Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
Creating a Plan of Action and Milestones for CMMC
A Plan of Action and Milestones document outlines your security gaps and your plan to address them. For CMMC, a POA&M is not just recommended—it is often required. If you have any gaps during assessment, a well-structured POA&M can be the difference between achieving conditional certification and failing.
POA&M stands for Plan of Action and Milestones—a formal document tracking security weaknesses and remediation efforts.
Think of a POA&M as your compliance project plan. It shows assessors you understand your gaps and have a realistic plan to close them.
When You Need a POA&M
During Self-Assessment
When conducting self-assessment, you will likely identify gaps between your current state and CMMC requirements. Document these in a POA&M with remediation plans.
For Conditional Certification
CMMC Level 2 allows conditional certification if you:
- Meet at least 80% of requirements (score of 88 or higher)
- Document remaining gaps in a POA&M
- Commit to closing gaps within 180 days
Without a POA&M, you cannot achieve conditional status—you would simply fail.
For Continuous Improvement
Even after certification, new gaps may emerge. Maintain a POA&M to track ongoing remediation efforts.
POA&M Structure
An effective POA&M includes these elements for each weakness:
Weakness Identification
- Unique identifier (POA&M item number)
- Date identified
- Source of identification (self-assessment, audit, incident)
- Associated CMMC requirement(s)
Weakness Description
- Clear description of the gap
- Impact of the weakness
- Affected systems or processes
Remediation Plan
- Planned corrective actions
- Resources required (budget, personnel, tools)
- Responsible party
- Dependencies on other items
Milestones and Timeline
- Interim milestones with dates
- Target completion date
- Status updates
Status Tracking
- Current status (Open, In Progress, Completed, Delayed)
- Completion date (when resolved)
- Evidence of completion
Sample POA&M Format
A practical POA&M can be maintained in a spreadsheet:
| Field | Example Entry |
|---|---|
| POA&M ID | POAM-2025-003 |
| Date Identified | 2025-01-15 |
| CMMC Requirement | IA.L2-3.5.3 |
| Weakness | MFA not implemented for local privileged access |
| Risk Level | High |
| Remediation Plan | Deploy Microsoft Entra ID MFA for all privileged accounts, update group policies, train administrators |
| Responsible Party | IT Manager – John Smith |
| Resources | $2,500 for additional licenses, 20 hours IT staff time |
| Milestone 1 | License procurement – 2025-02-01 |
| Milestone 2 | Configuration complete – 2025-02-15 |
| Milestone 3 | Testing complete – 2025-02-28 |
| Target Completion | 2025-03-15 |
| Status | In Progress |
| Notes | Licenses ordered 1/20, awaiting delivery |
Writing Effective Remediation Plans
Vague remediation plans do not satisfy assessors or drive actual progress.
Be Specific
Weak: “Will implement better access controls.”
Strong: “Will configure Microsoft Entra ID Conditional Access policies to require MFA for all privileged account authentication. Will update admin account group membership to apply new policies. Will test with pilot group before full deployment.”
Include Measurable Milestones
Break remediation into concrete steps with dates:
- Procurement complete – [date]
- Configuration in test environment – [date]
- Pilot deployment – [date]
- Full deployment – [date]
- Verification testing – [date]
- Documentation updated – [date]
Assign Clear Responsibility
Name specific individuals, not just roles:
Weak: “IT department will implement.”
Strong: “John Smith, IT Manager, will lead implementation with support from Jane Doe, System Administrator.”
Identify Required Resources
Document what you need to complete remediation:
- Budget (licensing, hardware, consulting)
- Personnel time
- Tools or technology
- Training
- Vendor support
Managing POA&M Items
Prioritize by Risk
Address highest-risk gaps first:
- 5-point CMMC requirements before 1-point requirements
- Gaps that expose CUI before administrative gaps
- Items with compliance deadlines
Track Progress Regularly
Review POA&M status at least monthly:
- Update the status of each item
- Document progress made
- Identify blockers
- Adjust timelines if needed
Close Items Properly
When remediation completes:
- Document completion date
- Collect evidence of implementation
- Verify the control now works
- Update SSP to reflect new implementation
- Mark POA&M item as closed
Handle Delays
When items slip:
- Document reason for delay
- Update timeline with new dates
- Escalate if resources are blocked
- Consider risk during extended exposure
POA&M Constraints for CMMC
CMMC places specific limits on POA&M:
Level 1: No POA&M Allowed
CMMC Level 1 does not permit conditional certification. All 15 requirements must be fully implemented before completing self-assessment. You can use a POA&M internally to track progress, but you cannot submit to SPRS with open items.
SPRS stands for Supplier Performance Risk System—the DoD database for contractor compliance status.
Level 2: 180-Day Limit
If you achieve conditional Level 2 status with a POA&M:
- All POA&M items must be closed within 180 days
- Clock starts from conditional certification date
- Missing the deadline invalidates conditional status
- No extensions are granted
Level 2: NOT MET Limit
You cannot have too many NOT MET requirements:
- Must meet at least 80% of requirements
- Cannot have open POA&M items for certain critical controls
- Assessors evaluate whether POA&M items are realistically achievable
What Cannot Be on a POA&M
Some gaps cannot be resolved through POA&M for conditional certification:
Controls That Must Be Implemented
Certain critical controls cannot remain open:
- Incident response capability
- Malware protection
- Basic access controls
- Other fundamental security functions
Check DoD guidance for specific controls that cannot be on POA&M.
Unrealistic Remediation Plans
If assessors determine your plan cannot be completed in 180 days, they may not grant conditional status. Plans must be realistic and achievable.
Too Many Items
If you have so many gaps that 80% compliance is not met, you cannot achieve even conditional certification. Close gaps before assessment.
Presenting POA&M to Assessors
During assessment, be prepared to:
Explain Each Item
Assessors will ask about your gaps and plans. Know your POA&M thoroughly.
Demonstrate Progress
If items are in progress, show evidence of work underway:
- Purchase orders submitted
- Configurations in test
- Training scheduled
- Vendor contracts signed
Justify Timelines
Explain why your dates are realistic. Reference vendor timelines, resource availability, and dependencies.
Show Commitment
Assessors want confidence you will complete remediation. Executive sponsorship and resource commitment help.
After Assessment: Closing POA&M Items
When you achieve conditional status, the real work begins:
Track Aggressively
180 days passes quickly. Monitor progress weekly.
Escalate Blockers
If something threatens your timeline, escalate immediately. Resource constraints or vendor delays need management attention.
Document Everything
When items close, capture evidence:
- Configuration screenshots
- Test results
- Updated documentation
- Approval records
Report Completion
When all POA&M items close:
- Update SPRS with new score
- Notify your C3PAO (if applicable)
- Retain evidence for future assessments
C3PAO stands for Certified Third-Party Assessment Organization—the company that conducted your certification assessment.
Key Takeaways
A POA&M documents security gaps and remediation plans. For CMMC Level 2, a well-structured POA&M can enable conditional certification, giving you 180 days to close remaining gaps.
Write specific remediation plans with concrete milestones, clear ownership, and identified resources. Prioritize high-risk items and track progress regularly.
Remember that Level 1 allows no POA&M—all requirements must be met. For Level 2, the 180-day clock is firm, so plan realistically and execute diligently.
Related Articles:
- CMMC Policies and Procedures Requirements
- How to Write a System Security Plan for CMMC
- CMMC Level 2 Self-Assessment Requirements
- How to Submit Your SPRS Score
- NIST SP 800-171 Rev 2
- 32 CFR Part 170 – CMMC Program Rule
Official Sources: This article is based on 32 CFR Part 170 POA&M requirements, NIST SP 800-171 Revision 2, and DoD CMMC assessment guidance.
Do not let documentation gaps hold back your certification. Contact Greypike for expert help building your SSP and POA&M. If you need Level 1 certification fast, Obolix provides everything you need—including documentation templates—to get compliant in a week or less.