All About POA&Ms: Supporting CMMC Compliance Efforts
- David Sutherin
- Aug 26, 2025
- 4 min read
For many, the road to CMMC is challenging, and not every requirement may be fully in place on assessment day. Fortunately, that’s where POA&Ms come in. Make no mistake—POA&Ms are not a free pass. They’re a tightly governed tool designed to help organizations close the gap on specific, lower-impact requirements when nearly all others are already met.

In this post, we’ll dig into what organizations need to know about CMMC POA&Ms, how they can be used, and where companies need to be extra cautious.
What Are POA&Ms and Why They Matter for CMMC
At their core, Plans of Action & Milestones (POA&Ms)—pronounced POH AM—are implementation plans for any unmet requirements discovered during a CMMC assessment. POA&Ms outline planned remediation steps, assign ownership, and set deadlines. Think of them as your compliance task list—but with regulatory oversight.
Their value lies in providing a formalized process for moving forward even when a few minor gaps exist, while still maintaining DoD trust. As part of a CMMC Level 2 assessment, a company may be designated a “Conditional Level 2” status for CMMC compliance when there are minor compliance issues that do not broadly impact the organization’s overall security, and where the organization has developed a clear, time-bound strategy for closing gaps through POA&Ms.
POA&Ms demonstrate accountability and progress; they do not excuse poor security.
POA&Ms in Context: Levels and Limits
The DoD’s allowance for POA&Ms varies by CMMC level. At Level 1, there’s zero tolerance for gaps: all 15 practices must be implemented, period.
At Level 2, there’s limited flexibility. Companies must have at least 80% of practices (88 out of 110) scored as “met” in order to qualify for Conditional Status. Only then can POA&Ms be used, and only for lower-impact controls.
Level 3 maintains the same 80% threshold but tightens restrictions on what can be deferred.
What Can—and Cannot—Be Deferred
Per 32 CFR 170.21, POA&Ms cannot be used to delay high-impact or foundational security practices. This means certain controls must be in place before certification is possible. In fact, the CMMC Assessment Process (CAP) requires assessors to verify organizations have sufficient coverage of the CMMC requirements before they can even start a Level 2 assessment. Examples of practices which cannot be deferred include implementing multifactor authentication, establishing boundary protections, controlling external connections, and maintaining physical access logs in CUI areas.
Similarly, Level 3 prohibits deferral of practices like employing a security operations center (SOC), performing threat-informed risk assessments, and securing specialized assets. Level 3 requirements are assessed separately from Level 2 requirements, and an organization cannot undergo a Level 3 assessment if they have outstanding POA&Ms from Level 2 (32 CFR 170.24(c)(3)).
POA&Ms may include less critical, one-point controls—often documentation or review-based tasks. For example, a missed periodic access review or incomplete written procedure might be deferred if the core technology and protections are in place. Even then, these items come with strict conditions: they must be documented, time-bound, and verified within 180 days.
Key Callouts
The following are some key callouts related to practices’ eligibility for inclusion in a POA&M.
Practices INELIGIBLE for POA&M, by CMMC Level
Level 1: No POA&M permitted at Level 1.
Level 2: In addition to all Level 1 practices, the following requirements are ineligible for inclusion in a POA&M:
- AC.L2-3.1.20 (External Connections)
- AC.L2-3.1.22 (Control Public Information)
- PE.L2-3.10.3 (Escort & Monitor Visitor Activity)
- PE.L2-3.10.4 (Maintain Physical Access Logs)
- PE.L2-3.10.5 (Manage Physical Access Devices)
- CA.L2-3.12.4 (System Security Plan)
- SC.L2-3.13.11 (FIPS-validated Cryptography for CUI)*
* A POA&M is permitted if cryptographic mechanisms are in use, but those mechanisms aren’t FIPS-validated (32 CFR 170.21(a)(2)(ii)).
Level 3: In addition to the ineligible practices from Level 2:
- IR.L3-3.6.1e (Security Operations Center)
- IR.L3-3.6.2e (Cyber Incident Response Team)
- RA.L3-3.11.1e (Threat-Informed Risk Assessment)
- RA.L3-3.11.6e (Supply Chain Risk Response)
- RA.L3-3.11.7e (Supply Chain Risk Plan)
- RA.L3-3.11.4e (Security Solution Rationale)
- SC.L2-3.13.11 (FIPS-validated Cryptography for CUI)**
- SI.L3-3.14.3e (Specialized Asset Security)
** At Level 3, a POA&M is not permitted for cryptography that isn’t FIPS-validated.
For more information, download our full list of CMMC Level 2 practice POA&M eligibility (and corresponding scores).
POA&Ms vs. Quick Fixes
During an assessment, some findings are simple enough to resolve on the spot—such as updating antivirus signatures or expiring user credentials. These don’t require a formal plan and can be resolved before the assessment closeout through the “security requirement re-evaluation” process (32 CFR 170.17(c)(2)), though they are very limited and at the discretion of the assessor. POA&Ms are reserved for requirements that need additional work and oversight beyond the audit window.
The 180-Day Clock and Closeout
Once Conditional Status is granted, the timer starts. Organizations have 180 days to address all POA&M items and undergo a Closeout Assessment. At Level 2, this may involve your own team (for self-assessments) or a C3PAO. At Level 3, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) takes the lead.
Failure to resolve any outstanding POA&Ms within the 180-day timeframe means losing certification—a costly setback for any business.
Strategic Use of POA&Ms
The smart contractor views POA&Ms not as a crutch but as a tool for prioritization. By understanding what can and cannot be deferred, teams can focus resources on controls that must be in place by audit day, while planning remediation for lower-impact gaps. This clarity reduces stress, improves resource allocation, and builds a culture of continuous improvement that benefits security posture long after certification.
Key Takeaways
POA&Ms are a sign of accountability, not weakness. Used correctly, they keep implementation on track without undermining foundational security. The lesson: know the rules, prioritize high-impact controls, and treat POA&Ms as temporary, monitored commitments.