
How to Create an Effective CMMC POA&M: Steps, Best Practices and Starter Kit

Learn how to build a CMMC POA&M that supports long-term compliance. Get expert insight into what to include, best practices, and updates on new rules. Use our free POA&M starter kit and begin tracking and closing gaps with confidence.

What Is a CMMC POA&M?

A CMMC Plan of Action and Milestones (POA&M) is a document that shows which non-critical CMMC requirements an organization has not yet met. It lists security gaps, outlines steps to resolve them, and monitors progress until the company closes all items and reaches full compliance.

POA&Ms are common throughout compliance frameworks, whether it’s SOC 2, ISO 27001, or CMMC. For CMMC, the POA&M plays a specific role: it lets contractors receive “Conditional CMMC Status” so they can continue bidding on DoD contracts while addressing non-critical gaps identified in a formal assessment.

Instead of completing a full, resource-intensive reassessment immediately, an organization can document the gaps, outline corrective actions, perform interim risk mitigation, and move toward “Final CMMC Status” within an approved timeframe. The process helps the DoD keep more contractors eligible while ensuring organizations actively close deficiencies.

Alongside a System Security Plan (SSP), a POA&M is a key document that helps organizations not only track compliance but also drive continuous improvement in their cybersecurity program.

For Scott Lumpkin, Director at Quantum AI Security, a POA&M is “more than a compliance artifact, it is a structured risk management instrument. Within the context of CMMC Level 2 and NIST SP 800-171, it provides traceability between known deficiencies, planned remediations, and accountable ownership.”

Lumpkin adds: “There are very strong reasons to maintain a POA&M even when it’s not required for compliance. Any organization aligning with NIST SP 800-53, ISO 27001, or the NIST Risk Management Framework can use a POA&M to track weaknesses methodically. It establishes accountability and preserves institutional knowledge, which is something that tickets or spreadsheets cannot maintain over time.”

Article Summary:

A CMMC Plan of Action and Milestones (POA&M) helps defense contractors document, prioritize, and remediate cybersecurity gaps identified in an assessment. This guide explains how POA&Ms enable conditional CMMC status under CMMC 2.0, outlines required elements, and shares expert practices for tracking remediation effectively. It includes a free POA&M template and starter kit to streamline compliance.

How POA&Ms work in the new CMMC 2.0 rule

Under CMMC 2.0, companies that meet at least 80% of requirements can use a POA&M to earn Conditional CMMC Status and gain Final CMMC Status by fixing issues within 180 days. CMMC 1.0 required 100% compliance immediately and did not allow POA&Ms.

The DoD developed the CMMC framework to enforce cybersecurity standards originally established under FISMA, the Federal Information Security Management Act. In the first iteration of CMMC, companies had to meet every security control to earn certification, no matter their compliance level.

In 2024, the DoD published the final rule for CMMC 2.0, introducing several updates to the CMMC framework. Among the changes, the DoD introduced POA&Ms and the Conditional CMMC Status option. To qualify for conditional status using a POA&M, an organization must score at least 80% on a CMMC assessment, meet all “critical controls,” and document in a POA&M how it will resolve the remaining gaps. This option is available only to organizations seeking CMMC Level 2 or CMMC Level 3 certification.

Here are more details about how POA&Ms and conditional status work in CMMC 2.0:

  • Conditional certification for Level 2 and 3
    Companies seeking Level 2 or Level 3 compliance can miss some controls and still receive conditional status if they submit a POA&M. The POA&M lists unmet requirements and the company’s remediation plan. Once approved, the company has 180 days to close out the POA&M. This allows them to continue competing for DoD contracts while addressing gaps, rather than restarting the certification process.

    CMMC Level 1 organizations cannot use a POA&M; they must meet all 15 controls at the time of assessment.

  • 80% threshold
    Both Level 2 and Level 3 require organizations to meet at least 80% of requirements during the assessment. Then, they can use a POA&M to address any unmet requirements that are not “critical” controls. The specifics vary based on the compliance level.

    For Level 2, the DoD uses a weighted point system from NIST SP 800-171, where each of the 110 controls is assigned a value of 1, 3, or 5 points. Many contractors use third-party tools — often called SPRS score calculators or SPRS score generators — to automate the math, though the official method follows the NIST SP 800-171 DoD Assessment Methodology. The resulting score is submitted to the Supplier Performance Risk System (SPRS), and organizations must achieve at least 88 points (80 percent) to qualify for conditional status.

    For Level 3, the 80 percent minimum applies to 24 selected NIST SP 800-172 requirements, each valued at 1 point (24 points total).

  • Critical controls
    “Some NIST controls are too critical to include in a POA&M, and the DoD requires that you meet these controls at the time of the assessment,” says Elliott Harnagel, Product and Compliance Strategist at Strike Graph. “The one-point controls are usually minor and exactly the kind of small, fixable issues the POA&M process is meant to cover.”

    For Level 2 assessments, an organization cannot include any control that’s worth more than one point. Alongside that blanket rule, several controls are worth one point but not allowed in a POA&M. These exceptions are usually related to controls that protect Controlled Unclassified Information (CUI).

    Examples include controls for managing public information, maintaining a system security plan, and restricting physical access. Because these controls are essential to protecting sensitive data, the DoD will not grant conditional status to any organization that fails to meet them, even if it meets other qualifications, such as receiving at least an 80% Level 2 or Level 3 assessment score.

  • Time-limited POA&Ms
    According to the CMMC 2.0 rule, “All POA&Ms must be closed within 180 days of the Conditional CMMC Status Date.” In other words, the DoD gives the organization 180 days to remediate its issues and become fully compliant with all relevant CMMC requirements. If they fail, they lose their conditional status and must restart the CMMC assessment process.

  • POA&M closeout assessment
    After the company completes remediation, the closeout process depends on the type and level of assessment. In this assessment, the reviewer checks only the “NOT MET” requirements that the organization identified in their POA&M during their initial assessment. For Level 2 (Self-Assessment), the organization conducts its own closeout. For Level 2 (C3PAO), a Certified Third-Party Assessment Organization performs the closeout certification assessment. For Level 3, DCMA DIBCAC conducts the closeout assessment.

  • Continuous monitoring
    The DoD requires organizations to treat the POA&M as more than a one-time checklist. Companies must track remediation progress, update documentation, and maintain evidence that they are closing gaps. Continuous monitoring shows an ongoing commitment to CMMC requirements and reassures the DoD that compliance efforts remain active after the initial assessment.

Each CMMC POA&M should list the specific control, describe the issue, and explain how to fix it. It must also include the priority level, timeline, budget, and the person or team responsible for completing the corrective action.

Here's a summary of the key elements of a CMMC POA&M, straight from the National Institute of Standards and Technology (NIST), which defines the security requirements for CMMC:

  • NIST control: Each row in a POA&M corresponds to a specific NIST control that the organization did not fully meet in its assessment. These controls come from NIST SP 800-171 or, for Level 3 organizations, from NIST SP 800-172 (e.g., 3.5.3 Multifactor Authentication).
  • Owner: The person or role responsible for remediation (e.g., IT Security Manager).
  • Budget: Estimated cost to implement the fix (licenses, tools, staff time).
  • Timeline: Target timeframe for completion (in days or by date).
  • Plan and milestones: Step-by-step actions and milestones to close the gap.
  • How was the weakness identified: Describe the method you used to detect the gap (audit, vulnerability scan, penetration test, self-assessment, etc.).
  • Status: Describe the current state of the plan or issue (e.g., open, in progress, complete).

Beyond these essential data fields, Lumpkin recommends that organizations add the following data to make it fully functional for CMMC management:

  • Risk impact or priority level: Ideally, an organization will perform risk assessment and prioritization to identify the most critical vulnerabilities and assign each issue a priority, such as “low,” “medium,” or “high.”

    “This field is important because it allows leadership to separate minor findings from those that directly affect the confidentiality of Controlled Unclassified Information (CUI) or critical business operations,” says Lumpkin.

  • Evidence reference or closure criteria: In this field, the organization specifies which evidence it will use to demonstrate that it has addressed the issue. “Without this field, an assessor cannot confirm that you’ve remediated the issue during a closeout assessment,” explains Lumpkin. 


How to create an effective CMMC POA&M step-by-step

Follow key steps to create an effective CMMC POA&M. Identify and categorize each issue, assign responsibility, estimate resources, and set milestones. Track progress regularly, update statuses as you go, and close items only after they’re fully fixed. Document each critical step in your POA&M template.

Here’s a breakdown of the key steps Lumpkin and Harnagel recommend for creating an effective POA&M. Each step corresponds to a column in the POA&M template to help you plan, assign, and verify remediation activities in order.

  1. Vulnerability identification and documentation:
    “You’ll usually identify a security gap from a self-assessment, gap assessment, or a formal assessment from a Certified Third-Party Assessment Organization,” says Lumpkin. “Each weakness should map directly to a NIST SP 800-171 control and objective.” 
  2. Assign ownership:
    Identify the person responsible for addressing and updating each issue, like a security analyst. Ensure everyone involved has the authority and resources needed to carry out their assigned remediation tasks.
  3. Estimate resources and funding:
    Define the cost, personnel, and any external support needed to close the item.
  4. Set milestones and completion dates:
    Establish realistic, auditable deadlines that align with the organization’s risk tolerance.
  5. Define evidence and closure criteria:
    Specify what documentation or verification will prove completion, such as policy updates, configuration records, or log entries.
  6. Approve and baseline the POA&M:
    “Leadership should formally approve the POA&M to document accountability and compliance with DFARS 7012, the DoD requirement for protecting controlled information and reporting cyber incidents,” says Lumpkin.

    “You need to get executive buy-in,” adds Harnagel. “Someone in leadership needs to support the process — ideally a compliance lead who has the authority to set priorities and budgets. The lower-level folks can identify issues, but you need someone higher up to drive timelines and get things done. Otherwise, the POA&M just becomes checkboxes on a list.”
  7. Track, monitor, and update:
    Maintain version control and update progress at regular intervals. Each update must reflect the true status.
  8. Verification and validation:
    Verify that you’ve completed the remediation and archive the evidence for review.

Download our free CMMC POA&M template to organize and track your remediation work. It includes every NIST-required field, along with expert-recommended details to make your POA&M more effective and audit-ready.

Our expert-vetted POA&M template includes a dedicated row for each security control under remediation, with key fields for budget, milestones, current status, and more. Field descriptions help teams document consistently and meet NIST reporting expectations.

Download your free POA&M template now to streamline your process, meet CMMC documentation requirements, and track your cybersecurity remediation over time.

Example of a CMMC POA&M

A complete CMMC POA&M lists each NIST security gap that needs remediation, along with details on budget, timeline, and responsible personnel. Each row corresponds to a security control under remediation. Our template includes filled-out examples to show how a finished POA&M should look.

Download our free POA&M template to see complete examples for various NIST security controls, including technical, administrative, and operational controls.

Our free CMMC POA&M Starter Kit has all the resources you need in a single place. It includes a fillable POA&M template, a cheat sheet, and a best-practice guide. It gives you everything you need to create an effective plan of action, meet compliance requirements, and support continuous monitoring and compliance.

Download your free CMMC POA&M Starter Kit to put expert guidance and proven tools into action for your next remediation plan.

Best practices for managing your CMMC POA&M

Keep your POA&M in a secure location, record every update, and use consistent evidence to demonstrate progress and fixes. Keep your notes clear and concise, and review the document often. These habits help keep your POA&M audit-ready and support strong cybersecurity across your organization.

Here's a list of best practices from cybersecurity experts Lumpkin and Harnagel that will help you get the most out of your POA&M and prepare for a CMMC audit:

  • Centralize your documentation:
    “Keep your POA&M in a controlled, centralized location that connects directly to your System Security Plan (SSP),” says Lumpkin. This best practice ensures that everyone involved refers to the same version, and that your POA&M aligns well with your SSP.

  • Standardize evidence:
    “It’s important that you include clear proof that you’ve addressed and remediated every closed item,” stresses Lumpkin. “That evidence can include updated policies, screenshots, change tickets, or log entries.”

  • Focus on clarity, not volume:
    “You don’t need to get super detailed in your POA&Ms,” says Harnagel. “The key is showing you understand the deficiency and have a plan to fix it. For example, if your access review process is weak, all you need to write is ‘We’ll improve quarterly access reviews per ISO standards,’ and assign an owner. The auditor just needs to see that you’ve identified the issue and have a plan to follow through.”

    He continues, “The right amount of detail depends on the issue. Technical fixes often need more explanation, but for compliance purposes, the auditor will confirm completion during the closeout assessment. The POA&M is simply your commitment to address the problem — it only needs to be specific if that helps you stay organized.”

  • Maintain version control:
    Date every update and keep prior versions for reference. “Version control shows the evolution of your remediation process and helps maintain transparency during assessments,” explains Lumpkin. “Auditors should be able to see what changed, when, and why.”

  • Tie it to governance:
    “Each POA&M item should tie directly to your organization’s risk register, which is the formal record of identified risks, their impact, likelihood, and mitigation plans,” says Lumpkin. This best practice ensures your remediation efforts address documented risks that leadership and security teams have already recognized.

  • Maintain your POA&M even outside of compliance:
    An effective POA&M is never a one-time project. Keep it current so it always reflects your organization’s real security posture. Update it as remediation work progresses and include verifiable evidence for every closed item. A living POA&M demonstrates continuous improvement and makes audits straightforward.

    “If an organization is strategic, a POA&M becomes a management framework for continuous improvement,” says Lumpkin. “A mature organization uses it not just to meet a requirement, but to prioritize risk, allocate funding, and measure progress across security initiatives. It creates an executive-level view of how compliance work aligns with business and mission priorities.”

  • Use AI-powered software to accelerate CMMC compliance:
    Use governance or ticketing tools that can track milestones and generate reports that are ready for audit at any time. The best tools include a POA&M manager dashboard to automate tracking, version control, and reporting.

    “Many organizations still manage remediation in Word documents or spreadsheets,” says Harnagel. “An integrated tracker, like those in AI-powered compliance tools such as Strike Graph, keeps controls, evidence, and timelines connected and makes audit documentation far easier to produce.”

Strike Graph’s all-in-one compliance platform helps you manage every part of CMMC in one place. You can outline controls, collect evidence, and track POA&Ms and remediation work seamlessly. Its AI-powered tools connect controls, evidence, and tasks to reduce manual effort, speed up compliance, and strengthen cybersecurity.

Sign up for your free 60-day access to Strike Graph and start your CMMC POA&M journey today. 

Strike Graph’s compliance software helps you manage every aspect of your CMMC process in a single, integrated dashboard. You can outline controls, collect evidence, and track POA&Ms through built-in workflows that make compliance faster, clearer, and easier to maintain. Its AI-powered tools automatically connect controls, evidence, and remediation tasks, reducing manual work and helping your team stay audit-ready. Every item links directly to the relevant NIST requirement, giving you a complete view of what is compliant, what needs work, and who is responsible.

Because every compliance program is unique, Strike Graph lets you customize your environment and reuse evidence across controls or frameworks, so your documentation process stays efficient and consistent.

Schedule a demo today to see how Strike Graph can help you move through CMMC compliance with clarity and confidence.

CMMC security plan FAQs

When are POA&Ms allowed in CMMC?
Organizations seeking CMMC Level 2 or CMMC Level 3 compliance can use a POA&M to receive conditional status for 180 days. To qualify, they must score at least 80% on the assessment and meet all critical controls that the DoD requires. 

Which CMMC controls cannot be put in a POA&M?
At Level 2, organizations cannot include controls worth more than one point, or any requirement tied to protecting Controlled Unclassified Information (CUI), in a POA&M. At Level 3, the DoD specifies seven controls that must be met at assessment.

Here's more about the CMMC controls that the DoD does not allow in a POA&M:

Level 2:

  • Security controls with a point value greater than one:
    Organizations seeking Level 2 compliance cannot include security requirements in the POA&M that have a point value of greater than 1 as specified in the CMMC Scoring Methodology. The only exception is “SC.L2-3.13.11 CUI Encryption,” which may appear on a POA&M only if encryption is implemented but not FIPS-validated (FIPS 140-3 or 140-2).

  • None of the following one-point controls:
    Even though these have a point value of one, the DoD does not allow them on the Level 2 POA&M, because they consider them critical to protecting CUI.

    AC.L2-3.1.20 External Connections (CUI Data).
    AC.L2-3.1.22 Control Public Information (CUI Data).
    CA.L2-3.12.4 System Security Plan.
    PE.L2-3.10.3 Escort Visitors (CUI Data).
    PE.L2-3.10.4 Physical Access Logs (CUI Data).
    PE.L2-3.10.5 Manage Physical Access (CUI Data).


Level 3:
Under the final rule (32 CFR Part 170), Level 3 includes 24 selected NIST SP 800-172 requirements and seven that cannot be placed on a POA&M:

IR.L3-3.6.1e Security Operations Center.
IR.L3-3.6.2e Cyber Incident Response Team.
RA.L3-3.11.1e Threat-Informed Risk Assessment.
RA.L3-3.11.6e Supply Chain Risk Response.
RA.L3-3.11.7e Supply Chain Risk Plan.
RA.L3-3.11.4e Security Solution Rationale.
SI.L3-3.14.3e Specialized Asset Security.
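To make the Level 2 rules concrete (the 88-point floor from the 80% threshold section earlier and the POA&M exclusions listed just above), here is an added Python check; it is not part of the article and not a DoD or SPRS tool. It assumes the SPRS score is 110 minus the point value of every NOT MET requirement, and the point values attached to the constructed sample findings are illustrative rather than the official weights from the CMMC Scoring Methodology.

```python
from dataclasses import dataclass

MAX_SCORE = 110           # 110 NIST SP 800-171 controls, full credit before deductions
CONDITIONAL_FLOOR = 88    # 80 percent of 110, the article's threshold for conditional status

# One-point requirements the article lists as never allowed on a Level 2 POA&M.
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
CUI_ENCRYPTION = "SC.L2-3.13.11"   # the single multi-point exception the article describes


@dataclass(frozen=True)
class Finding:
    """A requirement scored NOT MET at assessment."""
    control: str
    points: int                        # 1, 3 or 5 under the scoring methodology
    non_fips_encryption: bool = False  # SC.L2-3.13.11 only: encryption in place but not FIPS-validated


def sprs_score(findings: list[Finding]) -> int:
    """Assumed scoring: start at 110 and deduct each NOT MET control's point value."""
    return MAX_SCORE - sum(f.points for f in findings)


def poam_allowed(f: Finding) -> bool:
    """Apply the article's Level 2 POA&M rules to one finding."""
    if f.control in NEVER_ON_POAM:
        return False                   # one point, but critical to protecting CUI
    if f.control == CUI_ENCRYPTION:
        return f.non_fips_encryption   # allowed only when encryption exists but is not FIPS-validated
    return f.points == 1               # everything else must be a one-point requirement


def conditional_status(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for Conditional CMMC Status at Level 2."""
    reasons: list[str] = []
    score = sprs_score(findings)
    if score < CONDITIONAL_FLOOR:
        reasons.append(f"SPRS score {score} is below the {CONDITIONAL_FLOOR}-point floor")
    blockers = sorted(f.control for f in findings if not poam_allowed(f))
    if blockers:
        reasons.append("must be MET at assessment, cannot go on the POA&M: " + ", ".join(blockers))
    return (not reasons, reasons)


# Constructed sample findings; point values are illustrative, not the official weights.
ELIGIBLE_SAMPLE = [
    Finding("AU.L2-3.3.3", 1),
    Finding("CM.L2-3.4.9", 1),
    Finding(CUI_ENCRYPTION, 3, non_fips_encryption=True),
]
BLOCKED_SAMPLE = ELIGIBLE_SAMPLE + [
    Finding("IA.L2-3.5.3", 5),     # multifactor authentication: worth more than one point
    Finding("CA.L2-3.12.4", 1),    # one point, but on the article's exclusion list
]

if __name__ == "__main__":
    for label, sample in (("eligible", ELIGIBLE_SAMPLE), ("blocked", BLOCKED_SAMPLE)):
        ok, reasons = conditional_status(sample)
        print(f"{label}: score={sprs_score(sample)} conditional={ok} {reasons}")
```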

How does a POA&M relate to a System Security Plan (SSP) for CMMC compliance?
The System Security Plan (SSP) explains how a company implements required security controls and is assessed and required at Level 2. For Level 1, there are no explicit documentation requirements for the self-assessment. A POA&M complements the SSP by detailing how the company will remediate security gaps and achieve Final CMMC Status.

Who is responsible for the CMMC POA&M?
The organization seeking CMMC compliance is usually responsible for drafting and maintaining the POA&M. Usually, the internal security staff drafts the POA&M, and external leaders approve. For Level 2 (Self), no C3PAO approval step applies; for Level 2 (C3PAO) and Level 3, assessors review POA&M items as part of the assessment process. 

How are POA&Ms closed out?
A company closes out a POA&M after it remediates all issues and an assessor verifies the POA&M in a closeout certification assessment. The DoD then grants full CMMC certification. Organizations have 180 days from the date of conditional status to close out the POA&M.

What are the consequences of failing to close out a POA&M on time?
If a company fails to close out a POA&M within 180 days, the DoD expires the organization’s conditional status. It must restart the process and undergo a full assessment to regain status.

How often should a POA&M be updated?
A company should update its POA&M whenever it identifies new security gaps or changes its remediation plan. Regularly updating your POA&M demonstrates your company's commitment to continuous monitoring.

How do we ensure our POA&M is effective?
Make your POA&M effective by following key best practices. Prioritize important issues, set realistic budgets, and gain leadership support. Treat the POA&M as a key cybersecurity document, not just a checklist for compliance.

Why are CMMC POA&Ms important for DoD contractors?
CMMC POA&Ms allow contractors to bid on DoD contracts while they fix security gaps. Without POA&Ms, contractors must meet every requirement immediately or restart the process. POA&Ms also help contractors track issues and stay committed to long-term compliance.

How does CISA relate to CMMC POA&Ms?
CISA is a federal agency that helps public and private groups prevent and respond to cyberattacks. CISA isn’t directly related to CMMC, but both use POA&Ms to track and improve cybersecurity.

How do SOC 2 and SSAE-16/SSAE-18 relate to POA&Ms?
SSAE-16 (superseded by SSAE-18) is the auditing standard behind SOC 1 and SOC 2 reports. While those frameworks don’t require a formal POA&M, many organizations use a similar plan-of-action format to track remediation of control deficiencies discovered during SOC readiness or audit reviews.

What’s next for CMMC—and how will POA&Ms factor into future updates?
POA&Ms are now a permanent part of CMMC 2.0, giving contractors limited time to close out cybersecurity gaps after an assessment. As the Department of Defense refines the framework, contractors can expect POA&Ms to remain central to demonstrating ongoing risk management and continuous improvement.

To understand how these changes fit into the broader federal security landscape, listen to former National Risk Management Center Director Bob Kolasky on Strike Graph’s Secure Talk podcast: The Future of CMMC: Surviving the New Federal Security Landscape.

Kolasky discusses how CMMC 2.0 aligns with government-wide cybersecurity initiatives, why POA&Ms are a practical bridge between compliance and risk management, and what defense contractors can do now to prepare for evolving requirements.
