
CMMC POA&M Guide: Plans of Action and Milestones Explained

Learn how to create and manage CMMC POA&Ms. Covers when POA&Ms are allowed, required fields, best practices, and a template walkthrough.

Agency Team

POA&Ms are one of the most misunderstood aspects of CMMC — some contractors treat them as a way to defer compliance indefinitely, while others assume they are not allowed at all. The truth is more nuanced, and understanding that nuance can be the difference between passing and failing your assessment.

A CMMC POA&M (Plan of Action and Milestones) is a formal remediation plan that documents how your organization will address security controls not yet fully implemented. Under CMMC 2.0, POA&Ms are permitted at Levels 2 and 3 for certain controls, but with strict limitations on which controls qualify and how long you have to close them. Understanding these rules is critical for any defense contractor navigating the CMMC certification process.

This guide covers when POA&Ms are allowed under CMMC, how to write an effective POA&M that assessors will accept, best practices based on common assessment findings, a template walkthrough, and how to manage POA&Ms through closure.

What Is a POA&M in the Context of CMMC?

A Plan of Action and Milestones is a document that identifies gaps between your current security posture and the requirements of CMMC, then lays out a specific, time-bound plan to close those gaps. In the CMMC context, POA&Ms serve as a formal acknowledgment that certain controls are not yet fully implemented, paired with a credible plan to achieve full implementation.

When POA&Ms Are Allowed

CMMC 2.0 allows POA&Ms at Levels 2 and 3, but not at Level 1. Key rules include:

  • Not all controls are eligible — Certain high-priority controls (approximately 20-25 of the most critical requirements) cannot have POA&Ms. If these controls are not met, certification cannot be granted regardless of remediation plans
  • 180-day closure window — All POA&M items must be closed within 180 days of the conditional certification date
  • Conditional certification — Organizations with open POA&Ms receive conditional certification, which converts to full certification upon POA&M closure
  • Scoring threshold — Your overall assessment score must still meet a minimum threshold even with open POA&Ms

POA&Ms at Level 1

Level 1 does not allow POA&Ms. All 17 practices must be fully implemented before you can submit your self-assessment affirmation.

For a complete overview of CMMC levels and requirements, see our CMMC requirements guide.

How to Write a CMMC POA&M

An effective POA&M entry must contain sufficient detail for an assessor to evaluate the credibility of your remediation plan. Each entry should include:

Required Fields

| Field | Description | Example |
| --- | --- | --- |
| Control identifier | The specific NIST 800-171 control number | AC.L2-3.1.12 |
| Control description | Brief description of the requirement | Monitor and control remote access sessions |
| Weakness/gap description | What is not currently implemented or functioning | Remote access sessions are not monitored in real-time; logs are reviewed weekly |
| Risk assessment | Current risk level posed by the gap | Medium — remote access is limited to 5 administrators with MFA |
| Planned remediation | Specific actions to close the gap | Deploy SIEM integration for VPN sessions, configure real-time alerting |
| Responsible party | Named individual accountable for remediation | IT Security Manager |
| Required resources | Budget, tools, personnel needed | SIEM platform license (annual subscription), 40 hours configuration effort |
| Milestones | Intermediate steps with dates | M1: SIEM vendor selection (Day 30), M2: Integration deployment (Day 90), M3: Testing and validation (Day 150) |
| Target completion date | Must be within 180 days | [Date within 180 days of conditional certification] |

Writing Tips

  • Be specific about the gap — "Not implemented" is insufficient. Describe exactly what is missing and what partial implementation exists
  • Make milestones realistic — Assessors will evaluate whether your timeline is achievable given the scope of work
  • Identify dependencies — If remediation requires vendor procurement, budget approval, or infrastructure changes, call these out explicitly
  • Quantify resources — Vague resource statements ("we will allocate resources") are less credible than specific budgets and FTE allocations

POA&M Best Practices

Minimize POA&M Count

While POA&Ms are allowed, entering your assessment with fewer open items demonstrates stronger organizational maturity. Assessors view many POA&Ms as a signal that the organization rushed into assessment before achieving adequate readiness. Aim for zero POA&Ms, and use them only for items where remediation is genuinely in progress and near completion.

Close Easy Items Before Assessment

If a control gap can be resolved in the weeks before your C3PAO assessment, close it rather than documenting it as a POA&M. The 180-day clock starts at conditional certification — every gap closed before assessment is one less item to manage under time pressure.

Maintain Evidence of Progress

Once you have open POA&Ms, document progress at each milestone. When the C3PAO returns to verify closure, they will want evidence that remediation followed the plan and was not a last-minute scramble.

Common Assessment Pitfalls

  • Ineligible controls — Submitting POA&Ms for controls that are not eligible results in assessment failure. Verify which controls allow POA&Ms before building your remediation plan
  • Unrealistic timelines — A POA&M that requires 12 months of work crammed into 180 days will not be accepted
  • Missing risk context — Assessors need to understand the risk exposure during the remediation period. A POA&M without risk assessment suggests the organization does not understand the security implications of the gap

POA&M Template Walkthrough

Here is an annotated example of a well-written POA&M entry:

Control: SI.L2-3.14.1 — Identify, report, and correct system flaws in a timely manner

Gap: Vulnerability scanning is conducted monthly but remediation SLAs are not defined or enforced. Critical vulnerabilities average 45 days to remediation versus the 14-day best practice target.

Risk: Medium-High — Monthly scanning identifies vulnerabilities but the lack of enforced SLAs means critical exposures persist longer than acceptable. Compensating controls include network segmentation limiting lateral movement.

Remediation Plan:

  1. Day 1-30: Define and publish vulnerability remediation SLAs (Critical: 14 days, High: 30 days, Medium: 90 days)
  2. Day 15-60: Implement automated vulnerability scanning tool with integration to ticketing system for automated SLA tracking
  3. Day 30-90: Deploy patch management automation for operating system and application patching
  4. Day 60-120: Run two complete scan-remediate cycles under new SLAs to establish evidence of operating effectiveness
  5. Day 120-150: Internal review and evidence compilation for C3PAO verification

Responsible: Director of IT Operations

Resources: Vulnerability management platform (annual license), 120 hours engineering effort, patch management tool (annual license)

Target Completion: [180 days from conditional certification]

This example works because it is specific about the gap, provides measurable milestones, identifies resources, and builds in time for demonstrating operating effectiveness before the verification review.
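The required-field table and the walkthrough above describe a structure and a set of rules (every narrative field filled in with specifics, a target date inside the 180-day window, milestones in order and before the target). The following Python is an added example, not code from this guide or from Agency, that encodes those rules as a pre-submission check over a POA&M entry; the `INELIGIBLE_PLACEHOLDER` set is an assumption, since the guide does not list which controls are ineligible.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CLOSURE_WINDOW_DAYS = 180  # CMMC 2.0 closure window described in the guide

@dataclass
class Milestone:
    label: str
    day: int  # offset in days from the conditional certification date

@dataclass
class PoamEntry:
    control_id: str
    control_description: str
    gap: str
    risk: str
    remediation: str
    responsible: str
    resources: str
    milestones: list  # Milestone objects, expected in chronological order
    target_day: int   # planned closure as a day offset; must not exceed 180

def validate_entry(entry: PoamEntry, ineligible: frozenset) -> list:
    """Return assessor-style findings; an empty list means the entry is acceptable."""
    findings = []
    if entry.control_id in ineligible:  # fatal: such controls cannot be deferred at all
        findings.append(f"{entry.control_id}: control is not POA&M-eligible")
    for name in ("gap", "risk", "remediation", "responsible", "resources"):
        if getattr(entry, name).strip().lower() in ("", "not implemented"):  # bare placeholder
            findings.append(f"{entry.control_id}: field '{name}' lacks specific detail")
    if not 0 < entry.target_day <= CLOSURE_WINDOW_DAYS:
        findings.append(f"{entry.control_id}: target day {entry.target_day} exceeds the window")
    days = [m.day for m in entry.milestones]
    if not days or days != sorted(days) or days[-1] > entry.target_day:
        findings.append(f"{entry.control_id}: milestones missing, out of order, or after target date")
    return findings

def days_remaining(conditional_cert: str, entry: PoamEntry, today: str) -> int:
    due = date.fromisoformat(conditional_cert) + timedelta(days=entry.target_day)
    return (due - date.fromisoformat(today)).days  # negative once the entry is overdue

SAMPLE = PoamEntry(  # constructed sample following the SI.L2-3.14.1 walkthrough above
    "SI.L2-3.14.1", "Identify, report, and correct system flaws in a timely manner",
    "Monthly scanning, but remediation SLAs are not defined or enforced",
    "Medium-High; segmentation limits lateral movement",
    "Define SLAs, integrate scanner with ticketing, automate patching",
    "Director of IT Operations", "VM platform license, 120 hours engineering, patch tool license",
    [Milestone("SLAs published", 30), Milestone("Scanner integrated", 60), Milestone("Patching automated", 90),
     Milestone("Two cycles run", 120), Milestone("Evidence compiled", 150)], 180)
INELIGIBLE_PLACEHOLDER = frozenset({"XX.L2-0.0.0"})  # assumed; the guide names no ineligible controls
```

Run `validate_entry` over every entry before the C3PAO assessment and `days_remaining` at each biweekly or monthly review so overdue items surface early.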

For organizations managing compliance gaps more broadly, see our gap analysis playbook and evidence collection guide — the principles apply across frameworks.

Managing POA&Ms Over Time

POA&M management does not end when you write the document. Active management throughout the 180-day window is essential:

Tracking and Reporting

Establish a regular cadence (biweekly or monthly) for reviewing POA&M progress. Each review should confirm milestones are being met, identify blockers early, and adjust plans if needed. Document these reviews as evidence of active management.

Evidence Collection

Begin collecting remediation evidence from day one. When the C3PAO returns for POA&M verification, you will need to demonstrate not just that the control is now implemented, but that it has been operating effectively for a reasonable period.

Closure and Verification

When you complete a POA&M item, document the closure with evidence of implementation and a brief period of operating effectiveness. Notify your C3PAO to schedule verification. Once all POA&Ms are verified as closed, your conditional certification converts to full certification.

What Happens If You Miss the 180-Day Window?

Failure to close POA&M items within 180 days results in loss of conditional certification. You would need to undergo a new assessment — effectively starting the certification process over. This underscores the importance of realistic remediation planning and active POA&M management.

Need help developing CMMC POA&Ms or managing your remediation timeline? Contact Agency for expert guidance on CMMC compliance and assessment preparation.
