Under the recently released CMMC Final Rule, the use of Plans of Action and Milestones (POA&Ms) is allowed in a limited and structured way for certain levels of certification. The Cybersecurity Maturity Model Certification (CMMC) program is essential for contractors working with the Department of Defense (DOD), setting rigorous standards for protecting sensitive information. Here, we’ll cover what POA&Ms are, how they fit into the CMMC process, and what contractors need to know to comply with the requirements outlined in § 170.21 of the CMMC Program rule (32 CFR Part 170).
What is a POA&M in CMMC?
A POA&M (Plan of Action and Milestones) is a documented action plan that identifies steps necessary to address cybersecurity deficiencies found during a CMMC assessment. Each item in the POA&M includes actions required to close the gap, responsible parties, and timelines for completion. This plan is an important tool for contractors working towards full CMMC compliance, as it provides a structured path to close security gaps while meeting contractual obligations.
However, the CMMC Final Rule only allows the use of POA&Ms at Levels 2 and 3 with specific limitations. Let’s explore how POA&Ms can be applied at each CMMC level.
CMMC Level-Specific Rules for POA&Ms
The new CMMC Final Rule details how POA&Ms can and cannot be used at each certification level:
- CMMC Level 1: POA&Ms are not permitted. Contractors must fully meet all Level 1 requirements with no deficiencies to achieve certification. Level 1 covers basic cybersecurity practices to protect Federal Contract Information (FCI), and compliance with every requirement is mandatory for certification.
- CMMC Level 2: POA&Ms are allowed under specific conditions (§ 170.21(a)(2)). Contractors must:
- Achieve an assessment score of at least 80% of the total, i.e., 88 of the 110 points available under the scoring methodology in § 170.24.
- Place no requirement with a point value greater than 1 on the POA&M. Every 3-point and 5-point requirement must be MET at the time of assessment; multi-factor authentication (IA.L2-3.5.3), for example, is a 5-point requirement and cannot be deferred even if it is partially implemented. The single exception is SC.L2-3.13.11 (CUI Encryption), which may be placed on the POA&M when encryption is in use but is not FIPS-validated.
- Keep six specific 1-point requirements off the POA&M: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5, and CA.L2-3.12.4 (System Security Plan).
- Document every other “NOT MET” requirement in a POA&M and close it within 180 days of the Conditional CMMC Status date to transition to Final CMMC Status.
- CMMC Level 3: POA&Ms are also permitted at Level 3 (§ 170.21(a)(3)), with the same structure: a Final Level 2 certification is a prerequisite, the Level 3 assessment score must be at least 80% of the total, and the rule names specific Level 3 requirements that may never be placed on a POA&M. Those requirements must be fully implemented at the initial assessment, which for Level 3 is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). Any remaining “NOT MET” requirements can be tracked in a POA&M and must be closed within 180 days for the contractor to obtain Final Status.
Achieving Conditional and Final CMMC Status with POA&Ms
Under the new CMMC framework, contractors can earn a Conditional or Final Status depending on the resolution of their POA&M items:
- Conditional CMMC Status: This is granted to Level 2 and Level 3 contractors who meet the minimum assessment score, fulfill all critical requirements, and document non-critical, “NOT MET” items in a POA&M. With a Conditional Status, contractors are allowed to continue DOD contract work while working to close the remaining gaps.
- Final CMMC Status: Contractors achieve Final Status either by having every requirement assessed as MET at the initial assessment or by closing every POA&M item and having that verified in a POA&M closeout assessment. At this stage, no security gaps remain, and the organization has met every CMMC requirement within the designated timeframe.
According to § 170.21 of the Final Rule, Conditional Status is only temporary and requires timely remediation of all outstanding POA&M items. Contractors must transition from Conditional to Final Status within the allowable 180-day period; otherwise the Conditional Status expires and standard contractual remedies apply.
POA&M Closeout Assessments: Timelines and Procedures
For contractors operating under Conditional Status, all POA&M items must be closed within 180 days of receiving Conditional CMMC Status. A follow-up assessment, known as the POA&M closeout assessment, is required to verify that each item on the POA&M has been addressed. The closeout assessment re-examines only the requirements that were “NOT MET” at the initial assessment; it is not a new full assessment, and a new POA&M cannot be opened at closeout.
- POA&M Closeout Self-Assessment (for Level 2 Conditional Self-Assessment): If the organization conducted a Level 2 self-assessment, it verifies internally that all POA&M items have been completed and records the closeout results in SPRS with a senior official’s affirmation.
- POA&M Closeout Certification Assessment: For Level 2 certifications, a Certified Third-Party Assessment Organization (C3PAO) conducts the closeout assessment to confirm that all “NOT MET” items on the initial POA&M have been remediated. For Level 3 certifications, DCMA DIBCAC, the same government assessor that performs Level 3 certification assessments, conducts the closeout.
Failure to complete all POA&M items within 180 days leads to expiration of Conditional Status, which can impact contract eligibility and potentially trigger contractual remedies. Final Status is only granted if all POA&M items have been properly addressed and verified.
Critical Requirements: Items That Cannot Be Deferred in a POA&M
The CMMC Final Rule does not keep a separate list of “critical” controls; instead, it uses the point values assigned by the scoring methodology in § 170.24. Every 3-point and 5-point requirement must be MET at the time of assessment and cannot be deferred, and six 1-point requirements (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5, and CA.L2-3.12.4) are excluded from POA&Ms as well. In practice this means the foundational protections are in place before any Conditional Status is granted. Examples:
- Multi-Factor Authentication (IA.L2-3.5.3): A 5-point requirement for controlling access to systems that contain CUI. Implementing MFA for remote and privileged users but not general users reduces the deduction from 5 points to 3 under § 170.24, but the requirement still carries a point value of 5 and therefore cannot be placed on a POA&M.
- FIPS-Validated CUI Encryption (SC.L2-3.13.11): Data at rest and in transit must be encrypted with FIPS-validated cryptography. This 5-point requirement is the one exception the rule makes: it may be placed on a POA&M when encryption is in use but the cryptographic modules are not FIPS-validated, in which case 3 points rather than 5 are deducted.
- System Monitoring (SI.L2-3.14.6): Monitoring systems to detect attacks and indicators of potential attacks is a 5-point requirement and cannot be deferred.
By requiring full implementation of every higher-weighted requirement, the Final Rule ensures that foundational security measures are in place before a contractor operates under Conditional Status, reducing the exposure of government data while the remaining gaps are closed.
Meeting Minimum Score Requirements with a POA&M
To be eligible for Conditional CMMC Status, contractors must achieve a minimum assessment score. For CMMC Level 2, the score is calculated under § 170.24: it starts at 110 (one point per security requirement in NIST SP 800-171 Rev. 2) and each “NOT MET” requirement subtracts 1, 3, or 5 points according to its weight, so a score can fall well below zero. The minimum is 80% of the total, i.e., 88 points. Meeting this minimum score is essential to obtaining Conditional Status, alongside keeping every 3-point and 5-point requirement (other than the CUI encryption exception) and the six named 1-point requirements off the POA&M.
Because only 1-point requirements (plus partially implemented CUI encryption) can be deferred, a contractor that satisfies the POA&M restrictions will usually clear the 80% threshold as well; the score check mainly guards against an unusually large number of small gaps. Either way, all items in the POA&M must be addressed within the 180-day closeout window to achieve Final Status.
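As an added example, not part of the original article, the following Python script encodes the Level 2 eligibility rules described above (the 80% score threshold, the no-more-than-1-point rule with the SC.L2-3.13.11 exception, and the six 1-point requirements that may never be deferred) and applies them to a constructed set of findings. The point values for MFA and CUI encryption follow § 170.24; the other point values in the sample are illustrative and should be taken from the assessor’s scoring sheet in practice.

```python
"""Conditional CMMC Level 2 eligibility check under 32 CFR 170.21(a)(2).

Added example, not the article's or the rule's own tooling.  Point values
are those of the 170.24 scoring methodology; the sample findings below are
constructed for illustration.
"""
from dataclasses import dataclass

TOTAL_LEVEL2_REQUIREMENTS = 110          # NIST SP 800-171 Rev. 2 requirement count
MFA = "IA.L2-3.5.3"                      # 5-point, never allowed on a POA&M
CUI_ENCRYPTION = "SC.L2-3.13.11"         # 5-point, POA&M allowed only if partially met

# 1-point requirements that 170.21(a)(2)(iii) never allows on a POA&M
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3",
    "PE.L2-3.10.4", "PE.L2-3.10.5", "CA.L2-3.12.4",
})


@dataclass(frozen=True)
class Finding:
    """One requirement the assessor did not score as MET."""
    req_id: str
    points: int             # 1, 3 or 5, from the 170.24 scoring sheet
    partial: bool = False   # partial credit exists only for MFA and CUI encryption


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for this finding (170.24 partial-credit rules)."""
    if f.partial and f.req_id in (MFA, CUI_ENCRYPTION):
        return 3
    return f.points


def assessment_score(findings) -> int:
    """Assessment score: 110 minus the weighted deductions; may go negative."""
    return TOTAL_LEVEL2_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_allowed(f: Finding) -> bool:
    """May this NOT MET requirement sit on a POA&M under 170.21(a)(2)?"""
    if f.req_id in NEVER_ON_POAM:
        return False
    if f.req_id == CUI_ENCRYPTION:
        return f.partial             # encryption in use, just not FIPS-validated
    return f.points <= 1             # MFA (5 points) fails here even when partial


def evaluate_level2(findings) -> dict:
    """Classify an assessment result as Final, Conditional, or Not eligible."""
    score = assessment_score(findings)
    blockers = [f.req_id for f in findings if not poam_allowed(f)]
    # score / 110 >= 0.8 compared in integers to avoid floating-point surprises
    meets_threshold = 10 * score >= 8 * TOTAL_LEVEL2_REQUIREMENTS
    if not findings:
        status = "Final"
    elif meets_threshold and not blockers:
        status = "Conditional"
    else:
        status = "Not eligible"
    return {
        "score": score,
        "meets_80_percent": meets_threshold,
        "poam_items": [f.req_id for f in findings if poam_allowed(f)],
        "blockers": blockers,
        "status": status,
    }


# Constructed sample findings: only requirements not scored MET are listed.
SAMPLE_CONDITIONAL = [
    Finding(CUI_ENCRYPTION, 5, partial=True),   # encrypted, not FIPS-validated
    Finding("AT.L2-3.2.3", 1),                  # illustrative 1-point gap
    Finding("MP.L2-3.8.4", 1),                  # illustrative 1-point gap
]
SAMPLE_BLOCKED = [
    Finding(MFA, 5, partial=True),              # MFA only for remote/privileged users
    Finding("CA.L2-3.12.4", 1),                 # no system security plan
]

if __name__ == "__main__":
    for name, findings in (("conditional", SAMPLE_CONDITIONAL), ("blocked", SAMPLE_BLOCKED)):
        print(name, evaluate_level2(findings))
```

The second sample is the case practitioners most often get wrong: its score (106) is comfortably above 88, yet it is not eligible for Conditional Status, because partially implemented MFA still carries a point value of 5 and the System Security Plan requirement is on the never-deferred list.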
Steps for Effective POA&M Management
Successfully managing POA&Ms is key to achieving CMMC compliance. Here are some best practices for keeping your POA&M on track:
- Develop Detailed Remediation Plans: Each “NOT MET” item should have a specific remediation plan with actionable steps, resources, and assigned personnel.
- Set Realistic Milestones: Establish clear milestones to keep remediation on schedule. This is critical for ensuring the 180-day closeout timeline is met.
- Regular Progress Reviews: Monitor progress on POA&M items with regular check-ins. Monthly or bi-weekly reviews can help keep remediation efforts on track.
- Prepare for Closeout Assessments: Make sure all documentation and evidence are ready for the closeout assessment. Ensure that each completed item meets CMMC requirements and is easily accessible for assessors.
- Use Compliance Tools: Use project management or compliance tools to track and manage POA&M items. This can streamline the process, provide clear accountability, and help avoid last-minute issues.
The Bottom Line: Staying Compliant with POA&Ms Under CMMC
The CMMC Final Rule has set a clear structure around the use of POA&Ms, enabling contractors to work towards compliance while meeting contract eligibility requirements. Understanding the rules and timelines for POA&M closeout is critical. By following these guidelines, contractors can successfully transition from Conditional to Final Status, safeguard sensitive data, and secure ongoing eligibility for DOD contracts.
How Alluvionic Can Help with Your CMMC Journey
Navigating CMMC compliance can be complex, but Alluvionic is here to simplify the process. As a Cyber-AB Registered Practitioner Organization (RPO), we provide expertise and guidance to help contractors achieve and maintain CMMC compliance, from managing POA&Ms to preparing for closeout assessments. Let us help you stay competitive and compliant in the evolving cybersecurity landscape.
Read more about the final rule or contact us today to discuss how we can support your organization’s journey to CMMC compliance and beyond.
About the Author
Roberto Padilla Jr., Information Security Director at Alluvionic, is a decorated IT and cybersecurity leader with over 25 years of experience managing enterprise systems, network operations, and large-scale IT projects. A retired U.S. Air Force veteran with advanced certifications, he excels in safeguarding assets, driving innovation, and leading cross-functional teams to deliver mission-critical results.