CMMC POA&M Guide: What You Can and Can't Fix After Your Assessment

Cubelet AI ·
CMMC POA&M cybersecurity compliance DoD CUI assessment readiness

A Plan of Action and Milestones (POA&M) is a document that identifies security weaknesses and your plan to remediate them. Under CMMC, POA&Ms have strict rules about what they can and cannot cover.

Understanding these rules before your assessment is critical. A miscalculation about what's POA&M-eligible can mean the difference between conditional certification and failure.

What Is a POA&M?

A POA&M documents:

  • The weakness: Which practice is not fully implemented
  • The planned fix: Specific actions to achieve full implementation
  • The timeline: Target completion date (must be within 180 days of assessment)
  • The resources: Budget, personnel, and technology needed
  • The milestones: Intermediate checkpoints to track progress

POA&Ms are not a free pass. They're a conditional acceptance with a hard deadline.

CMMC POA&M Rules

What's Allowed

Under the CMMC final rule (48 CFR), you may use POA&Ms for:

  • Practices that are partially implemented but not yet complete
  • Technical deficiencies that require technology procurement with lead time
  • Process gaps where the procedure exists but hasn't been fully tested
  • Documentation gaps where the control is operating but not formally documented

What's NOT Allowed

Certain practices cannot be placed on a POA&M. If these are NOT MET, you fail the assessment:

  • Practices weighted as highest priority in the assessment methodology
  • A total of more than a specified threshold of practices on POA&M
  • Any practice where the organization has no plan or capability to remediate

The specific list of non-POA&M-eligible practices is defined in the CMMC assessment guide. Generally, foundational controls like encryption of CUI, MFA for privileged access, and basic access control cannot be deferred.

The 180-Day Clock

All POA&M items must be closed within 180 days of the assessment. If they're not:

  • Your conditional certification status may be revoked
  • You may need to undergo a reassessment
  • Contract eligibility may be affected

This is not a soft deadline. The Cyber AB tracks POA&M closure and C3PAOs verify remediation.

Strategic Use of POA&Ms

Don't Plan to Use Them

The worst strategy is going into an assessment planning to use POA&Ms as a crutch. If your plan is "we'll POA&M anything we can't finish," you're:

  • Betting that the unfinished practices are POA&M-eligible (they might not be)
  • Adding 180 days of pressure to close items while maintaining all other controls
  • Risking reassessment costs if you can't close in time

Do Prepare for Them

The best strategy is to aim for 100% MET and have POA&Ms ready as a contingency:

  • Identify practices that are in-progress but might not finish before assessment day
  • Document the remediation plan, timeline, and resources before the assessment
  • Show the assessor that the gap is known, understood, and actively being addressed
  • Demonstrate partial implementation — "we have the technology deployed but haven't completed testing" is better than "we haven't started"

POA&M Documentation Quality

A Plan of Action and Milestones (POA&M) in CMMC is a tightly controlled, time-bound mechanism to document and remediate limited, lower-priority security weaknesses.

Key Points:

  • Purpose: Capture specific weaknesses, the planned fix, required resources, milestones, and a hard remediation deadline (within 180 days). It represents a conditional acceptance of risk, not a long-term exception.
  • What Can Go on a POA&M:
      • Partially implemented practices
      • Technical gaps that require new technology or upgrades
      • Process gaps where procedures exist but aren’t fully tested or mature
      • Documentation gaps where controls are operating but not formally documented
  • What Cannot Go on a POA&M:
      • Highest-priority (heavily weighted) practices
      • More than the allowed threshold of practices (per CMMC rule/contract)
      • Any practice where there is no realistic, resourced plan or capability to fix it
  • 180-Day Requirement:
      • Every POA&M item must be fully remediated and verified within 180 days.
      • Failure to close items on time can result in loss of conditional certification.
  • Strategy:
      • Don’t plan to rely on POA&Ms as a way to pass with major gaps.
      • Do prepare POA&Ms as a contingency: define concrete actions, realistic timelines, assigned owners, and pre-approved budget so they can be activated quickly if needed.
  • Common Mistakes to Avoid:
      1. Treating all gaps as POA&M-eligible
      2. Trying to write POA&Ms during the assessment instead of beforehand
      3. Defaulting everything to the full 180 days instead of realistic schedules
      4. Failing to assign accountable owners for each POA&M item
      5. Neglecting how closure will be verified and evidenced

Practicing your POA&M approach (for example, with tools like the Cubelet CMMC Simulator) helps ensure you use POA&Ms sparingly, correctly, and successfully under CMMC.

Ready to practice?

The CMMC Assessment Simulator covers all 110 Level 2 practices with AI-guided coaching.