Plan of Action & Milestones

The term “POA&M” gets used loosely in CMMC conversations, but it refers to two distinct documents with different purposes and different consequences. Confusing them is one of the most common mistakes in assessment preparation.

The operational plan of action, required by CA.L2-3.12.2, is your internal, living document that tracks temporary deficiencies: issues you have discovered and are actively remediating. You define the format: spreadsheet, GRC tool, ticketing system, database.

What goes here: Temporary deficiencies — problems that arose after a control was implemented. A FIPS-validated module that needs a patch. A logging gap discovered during a quarterly review. A configuration drift caught by a compliance scan. A vulnerability identified in your monthly scan that hasn’t been remediated yet.

What does NOT go here: Controls you haven’t implemented yet. “We plan to deploy MFA next quarter” is not a temporary deficiency — it’s an unimplemented requirement. The operational plan of action is not a roadmap for initial implementation.

Assessment impact: Items properly documented in the operational plan of action — with deficiency reviews, milestones, and evidence of progress — are assessed as MET per 32 CFR § 170.24(b)(1)(ii). This is a critical point: a temporary deficiency tracked in your operational plan of action does not generate a NOT MET finding.

The CMMC POA&M is created when the C3PAO assessment finds NOT MET requirements. This is not your document; it is the formal output of the assessment process, governed by 32 CFR § 170.16.

What goes here: Requirements the assessor scored NOT MET. Only POA&M-eligible requirements can appear here. If a non-POA&M-eligible requirement is NOT MET, there is no conditional certification — you fail.

Assessment impact: The presence of a CMMC POA&M means you receive Conditional certification, not Final. The 180-day clock starts immediately.


When conditional certification is granted with a CMMC POA&M:

  1. Day 0 — Conditional certification issued. The 180-day clock starts.
  2. Days 1–180 — You remediate every NOT MET item on the CMMC POA&M. Implement the controls, gather evidence, prepare for verification.
  3. By Day 180 — The C3PAO conducts a closeout assessment verifying every POA&M item is now MET.
  4. If all items close — Conditional status upgrades to Final Level 2 (C3PAO). Certification is valid for three years with annual affirmations.
  5. If items remain open at Day 180 — Certification is revoked. You must start a new assessment.

There is no extension mechanism. 180 days is a hard deadline. Plan your remediation timeline aggressively and build in buffer — if you’re planning to close items at Day 175, you have no room for delays.


The rules are precise. Per 32 CFR § 170.21(a)(2):

Only 1-point requirements can be on the CMMC POA&M. No 3-point or 5-point requirement is eligible — with one narrow exception. If any 3-point or 5-point requirement is NOT MET, you cannot receive conditional certification.

The one exception: SC.L2-3.13.11 (CUI Encryption) can be on the POA&M if encryption exists but isn’t FIPS-validated — which is scored as a 3-point deduction rather than 5. If no encryption is employed at all, it’s 5 points and cannot be on the POA&M.

The 80% threshold: Your score must be at least 88 out of 110 to qualify for conditional certification. Even if all your NOT MET items are 1-point requirements, too many of them will push you below 88.

Additionally, 32 CFR § 170.21(a)(2)(iii) names specific requirements that can never be on a POA&M regardless of point value — including IA.L2-3.5.3 (MFA).

Every requirement page in this reference shows POA&M eligibility at the bottom. When planning your readiness timeline: all 5-point and 3-point requirements must be fully MET before scheduling your assessment. The 1-point requirements are your only conditional certification runway.
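As an added worked example (not part of this reference), the eligibility rules above encoded as a checker: per-requirement point values (1, 3 or 5) are taken as input rather than embedded from the DoD scoring table, and the never-eligible set lists only the requirement this page names.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88           # the 80% threshold
CUI_ENCRYPTION = "SC.L2-3.13.11"
# Never POA&M-eligible regardless of point value (32 CFR 170.21(a)(2)(iii));
# only the requirement the page names is listed, the rule itself has more.
NEVER_POAM_ELIGIBLE = {"IA.L2-3.5.3"}

@dataclass
class NotMetFinding:
    practice_id: str
    points: int                       # 1, 3 or 5 from the DoD scoring methodology (input)
    encryption_present: bool = False  # only meaningful for SC.L2-3.13.11

@dataclass
class EligibilityResult:
    score: int
    outcome: str                      # "final", "conditional" or "fail"
    poam_items: list = field(default_factory=list)
    blockers: list = field(default_factory=list)

def deduction(f: NotMetFinding) -> int:
    """Points lost for one NOT MET finding: CUI encryption that exists but is
    not FIPS-validated scores 3 rather than 5."""
    if f.practice_id == CUI_ENCRYPTION:
        return 3 if f.encryption_present else 5
    return f.points

def poam_eligible(f: NotMetFinding) -> bool:
    """1-point requirements only, minus the never-eligible list, plus the one
    3-point exception for non-FIPS-validated CUI encryption."""
    if f.practice_id in NEVER_POAM_ELIGIBLE:
        return False
    if f.practice_id == CUI_ENCRYPTION:
        return f.encryption_present
    return deduction(f) == 1

def evaluate(findings: list) -> EligibilityResult:
    """Final with no NOT MET findings; conditional only if every finding is
    POA&M-eligible and the score is at least 88; otherwise the assessment fails."""
    score = MAX_SCORE - sum(deduction(f) for f in findings)
    poam = [f.practice_id for f in findings if poam_eligible(f)]
    blockers = [f.practice_id for f in findings if not poam_eligible(f)]
    if score < MIN_CONDITIONAL_SCORE:
        blockers.append(f"score {score} below {MIN_CONDITIONAL_SCORE}")
    if not findings:
        return EligibilityResult(score, "final")
    return EligibilityResult(score, "fail" if blockers else "conditional", poam, blockers)
```

Feed it the NOT MET list from a mock assessment to see whether the remaining gaps leave conditional certification open or already fail the assessment outright.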


Whether operational or CMMC, every POA&M entry needs the same elements. A vague entry is almost as bad as no entry.

Required elements for each entry:

  • Finding description — What specific deficiency exists? Not “improve access controls” but “three service accounts in Entra ID lack documented owners and quarterly review.”
  • Affected requirement — The CMMC practice ID (e.g., AC.L2-3.1.1).
  • Severity — Risk-based rating that drives prioritization.
  • Named owner — A person, not a department. “John Smith, IT Security Lead” — not “IT Department.”
  • Specific remediation steps — Not “implement MFA” but “configure Conditional Access policy (week 1), enable for admin accounts (week 2), pilot with CUI users (week 3), roll out to all users (week 4), verify compliance (week 5).”
  • Milestones with dates — Measurable checkpoints with specific target dates.
  • Resources — Budget, people, and tools allocated to the remediation.
  • Current status — Updated regularly. “In progress — Conditional Access policy configured, admin enforcement active, user rollout begins next Monday.”

This is the document that keeps you at MET for temporary deficiencies. Manage it poorly and temporary deficiencies become NOT MET findings.

Review cadence. Monthly at minimum. The IT Security Lead reviews every open item: Is progress being made? Are milestones being hit? Do any items need escalation or revised timelines?

Evidence of progress. The assessor will check that your operational plan of action shows active management — not a list of items that have been sitting unchanged for months. Each item should have dated status updates showing movement toward closure.

Closure verification. When an item is remediated, document the closure evidence: what was done, when, by whom, and how you verified the fix works. Closed items should be archived, not deleted — the assessor may ask to see recently closed items as evidence that your process works.

Connection to other processes. Your operational plan of action should be fed by multiple sources: vulnerability scans (3.11.2), self-assessments (3.12.1), incident lessons learned (3.6.3), security advisory responses (3.14.3), and continuous monitoring (3.12.3). If it’s only updated during annual assessment prep, it’s not a living document.


Confusing the two POA&Ms. Treating the operational plan of action as a place to park unimplemented requirements. Remember: operational plan of action = temporary deficiencies (scored MET). CMMC POA&M = NOT MET findings from assessment (triggers conditional certification).

Empty POA&M. An operational plan of action with zero items is suspicious — every organization discovers temporary deficiencies through scans, reviews, and operations. An empty document suggests you’re either not looking for problems or not documenting them.

Stale entries. Items with target dates that passed months ago and no status updates. This tells the assessor your plan of action is not being managed. Review monthly and update every entry.

Vague remediation steps. “Fix the problem” is not a remediation plan. Break actions into specific, assignable steps with measurable milestones.

Planning to rely on the CMMC POA&M. Some companies intentionally plan to receive conditional certification and remediate within 180 days. This is risky: 180 days goes fast, the closeout assessment costs additional C3PAO time and money, and some requirements are not eligible for POA&M at all. The better strategy: aim for Final certification and treat any NOT MET as an unexpected setback, not a planned outcome.