RSI Security

The Role of POA&Ms in CMMC Compliance and Certification

Defense contractors pursuing preferred status and sustained U.S. government work must achieve and maintain CMMC certification. One of the most impactful updates to the Cybersecurity Maturity Model Certification (CMMC) is the inclusion of Plans of Action and Milestones (POA&Ms). These give organizations a path to conditional certification—if they understand when and how to use them.

Is your organization ready for CMMC certification? Schedule a consultation with RSI Security to find out.

What is a CMMC POA&M, and How Does It Work?

A Plan of Action and Milestones (POA&M) allows organizations that fall short on a limited number of specific controls to achieve conditional certification. To qualify, they must demonstrate both compliance with most requirements and a clear plan to remediate deficiencies quickly.

Understanding POA&Ms in CMMC requires looking at:

  • The context behind CMMC and the introduction of POA&Ms
  • The purpose and requirements of a POA&M
  • How POA&Ms apply differently across CMMC Level 2 and Level 3

Regulatory Context for CMMC and POA&Ms

The Department of Defense (DoD) launched the CMMC program in 2020 to strengthen cybersecurity across the Defense Industrial Base (DIB). Initially, the model had five maturity levels and complex requirements. In 2023, CMMC 2.0 streamlined the program into three levels and simplified assessments.

POA&Ms were introduced to help organizations that meet most requirements but miss a few critical ones. They allow for conditional compliance, with the expectation that deficiencies will be remediated within a set timeframe. This change balances rigorous security standards with realistic contractor capabilities.

POA&Ms Explained: Plan of Action and Milestones 101

POA&Ms apply primarily at CMMC Level 2 or higher. To qualify, organizations seeking assessment (OSAs) must:

  • Achieve an aggregate assessment score of at least 0.8 (80%)
  • Avoid missing any controls worth 1 point (except SC.L2-3.13.11, cryptographic protection of CUI, under specific conditions)
  • Create a customized POA&M outlining remediation steps
  • Undergo a POA&M closeout assessment within 180 days to validate corrective action

There is no single plan of action and milestones template. Instead, each POA&M must be tailored to the organization’s deficiencies and approved by a C3PAO or DIBCAC assessor.

Applicability of POA&Ms by CMMC Level

Level 1: Not Eligible for POA&Ms

Organizations conducting self-assessments at Level 1 are not eligible for conditional certification via POA&Ms.

Level 2: POA&Ms for Controlled Unclassified Information (CUI)

At Level 2, POA&Ms may be applied if the organization meets an 80% score and all non-negotiable requirements such as:

  • AC.L2-3.1.20: Secure external connections for CUI
  • CA.L2-3.12.4: Documented system security plans
  • PE.L2-3.10.3–5: Physical access safeguards for CUI systems

Level 3: POA&Ms for High-Security Requirements

At Level 3, eligibility requires meeting critical controls such as:

  • IR.L3-3.6.1e: SOC controls
  • RA.L3-3.11.6e: Supply chain risk response
  • SI.L3-3.14.3e: Specialized asset security management

POA&M Closeout Assessment Requirements

Conditional CMMC status lasts only 180 days. Within that period, organizations must complete a closeout assessment to confirm all deficiencies are corrected. The process varies by level:

  • Level 2 (self-assessment): Conducted internally for eligible organizations
  • Level 2 (C3PAO): Must be closed out by the same C3PAO
  • Level 3: Government-led closeout via DIBCAC

Broader Requirements for CMMC Certification

POA&Ms don’t replace the full requirements of CMMC compliance:

  • Level 1: 15 controls, protecting FCI, assessed annually via self-assessment
  • Level 2: 110 controls from NIST SP 800-171, protecting FCI and CUI, assessed by self or C3PAO
  • Level 3: 134 controls, combining Level 2 with NIST SP 800-172, assessed triennially by DIBCAC

Streamline Your CMMC Certification

POA&Ms make it possible for near-compliant organizations to stay competitive while fixing gaps. By leveraging this program, defense contractors can earn conditional certification and transition to full compliance within 180 days.

RSI Security helps organizations achieve and maintain CMMC certification at all levels, whether through POA&M or standard compliance. Our experts guide you through planning, implementation, and official assessments as a Certified Third-Party Assessor Organization (C3PAO).

To get a clear roadmap to CMMC compliance, download our CMMC checklist and prepare for certification with confidence.