a corresponding POA&M entry. Assessors also check whether any non-eligible practices appear in a deferred status.
During testing, assessors will attempt to verify the status of practices listed in the POA&M. If an entry claims remediation is in progress, assessors will look for evidence of that activity. Purchase orders, configuration change records, project documentation, and vendor agreements can all serve as evidence of active remediation.
After testing, assessors document findings against both the SSP and the POA&M. A practice that is unimplemented and not represented in the POA&M is a more serious finding than one with an active, credible remediation entry. A well-maintained POA&M does not eliminate findings, but it demonstrates organizational competence and good faith that assessors consider.
Maintaining the POA&M as a Living Document
A POA&M is only as valuable as its currency. An organization that creates a POA&M during a CMMC readiness engagement and does not update it again until the week before an assessment has not maintained a living document. It has produced a snapshot that no longer reflects the organization's actual compliance posture.
Best practices for POA&M maintenance include:
- Reviewing the POA&M on a defined cadence, typically quarterly at minimum, and after any significant change to the environment or practice implementation status.
- Updating milestone dates promptly when timelines change, with documented justification for any extension. This applies to the internal pre-assessment tracker; the 180-day closeout deadline on a post-assessment Conditional POA&M is fixed by 32 CFR 170.21 and cannot be extended.
- Closing entries when remediation is complete and retaining the supporting evidence in a location that is accessible during an assessment.
- Reconciling the POA&M with the SSP whenever either document is updated.
- Assigning ownership of POA&M maintenance to a specific role, not a committee or a team, so accountability is clear.
How Compass Can Help
Compass IT Compliance has guided defense contractors and subcontractors through every stage of the CMMC journey, from initial scoping and gap assessments to POA&M development, SSP alignment, and full assessment readiness. Our team understands how compliance gaps present in real-world environments, and we help organizations build POA&Ms that are specific, credible, and built to withstand C3PAO scrutiny.
Whether you are creating your first POA&M or reconciling an existing one before your assessment window, we can help you close the right gaps in the right order. Contact us today to discuss your CMMC POA&M questions and find out how we can help you build a compliance strategy that starts on solid ground.