Home Compliance StandardsCMMC The Role of POA&Ms in CMMC Compliance and Certification
CMMC

The Role of POA&Ms in CMMC Compliance and Certification

by RSI Security
written by RSI Security
cmmc compliance
Defense contractors aiming for preferred status and long-term U.S. government contracts must achieve and maintain CMMC compliance. A key update in the Cybersecurity Maturity Model Certification (CMMC) is the introduction of Plans of Action and Milestones (POA&Ms). POA&Ms provide organizations with a structured path to conditional CMMC compliance, helping them address control gaps effectively when applied correctly.


What Is a POA&M in CMMC and How Does It Work?

A Plan of Action and Milestones (POA&M) is a key tool that helps organizations achieve conditional CMMC certification when they fall short on a few specific cybersecurity controls. To qualify, organizations must demonstrate compliance with most requirements and provide a clear plan to quickly remediate any deficiencies.

To fully understand the role of POA&Ms in CMMC compliance, it’s important to consider:

  • The background of CMMC and why POA&Ms were introduced
  • The purpose and detailed requirements of a POA&M
  • How POA&Ms are applied differently across CMMC Level 2 and Level 3


Regulatory Context for CMMC and POA&Ms

The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) program in 2020 to strengthen cybersecurity across the Defense Industrial Base (DIB). Originally, CMMC included five maturity levels with complex requirements, which posed challenges for many contractors.

In 2023, CMMC 2.0 simplified the program to three levels and streamlined assessments. Alongside these changes, Plans of Action and Milestones (POA&Ms) were introduced to support organizations that meet most requirements but fall short on a few critical controls. POA&Ms provide a path to conditional compliance, ensuring that deficiencies are addressed within a specified timeframe. This approach balances strict cybersecurity standards with practical contractor capabilities.

Request a Free Consultation


POA&Ms Explained: Plan of Action and Milestones 101

Plans of Action and Milestones (POA&Ms) primarily apply at CMMC Level 2 or higher. They provide organizations a structured method to achieve conditional certification while addressing gaps in compliance. To qualify for a POA&M, organizations (OSAs) must:

  • Achieve a minimum aggregate score of 0.8 or higher on their CMMC assessment
  • Avoid missing any critical controls worth 1 point, except for SC.L2-3.13.11 (cryptographic protection of CUI) under specific conditions
  • Create a customized POA&M that clearly outlines remediation steps for each deficiency
  • Complete a POA&M closeout assessment within 180 days to verify that corrective actions have been implemented

There is no one-size-fits-all POA&M template. Each POA&M must be tailored to an organization’s specific compliance gaps and approved by a Certified Third-Party Assessor Organization (C3PAO) or DIBCAC assessor.


Applicability of POA&Ms by CMMC Level

Level 1: Not Eligible for POA&Ms

Organizations conducting self-assessments at CMMC Level 1 are not eligible for conditional certification via POA&Ms. Level 1 focuses on basic security controls for Federal Contract Information (FCI), assessed annually through self-assessment.


Level 2: POA&Ms for Controlled Unclassified Information (CUI)

At CMMC Level 2, organizations can use POA&Ms if they meet an 80% assessment score and satisfy all non-negotiable requirements, including:

  • AC.L2-3.1.20: Secure external connections for CUI
  • CA.L2-3.12.4: Documented system security plans
  • PE.L2-3.10.3–5: Physical access safeguards for CUI systems
Level 3: POA&Ms for High-Security Requirements

For CMMC Level 3, eligibility for POA&Ms requires meeting critical controls, such as:

  • IR.L3-3.6.1e: SOC controls
  • RA.L3-3.11.6e: Supply chain risk response
  • SI.L3-3.14.3e: Specialized asset security management
POA&M Closeout Assessment Requirements

Conditional CMMC status lasts 180 days. Organizations must complete a POA&M closeout assessment within this period to confirm all deficiencies are corrected. The closeout process differs by level:

  • Level 2 (self-assessment): Conducted internally
  • Level 2 (C3PAO): Closed out by the same C3PAO
  • Level 3: Government-led closeout via DIBCAC
Broader Requirements for CMMC Certification

POA&Ms do not replace full CMMC compliance. The broader control requirements include:

  • Level 1: 15 controls for FCI, assessed annually via self-assessment
  • Level 2: 110 controls from NIST SP 800-171, protecting FCI and CUI, assessed by self or C3PAO
  • Level 3: 134 controls, combining Level 2 with NIST SP 800-172, assessed triennially by DIBCAC


Streamline Your CMMC Certification with POA&Ms

POA&Ms enable near-compliant organizations to stay competitive by addressing gaps in cybersecurity controls. By leveraging a Plan of Action and Milestones, defense contractors can earn conditional CMMC certification and move to full compliance within 180 days.

At RSI Security, we help organizations achieve and maintain CMMC certification at all levels, whether through POA&Ms or standard compliance processes. Our team of experts guides you through planning, implementation, and official assessments as a Certified Third-Party Assessor Organization (C3PAO).

Download Our CMMC Checklist 



 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Understanding the Interplay Between CMMC, NIST, and DFARS

February 24, 2025

How to Use CMMC Compliance Tools

January 24, 2026

What is the Purpose of the ISOO CUI...

January 22, 2026

The Economic Impact of CMMC Compliance on Small...

February 5, 2025

Breaking Down the DoD Mandatory CUI Training

January 23, 2026

Do You Need CMMC Certification? Here’s How to...

September 5, 2024

How to Prepare for a CMMC Assessment

April 2, 2024

Overview of CMMC Level 5 Requirements

December 16, 2020

The Top 11 Rules of Cyber Hygiene for...

January 30, 2026

What’s the Difference Between CMMC Level 4 and...

January 28, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More