Short answer: A CMMC POA&M (Plan of Action & Milestones) is a living spreadsheet that lists every NIST SP 800-171 requirement you have not yet fully implemented, the deficit's risk, the corrective action, the named owner, the resources needed, and a target completion date. Under the CMMC 2.0 rule (32 CFR Part 170) only 1-point requirements may sit on a POA&M, with a narrow carve-out for FIPS-validated cryptography (3.13.11) when encryption is in place but not yet FIPS-validated; 3-point and 5-point requirements must be met at assessment, and every POA&M item must be closed within 180 days. Write it like an engineering ticket, not a strategy memo.
What a POA&M actually is
Under CMMC 2.0, a POA&M is the document that lets a C3PAO issue a conditional Level 2 certification when you have minor gaps. You get 180 days to close the items; the C3PAO verifies closure, and the conditional certification becomes a final one. If any open item is not POA&M-eligible, or your assessment score is below the threshold, no certification is issued at all.
Required format
DoD does not mandate a specific template, but every accepted POA&M has these columns:
- Control ID (e.g. 3.4.4)
- Weakness description — one sentence in plain English
- Source — self-assessment, C3PAO finding, internal audit
- Risk level — high / medium / low (your call, document the reasoning)
- Owner — a named person, not a team
- Resources required — dollars, people, tooling
- Milestones — dated checkpoints
- Scheduled completion date
- Status — open / in progress / closed (there is no risk-accepted state under CMMC; an item still open after 180 days forfeits the conditional certification)
Which gaps can sit on a POA&M
CMMC 2.0 limits POA&M-eligible items to requirements worth 1 point in the CMMC scoring methodology, and even those have a cap: your score at assessment, with the POA&M items counted as not met, must be at least 88 out of 110 (0.8 of the total) for conditional certification. Five 1-point requirements are barred from a POA&M regardless of weight: 3.1.20 (external connections), 3.1.22 (publicly accessible content), and the physical-access requirements 3.10.3, 3.10.4 and 3.10.5. The 3-point and 5-point requirements, including MFA (3.5.3) and audit log generation (3.3.1), can never be deferred; they must be fully implemented on day one. The rule's one carve-out is 3.13.11 (FIPS-validated cryptography), which may sit on a POA&M when encryption is already in use but not yet FIPS-validated. Note that "FedRAMP Moderate or equivalent" for a cloud provider holding CUI is a separate DFARS 252.204-7012 obligation, not a scored 800-171 requirement, so it cannot be put on a POA&M either.
How to write each row
Write each row as if a stranger has to execute it in 90 days: the weakness names the specific deficiency (which system, which population of users), the corrective action says what will exist when the work is done, each milestone is a dated checkpoint with the named owner, and the completion date lands inside the 180-day window measured from the assessment date.
7 mistakes that get plans rejected
- Listing a 3-point or 5-point control on the POA&M (must be implemented, not deferred).
- "TBD" in the completion date column.
- Owner = "IT" instead of a named person.
- Risk level set to "low" with no justification.
- Same closure date for 30 different items (signals copy-paste).
- No milestones — just a start and end date.
- POA&M items that contradict the SSP (e.g. SSP says MFA enforced, POA&M says it's not).
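The seven rejection causes above, together with the eligibility rules (1-point only, barred requirements, 88/110 threshold, 180-day window), are mechanical enough to lint before the C3PAO sees the sheet. The following Python script is an added example, not a template from this article or from DoD; the `WEIGHTS` table is an assumed subset of the DoD Assessment Methodology point values that you would fill in from the official table, and the assessment date, owners and sample rows are constructed for illustration.

```python
"""Lint a CMMC Level 2 POA&M the way a C3PAO reads it.

Added example, not part of the original article. WEIGHTS is an assumed
subset of the DoD Assessment Methodology point values; the assessment
date, owner names, sample rows and the same-date threshold are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_POINTS = 110
MIN_CONDITIONAL_SCORE = 88          # 0.8 x 110 under 32 CFR 170.21
CLOSURE_WINDOW = timedelta(days=180)

# Assumed subset of NIST SP 800-171 point values; load all 110 from the
# official table before running this against a real POA&M.
WEIGHTS = {"3.1.1": 5, "3.1.20": 1, "3.3.1": 5, "3.3.4": 1, "3.4.4": 1,
           "3.5.3": 5, "3.8.4": 1, "3.13.11": 5}
# 1-point requirements the rule bars from a POA&M regardless of weight.
BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The rule's one carve-out: 3.13.11 may be deferred when encryption is in
# place but not FIPS-validated. Modelled here as a flag on the row.
FIPS_CARVEOUT = "3.13.11"
GENERIC_OWNERS = {"", "it", "security", "infosec", "team", "tbd", "vendor"}


@dataclass
class Row:
    control: str
    weakness: str
    owner: str
    risk: str                          # high / medium / low
    risk_rationale: str
    milestones: list[tuple[str, str]]  # (ISO date, checkpoint)
    completion: str                    # ISO date; "TBD" is a finding
    encryption_in_place: bool = False  # only meaningful for 3.13.11


def parse_date(text: str) -> date | None:
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def lint_row(row: Row, assessed: date) -> list[str]:
    """Return the reasons a C3PAO would bounce this single row."""
    problems = []
    weight = WEIGHTS.get(row.control)
    if weight is None:
        problems.append("control not in point table")
    elif row.control in BARRED:
        problems.append("requirement barred from POA&M by rule")
    elif weight > 1 and not (row.control == FIPS_CARVEOUT and row.encryption_in_place):
        problems.append(f"{weight}-point requirement must be implemented, not deferred")
    due = parse_date(row.completion)
    if due is None:
        problems.append(f"completion date {row.completion!r} is not a date")
    elif due > assessed + CLOSURE_WINDOW:
        problems.append(f"completion {due} is past the 180-day window")
    if row.owner.strip().lower() in GENERIC_OWNERS or len(row.owner.split()) < 2:
        problems.append("owner must be a named person, not a team")
    if row.risk.lower() == "low" and not row.risk_rationale.strip():
        problems.append("risk 'low' needs a written justification")
    if not row.milestones:
        problems.append("no dated milestones between start and completion")
    return problems


def lint_poam(rows, assessed, ssp_implemented=frozenset(), same_date_threshold=5):
    """Lint every row plus the plan-wide checks: score, copy-paste dates, SSP."""
    findings = {}
    for row in rows:
        problems = lint_row(row, assessed)
        if row.control in ssp_implemented:
            problems.append("SSP claims this control is implemented; POA&M says it is not")
        if problems:
            findings.setdefault(row.control, []).extend(problems)
    dates = Counter(r.completion for r in rows)
    crowded = [d for d, n in dates.items() if n >= same_date_threshold]
    if crowded:
        findings["*"] = [f"{dates[d]} items share completion date {d}" for d in crowded]
    # Score at assessment: every POA&M row counts as not met.
    score = TOTAL_POINTS - sum(WEIGHTS.get(r.control, 0) for r in rows)
    return {"score": score,
            "eligible": score >= MIN_CONDITIONAL_SCORE and not findings,
            "findings": findings}


ASSESSED = date(2026, 3, 2)   # constructed assessment date
SAMPLE_ROWS = [                # constructed rows; one clean, four with defects
    Row("3.3.4", "No alert when the SIEM stops receiving audit logs",
        "J. Ortiz", "medium", "Detection gap only; logs are still written",
        [("2026-04-15", "Heartbeat monitor deployed on log collector"),
         ("2026-05-20", "Alert routed to on-call; tested with forced outage")],
        "2026-06-15"),
    Row("3.5.3", "MFA not enforced for local workstation logon",
        "J. Ortiz", "high", "", [("2026-04-01", "Pilot group enrolled")], "2026-05-01"),
    Row("3.4.4", "Change requests lack a security impact analysis field",
        "IT", "medium", "", [("2026-04-01", "Form updated")], "TBD"),
    Row("3.8.4", "Removable media holding CUI is not labelled",
        "P. Nair", "low", "", [], "2026-06-15"),
    Row("3.1.20", "No inventory of external system connections",
        "P. Nair", "medium", "", [("2026-10-01", "Inventory complete")], "2026-12-01"),
]

if __name__ == "__main__":
    report = lint_poam(SAMPLE_ROWS, ASSESSED, ssp_implemented={"3.8.4"})
    print(f"score {report['score']}/110, eligible: {report['eligible']}")
    for control, problems in report["findings"].items():
        for p in problems:
            print(f"  {control}: {p}")
```

The score check runs with every POA&M row counted as not met, which is how the assessment score is computed; in the sample the score is 101 but the plan is still not eligible because four rows carry defects. Run it against an export of your real sheet before the assessment and again before each milestone review.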
Frequently asked questions
- Can I get final Level 2 certification with open POA&M items?
- No. Open POA&M items grant conditional certification only. You have 180 days to close them; failing that, the conditional status expires and you must be reassessed.
- Who owns the POA&M after assessment?
- You do. The C3PAO documents which items they validated; ongoing tracking, milestone updates, and closure evidence are your responsibility.
- Do I share the POA&M with primes?
- Only when contractually required. A redacted summary (control count, target dates) is usually sufficient. The full POA&M reveals exploitable gaps and should be NDA-protected.
- What if I miss the 180-day window?
- Conditional certification lapses, you lose CMMC-required contract eligibility, and you re-engage the C3PAO for a full reassessment.