Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

Creating a Plan of Action and Milestones for CMMC

A Plan of Action and Milestones document outlines your security gaps and your plan to address them. For CMMC, a POA&M is not just recommended—it is often required. If you have any gaps during assessment, a well-structured POA&M can be the difference between achieving conditional certification and failing.

POA&M stands for Plan of Action and Milestones—a formal document tracking security weaknesses and remediation efforts.

Think of a POA&M as your compliance project plan. It shows assessors you understand your gaps and have a realistic plan to close them.

When You Need a POA&M

During Self-Assessment

When conducting self-assessment, you will likely identify gaps between your current state and CMMC requirements. Document these in a POA&M with remediation plans.

For Conditional Certification

CMMC Level 2 allows conditional certification if you:

  • Meet at least 80% of requirements (score of 88 or higher)
  • Document remaining gaps in a POA&M
  • Commit to closing gaps within 180 days

Without a POA&M, you cannot achieve conditional status—you would simply fail.

For Continuous Improvement

Even after certification, new gaps may emerge. Maintain a POA&M to track ongoing remediation efforts.

POA&M Structure

An effective POA&M includes these elements for each weakness:

Weakness Identification

  • Unique identifier (POA&M item number)
  • Date identified
  • Source of identification (self-assessment, audit, incident)
  • Associated CMMC requirement(s)

Weakness Description

  • Clear description of the gap
  • Impact of the weakness
  • Affected systems or processes

Remediation Plan

  • Planned corrective actions
  • Resources required (budget, personnel, tools)
  • Responsible party
  • Dependencies on other items

Milestones and Timeline

  • Interim milestones with dates
  • Target completion date
  • Status updates

Status Tracking

  • Current status (Open, In Progress, Completed, Delayed)
  • Completion date (when resolved)
  • Evidence of completion

Sample POA&M Format

A practical POA&M can be maintained in a spreadsheet:

FieldExample Entry
POA&M IDPOAM-2025-003
Date Identified2025-01-15
CMMC RequirementIA.L2-3.5.3
WeaknessMFA not implemented for local privileged access
Risk LevelHigh
Remediation PlanDeploy Microsoft Entra ID MFA for all privileged accounts, update group policies, train administrators
Responsible PartyIT Manager – John Smith
Resources$2,500 for additional licenses, 20 hours IT staff time
Milestone 1License procurement – 2025-02-01
Milestone 2Configuration complete – 2025-02-15
Milestone 3Testing complete – 2025-02-28
Target Completion2025-03-15
StatusIn Progress
NotesLicenses ordered 1/20, awaiting delivery

Writing Effective Remediation Plans

Vague remediation plans do not satisfy assessors or drive actual progress.

Be Specific

Weak: “Will implement better access controls.”

Strong: “Will configure Microsoft Entra ID Conditional Access policies to require MFA for all privileged account authentication. Will update admin account group membership to apply new policies. Will test with pilot group before full deployment.”

Include Measurable Milestones

Break remediation into concrete steps with dates:

  1. Procurement complete – [date]
  2. Configuration in test environment – [date]
  3. Pilot deployment – [date]
  4. Full deployment – [date]
  5. Verification testing – [date]
  6. Documentation updated – [date]

Assign Clear Responsibility

Name specific individuals, not just roles:

Weak: “IT department will implement.”

Strong: “John Smith, IT Manager, will lead implementation with support from Jane Doe, System Administrator.”

Identify Required Resources

Document what you need to complete remediation:

  • Budget (licensing, hardware, consulting)
  • Personnel time
  • Tools or technology
  • Training
  • Vendor support

Managing POA&M Items

Prioritize by Risk

Address highest-risk gaps first:

  • 5-point CMMC requirements before 1-point requirements
  • Gaps that expose CUI before administrative gaps
  • Items with compliance deadlines

Track Progress Regularly

Review POA&M status at least monthly:

  • Update the status of each item
  • Document progress made
  • Identify blockers
  • Adjust timelines if needed

Close Items Properly

When remediation completes:

  • Document completion date
  • Collect evidence of implementation
  • Verify the control now works
  • Update SSP to reflect new implementation
  • Mark POA&M item as closed

Handle Delays

When items slip:

  • Document reason for delay
  • Update timeline with new dates
  • Escalate if resources are blocked
  • Consider risk during extended exposure

POA&M Constraints for CMMC

CMMC places specific limits on POA&M:

Level 1: No POA&M Allowed

CMMC Level 1 does not permit conditional certification. All 15 requirements must be fully implemented before completing self-assessment. You can use a POA&M internally to track progress, but you cannot submit to SPRS with open items.

SPRS stands for Supplier Performance Risk System—the DoD database for contractor compliance status.

Level 2: 180-Day Limit

If you achieve conditional Level 2 status with a POA&M:

  • All POA&M items must be closed within 180 days
  • Clock starts from conditional certification date
  • Missing the deadline invalidates conditional status
  • No extensions are granted

Level 2: NOT MET Limit

You cannot have too many NOT MET requirements:

  • Must meet at least 80% of requirements
  • Cannot have open POA&M items for certain critical controls
  • Assessors evaluate whether POA&M items are realistically achievable

What Cannot Be on a POA&M

Some gaps cannot be resolved through POA&M for conditional certification:

Controls That Must Be Implemented

Certain critical controls cannot remain open:

  • Incident response capability
  • Malware protection
  • Basic access controls
  • Other fundamental security functions

Check DoD guidance for specific controls that cannot be on POA&M.

Unrealistic Remediation Plans

If assessors determine your plan cannot be completed in 180 days, they may not grant conditional status. Plans must be realistic and achievable.

Too Many Items

If you have so many gaps that 80% compliance is not met, you cannot achieve even conditional certification. Close gaps before assessment.

Presenting POA&M to Assessors

During assessment, be prepared to:

Explain Each Item

Assessors will ask about your gaps and plans. Know your POA&M thoroughly.

Demonstrate Progress

If items are in progress, show evidence of work underway:

  • Purchase orders submitted
  • Configurations in test
  • Training scheduled
  • Vendor contracts signed

Justify Timelines

Explain why your dates are realistic. Reference vendor timelines, resource availability, and dependencies.

Show Commitment

Assessors want confidence you will complete remediation. Executive sponsorship and resource commitment help.

After Assessment: Closing POA&M Items

When you achieve conditional status, the real work begins:

Track Aggressively

180 days passes quickly. Monitor progress weekly.

Escalate Blockers

If something threatens your timeline, escalate immediately. Resource constraints or vendor delays need management attention.

Document Everything

When items close, capture evidence:

  • Configuration screenshots
  • Test results
  • Updated documentation
  • Approval records

Report Completion

When all POA&M items close:

  • Update SPRS with new score
  • Notify your C3PAO (if applicable)
  • Retain evidence for future assessments

C3PAO stands for Certified Third-Party Assessment Organization—the company that conducted your certification assessment.

Key Takeaways

A POA&M documents security gaps and remediation plans. For CMMC Level 2, a well-structured POA&M can enable conditional certification, giving you 180 days to close remaining gaps.

Write specific remediation plans with concrete milestones, clear ownership, and identified resources. Prioritize high-risk items and track progress regularly.

Remember that Level 1 allows no POA&M—all requirements must be met. For Level 2, the 180-day clock is firm, so plan realistically and execute diligently.

Related Articles:

Official Sources: This article is based on 32 CFR Part 170 POA&M requirements, NIST SP 800-171 Revision 2, and DoD CMMC assessment guidance.

Do not let documentation gaps hold back your certification. Contact Greypike for expert help building your SSP and POA&M. If you need Level 1 certification fast, Obolix provides everything you need—including documentation templates—to get compliant in a week or less.

Tags:
Table of Contents