
POA&M Management for CMMC: What Defense Contractors Get Wrong (and How to Get It Right)

March 8, 2026
13 min read

Let me tell you what happens when a defense contractor treats their Plan of Action and Milestones like a parking lot for problems they don't want to deal with.

I watched a 45-person engineering firm lose a $3.2 million subcontract last year because they assumed their POA&M would buy them unlimited time. They had seven open items — three of which weren't even eligible for POA&M treatment under 32 CFR 170. Their Conditional Level 2 status expired. The prime moved on.

After 30 years in cybersecurity and as a CIO who has shepherded organizations through every phase of CMMC compliance, I can tell you this: the POA&M is the single most misunderstood document in the CMMC ecosystem. It's not a safety net. It's a structured commitment with hard deadlines, strict eligibility rules, and real consequences for failure.

With CMMC Phase 2 assessments ramping up through 2026, your POA&M strategy can be the difference between maintaining contract eligibility and watching competitors take your work. This guide covers everything you need to know to get it right.

What Is a POA&M in the CMMC Context?

A Plan of Action and Milestones is a formal document that identifies specific security requirements your organization has not yet met, along with the concrete steps, responsible parties, resources, and deadlines for closing those gaps.

POA&Ms have been a staple of federal cybersecurity for decades — they're referenced throughout NIST Special Publications and FISMA requirements. But in the CMMC world, they operate under much tighter constraints than most contractors realize.

Under the CMMC Final Rule (32 CFR Part 170, §170.21), a POA&M is not a general remediation plan you can create at will. It's a specific mechanism that allows your organization to achieve a Conditional CMMC status while you close out a limited number of deficiencies — subject to strict eligibility criteria and a hard 180-day closeout window.

Think of it this way: a POA&M is a probationary license, not a learner's permit. You've demonstrated that you meet the vast majority of requirements, and you've earned a narrow window to finish the job.

The Rules: What 32 CFR 170.21 Actually Says

Let's cut through the confusion and lay out the regulatory framework. These aren't guidelines or best practices — they're enforceable rules.

Level 1: No POA&Ms. Period.

If your organization only requires CMMC Level 1 (handling Federal Contract Information but not CUI), there is no POA&M option at any time. You either meet all 17 practices or you don't. Full stop.

This catches many small contractors off guard. They assume they'll get some remediation runway. They won't.

Level 2: Strict Eligibility Criteria

For Level 2 (both self-assessment and C3PAO certification), you can achieve a Conditional status with open POA&M items only if all three conditions are met:

1. The 80% Threshold

Your assessment score divided by the total number of Level 2 security requirements must be greater than or equal to 0.80. With 110 NIST SP 800-171 Rev 2 controls, that means you need to demonstrate compliance with at least 88 requirements on assessment day.

This isn't a suggestion. Score below 88, and you don't qualify for Conditional status at all — regardless of how minor your remaining gaps are.

2. Point Value Restrictions

POA&M items are only permitted for controls with a point value of 1 point in the CMMC Scoring Methodology (§170.24). Controls worth 3 or 5 points cannot be placed on a POA&M.

There is one exception: SC.L2-3.13.11 (CUI Encryption) can be placed on a POA&M if encryption is employed but is not yet FIPS-validated. In that case, the point reduction is 3 instead of the full 5.

3. Excluded Controls — Never POA&M-Eligible

Even among 1-point controls, the following are explicitly prohibited from POA&M treatment at Level 2:

Control ID      Requirement                               Why It's Excluded
AC.L2-3.1.20    External Connections (CUI Data)           Direct CUI exposure risk
AC.L2-3.1.22    Control Public Information (CUI Data)     Prevents CUI on public systems
CA.L2-3.12.4    System Security Plan                      Foundational documentation
PE.L2-3.10.3    Escort Visitors (CUI Data)                Physical security baseline
PE.L2-3.10.4    Physical Access Logs (CUI Data)           Audit trail requirement
PE.L2-3.10.5    Manage Physical Access (CUI Data)         Physical security baseline

The logic behind these exclusions is sound: these controls either directly protect CUI from exposure, form the documentation foundation for the entire program (the SSP), or address physical security basics that should already be in place before any assessment.

Level 3: Additional Exclusions

For organizations pursuing Level 3 certification (assessed by DCMA DIBCAC), the same 80% threshold applies, plus seven additional controls are excluded from POA&M eligibility — including requirements for a Security Operations Center, Cyber Incident Response Team, and supply chain risk management capabilities.

The 180-Day Clock: No Extensions, No Exceptions

Here's where contractors get into the most trouble. Once you receive a Conditional CMMC status, you have exactly 180 days to close out every POA&M item and complete a closeout assessment.

Not 181 days. Not "roughly six months." Exactly 180 days from the Conditional CMMC Status Date.

If the POA&M is not successfully closed out within that window, your Conditional status expires. Not "downgrades." Not "gets extended." Expires.

The closeout assessment depends on your level:

  • Level 2 Self-Assessment: You perform the closeout in the same manner as your initial self-assessment.
  • Level 2 C3PAO Certification: The same C3PAO (or another authorized one) must perform the closeout assessment — which may require another on-site visit.
  • Level 3: DCMA DIBCAC performs the closeout.

For C3PAO-assessed organizations, factor in the scheduling reality. C3PAOs are in high demand. If you wait until month four to start remediation, you may not be able to schedule the closeout assessment before your 180 days run out.

My recommendation: begin POA&M remediation on day one. Treat the 180-day window as a 120-day window, leaving 60 days of buffer for scheduling the closeout assessment and handling any surprises.
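The Level 2 eligibility rules above (80% threshold, 1-point restriction with the SC.L2-3.13.11 exception, six excluded controls) and the 180-day clock can be checked mechanically before assessment day. The script below is an added example written for this article, not a tool from the article or from any assessor; it assumes the caller supplies each control's point value from the CMMC Scoring Methodology and the Conditional CMMC Status Date as an ISO date, and it covers Level 2 only (Level 3 adds further exclusions).

```python
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_L2 = 110        # NIST SP 800-171 Rev 2 requirements at Level 2
THRESHOLD_PCT = 80    # score / TOTAL_L2 must be >= 0.80, i.e. at least 88 of 110
CLOSEOUT_DAYS = 180   # hard closeout window from the Conditional CMMC Status Date
INTERNAL_DAYS = 120   # recommended internal target, keeping 60 days of buffer
# Level 2 controls that may never be carried on a POA&M (32 CFR 170.21)
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}

@dataclass
class Finding:
    control: str
    points: int                        # 1, 3 or 5 per the CMMC Scoring Methodology
    met: bool
    non_fips_encryption: bool = False  # only meaningful for SC.L2-3.13.11

def deduction(f: Finding) -> int:
    # Points subtracted from 110 for this finding (0 when the control is met)
    if f.met:
        return 0
    # CUI encryption employed but not FIPS-validated costs 3 points instead of 5
    if f.control == "SC.L2-3.13.11" and f.non_fips_encryption:
        return 3
    return f.points

def poam_eligible(f: Finding) -> bool:
    # Open 1-point controls (and the 3.13.11 non-FIPS case) not on the excluded list
    if f.met or f.control in NEVER_POAM:
        return False
    return deduction(f) == 1 or (f.control == "SC.L2-3.13.11" and f.non_fips_encryption)

def evaluate(findings: list, conditional_status_date: str) -> dict:
    """Score the assessment, decide Final / Conditional / Not eligible, and date the clock."""
    score = TOTAL_L2 - sum(deduction(f) for f in findings)
    open_items = [f for f in findings if not f.met]
    blockers = [f.control for f in open_items if not poam_eligible(f)]
    if not open_items:
        status = "Final"
    elif score * 100 >= THRESHOLD_PCT * TOTAL_L2 and not blockers:
        status = "Conditional"
    else:
        status = "Not eligible"   # below 88, or an open item that cannot be on a POA&M
    start = date.fromisoformat(conditional_status_date)
    return {"score": score, "status": status, "blockers": blockers,
            "poam_items": [f.control for f in open_items if poam_eligible(f)],
            "closeout_deadline": (start + timedelta(days=CLOSEOUT_DAYS)).isoformat(),
            "internal_target": (start + timedelta(days=INTERNAL_DAYS)).isoformat()}

if __name__ == "__main__":
    # Constructed sample: the article's AU.L2-3.3.1 gap plus non-FIPS CUI encryption
    sample = [Finding("AU.L2-3.3.1", 1, False), Finding("AC.L2-3.1.20", 5, True),
              Finding("SC.L2-3.13.11", 5, False, non_fips_encryption=True)]
    print(evaluate(sample, "2026-03-08"))
```

Run it against your gap-analysis export well before assessment day: any control listed under "blockers" must be remediated outright, because no POA&M will carry it.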

The Five POA&M Mistakes That Kill Contracts

Over three decades of compliance work, I've seen the same patterns destroy organizations' CMMC ambitions. Here's what to watch for.

Mistake 1: Treating POA&Ms as a Catch-All

Some contractors enter their assessment with a strategy of "we'll just POA&M whatever we fail." This is catastrophic for two reasons: (a) you might not meet the 80% threshold, and (b) many of your failures may involve controls that can't be placed on a POA&M.

Fix: Complete a thorough gap analysis 6-12 months before your assessment. Identify every unmet control, determine its point value and POA&M eligibility, and remediate everything you can before assessment day.

Mistake 2: Vague Remediation Plans

"We will implement multi-factor authentication" is not a POA&M entry. An assessor will reject it — and they should. Effective POA&M entries include specific technical actions, responsible individuals, procurement requirements, interim milestones, and realistic completion dates.

Fix: Every POA&M entry should answer: What exactly will we do? Who owns it? What resources are needed? What are the interim checkpoints? When will it be complete? What evidence will demonstrate closure?

Mistake 3: Ignoring Resource Requirements

A POA&M that requires a $50,000 SIEM deployment but doesn't account for budget approval, procurement timelines, or implementation resources isn't a plan — it's a wish list.

Fix: Validate that every POA&M item has allocated budget, assigned personnel, and realistic timelines that account for procurement, implementation, testing, and evidence collection.

Mistake 4: No Tracking or Accountability

Too many organizations create a POA&M, file it, and forget it until the closeout date approaches. Without regular status reviews, items slip, owners change roles, and suddenly you're at day 150 with three open items and no path to closure.

Fix: Establish a recurring POA&M review cadence — at minimum monthly, ideally biweekly. Assign an executive sponsor with authority to remove blockers and hold owners accountable.

Mistake 5: Not Planning the Closeout Assessment

For C3PAO assessments, the closeout isn't just a checkbox. It's a separate assessment that requires scheduling, evidence preparation, and potentially another site visit. Organizations that don't plan for this from day one often find themselves in a scheduling crunch.

Fix: Contact your C3PAO within the first 30 days of Conditional status to tentatively schedule the closeout assessment window. Work backward from that date to set your remediation deadlines.

Building a POA&M That Assessors Respect

A well-structured POA&M demonstrates maturity and seriousness. Here's the anatomy of a POA&M entry that will survive assessor scrutiny.

Required Elements Per 32 CFR 170

Each POA&M entry must include:

  • The specific NIST SP 800-171 control (requirement number and description)
  • The responsible party (named individual, not a department)
  • Planned remediation actions (specific, technical, measurable)
  • Start date and target completion date
  • Milestones with interim completion dates
  • Actual actions taken (updated as work progresses)
  • Current status (ongoing or complete)

My Recommended Additions

Beyond the regulatory minimum, I recommend including:

  • Root cause analysis — Why isn't this control met today? Understanding the "why" prevents recurrence.
  • Risk mitigation during remediation — What compensating measures are in place while the control is open?
  • Evidence artifacts — What documentation will prove closure? Define this upfront so there's no ambiguity.
  • Dependencies and blockers — What could prevent on-time closure? Procurement approvals, vendor timelines, personnel availability.
  • Budget allocation — Confirmed funding for any required tools, services, or personnel.

Sample POA&M Entry

Here's a simplified example of what a strong POA&M entry looks like:

Control: AU.L2-3.3.1 — System Auditing

Status: NOT MET (Point Value: 1)

Responsible Party: James Rivera, IT Security Manager

Root Cause: Current logging infrastructure captures authentication events but does not log file access events on the CUI enclave file server.

Planned Actions:

  1. Configure Windows Advanced Audit Policy for object access on CUI file shares (Week 1-2)
  2. Deploy Wazuh SIEM agent to CUI enclave servers for log aggregation (Week 2-4)
  3. Create alert rules for anomalous file access patterns (Week 4-6)
  4. Validate log retention meets 90-day minimum requirement (Week 6)
  5. Document procedures and update SSP (Week 7-8)

Compensating Measure: Network segmentation isolates CUI enclave; access limited to authorized users via Active Directory group policy.

Target Completion: May 15, 2026

Evidence for Closure: Screenshots of audit policy configuration, SIEM dashboard showing log collection, 30-day log sample, updated SSP section 3.3.

The Strategic Approach: Minimize POA&M Entries Before Assessment

The best POA&M strategy is to need as few entries as possible on assessment day. Here's a practical timeline:

12 Months Before Assessment

  • Complete a comprehensive gap analysis against all 110 NIST SP 800-171 controls
  • Identify every unmet requirement and classify by point value and POA&M eligibility
  • Develop your System Security Plan if you haven't already
  • Establish your security policy framework — having well-crafted, comprehensive policies in place early eliminates multiple control gaps simultaneously

9 Months Before Assessment

  • Begin remediating high-point-value controls (5 and 3 points) — these cannot be placed on POA&Ms
  • Address all non-POA&M-eligible controls (the six excluded controls listed above)
  • Implement technical controls that require procurement or deployment time

6 Months Before Assessment

  • Target remaining 1-point controls for remediation
  • Begin evidence collection and documentation
  • Conduct an internal mock assessment

3 Months Before Assessment

  • Complete a final self-assessment scoring
  • Verify you'll exceed the 88-point threshold
  • For any controls you genuinely cannot close before assessment day, prepare detailed POA&M entries in advance

Assessment Day

  • Present your SSP, evidence artifacts, and pre-drafted POA&M entries
  • Demonstrate active management and a clear path to closure for any open items

This approach typically results in organizations entering their assessment with 0-3 POA&M items rather than scrambling to POA&M eight or ten controls.

POA&M Management as Ongoing Practice

Even after CMMC certification, mature organizations maintain a continuous POA&M process. Vulnerabilities emerge, configurations drift, and new requirements surface. A standing POA&M process — with regular reviews, executive visibility, and clear ownership — becomes part of your ongoing security operations rather than a one-time compliance exercise.

This is where having a solid policy foundation pays dividends. When your security policies clearly define roles, responsibilities, and processes for identifying and remediating gaps, POA&M management becomes an extension of how you already operate — not a separate compliance burden bolted on at assessment time.

Organizations that approach POA&M management this way don't just pass assessments. They build genuinely stronger security programs that protect the CUI they've been entrusted with — which is the whole point.

The Bottom Line

A POA&M under CMMC isn't the flexible remediation tool many contractors assume it is. It's a narrowly scoped, time-limited mechanism with hard eligibility rules and real consequences for failure.

The contractors who succeed treat POA&M management as a strategic discipline: they minimize entries through early remediation, they build detailed and actionable plans for any remaining items, and they execute against those plans from day one of their Conditional status.

The contractors who fail treat POA&Ms as a safety net for poor preparation.

Don't be the second group.


TalonPoint Security helps defense contractors navigate CMMC compliance with practical, no-nonsense guidance. Our PolicyPack provides the comprehensive security policy framework that eliminates documentation gaps before they become POA&M items — or worse, assessment failures. Get in touch to discuss your compliance strategy.

About the Author

The TalonPoint Security team brings 30 years of cybersecurity expertise with CISM and CISSP certifications. As a practicing Chief Information Officer, our founder implements the security policies and compliance frameworks we write about. TalonPoint Security was founded to make professional CMMC compliance accessible to small and medium-sized defense contractors.
