Home Compliance StandardsCMMC The Role of POA&Ms in CMMC Compliance and Certification
CMMC

The Role of POA&Ms in CMMC Compliance and Certification

by RSI Security
written by RSI Security
The-Role-of-Plans-of-Action-and-Milestones.png

The Role of POA&Ms in CMMC Compliance and Certification

Defense contractors pursuing preferred status and sustained U.S. government work must achieve and maintain CMMC certification. One of the most impactful updates to the Cybersecurity Maturity Model Certification (CMMC) is the inclusion of Plans of Action and Milestones (POA&Ms). These give organizations a path to conditional certification—if they understand when and how to use them.

Is your organization ready for CMMC certification? Schedule a consultation with RSI Security to find out.

 

What is a CMMC POA&M, and How Does It Work?

A Plan of Action and Milestones (POA&M) allows organizations that fall short on a limited number of specific controls to achieve conditional certification. To qualify, they must demonstrate both compliance with most requirements and a clear plan to remediate deficiencies quickly.

Understanding POA&Ms in CMMC requires looking at:

  • The context behind CMMC and the introduction of POA&Ms
  • The purpose and requirements of a POA&M
  • How POA&Ms apply differently across CMMC Level 2 and Level 3

 

Regulatory Context for CMMC and POA&Ms

The Department of Defense (DoD) launched the CMMC program in 2020 to strengthen cybersecurity across the Defense Industrial Base (DIB). Initially, the model had five maturity levels and complex requirements. In 2023, CMMC 2.0 streamlined the program into three levels and simplified assessments.

POA&Ms were introduced to help organizations that meet most requirements but miss a few critical ones. They allow for conditional compliance, with the expectation that deficiencies will be remediated within a set timeframe. This change balances rigorous security standards with realistic contractor capabilities.

 

POA&Ms Explained: Plan of Action and Milestones 101

POA&Ms apply primarily at CMMC Level 2 or higher. To qualify, organizations (OSAs) must:

  • Achieve a minimum aggregate score of 0.8 or greater on their assessment
  • Avoid missing any controls worth 1 point (except SC.L2-3.13.11, cryptographic protection of CUI, under specific conditions)
  • Create a customized POA&M outlining remediation steps
  • Undergo a POA&M closeout assessment within 180 days to validate corrective action

There is no single plan of action and milestones template. Instead, each POA&M must be tailored to the organization’s deficiencies and approved by a C3PAO or DIBCAC assessor.

 

Applicability of POA&Ms by CMMC Level

Level 1: Not Eligible for POA&Ms

Organizations conducting self-assessments at Level 1 are not eligible for conditional certification via POA&Ms.

 

Level 2: POA&Ms for Controlled Unclassified Information (CUI)

At Level 2, POA&Ms may be applied if the organization meets an 80% score and all non-negotiable requirements such as:

    • AC.L2-3.1.20: Secure external connections for CUI
  • CA.L2-3.12.4: Documented system security plans
  • PE.L2-3.10.3–5: Physical access safeguards for CUI systems

 

Level 3: POA&Ms for High-Security Requirements

At Level 3, eligibility requires meeting critical controls such as:

  • IR.L3-3.6.1e: SOC controls
  • RA.L3-3.11.6e: Supply chain risk response
  • SI.L3-3.14.3e: Specialized asset security management

 

POA&M Closeout Assessment Requirements

Conditional CMMC status lasts only 180 days. Within that period, organizations must complete a closeout assessment to confirm all deficiencies are corrected. The process varies by level:

  • Level 2 (self-assessment): Conducted internally for eligible organizations
  • Level 2 (C3PAO): Must be closed out by the same C3PAO
  • Level 3: Government-led closeout via DIBCAC

 

Broader Requirements for CMMC Certification

POA&Ms don’t replace the full requirements of CMMC compliance:

  • Level 1: 15 controls, protecting FCI, assessed annually via self-assessment
  • Level 2: 110 controls from NIST SP 800-171, protecting FCI and CUI, assessed by self or C3PAO
  • Level 3: 134 controls, combining Level 2 with NIST SP 800-172, assessed triennially by DIBCAC

 

Streamline Your CMMC Certification

POA&Ms make it possible for near-compliant organizations to stay competitive while fixing gaps. By leveraging this program, defense contractors can earn conditional certification and transition to full compliance within 180 days.

RSI Security helps organizations achieve and maintain CMMC certification at all levels, whether through POA&M or standard compliance. Our experts guide you through planning, implementation, and official assessments as a Certified Third-Party Assessor Organization (C3PAO).

Get a clear roadmap to CMMC compliance, download our CMMC checklist and prepare for certification with confidence.

 

Download Our CMMC Checklist


 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Who Can Decontrol CUI?

March 12, 2024

What is CUI? Basic Concepts Explained

April 30, 2025

Breaking Down the DoD Mandatory CUI Training

May 23, 2023

What is CUI Specified?

March 20, 2023

How to Respond to an Advanced Persistent Threat

April 1, 2021

Integrating NIST Incident Response and DoD Compliance

May 21, 2023

A Beginner’s Guide to the CMMC 2.0 Requirements

April 2, 2024

The Economic Impact of CMMC Compliance on Small...

February 5, 2025

What are the CMMC 2.0 Certification Requirements?

November 13, 2024

Overview of CMMC Level 2 Requirements

December 11, 2020

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More