The Plan of Action and Milestones is the most misunderstood document in CMMC compliance. Some contractors treat it as a parking lot for problems they do not want to fix. Others avoid it entirely, thinking any open item means automatic failure. The reality is more nuanced. A well-constructed POA&M demonstrates organizational maturity and honest self-assessment. A poorly constructed one tells the C3PAO that you do not understand your own security gaps. Here is how to build one that works.
POA&M Under CMMC: The Rules
CMMC treats POA&Ms differently than the NIST SP 800-171 DoD Assessment Methodology (DFARS 252.204-7019/7020) did. Under that regime you could carry POA&M items indefinitely; the only consequence was a lower SPRS score. Under CMMC (32 CFR Part 170), the rules are strict:
CMMC POA&M Rules
180-Day Closeout Window
All POA&M items must be remediated, and the closeout assessment completed, within 180 days of the Conditional certification. The rule provides no extension: if the POA&M is not closed out in time, the Conditional status expires and the organization is back to square one.
Not All Practices Are POA&M-Eligible
Certain foundational practices cannot be placed on a POA&M. If these are NOT MET, the assessment results in a failure, not a Conditional.
Closeout Assessment Required
After remediating POA&M items, the C3PAO must conduct a closeout assessment to verify remediation before converting the Conditional certification to Final. (For a Level 2 self-assessment the organization performs the closeout itself and affirms the result in SPRS.)
Quantity Matters, and the Score Caps It
A Conditional requires an assessment score of at least 88 of 110 (32 CFR 170.21), and only 1-point requirements are POA&M-eligible, so in practice no more than 22 points' worth of NOT MET requirements can be open. Well short of that cap, a long list signals systemic implementation failure rather than isolated gaps.
Practices That Cannot Be on a POA&M
The CMMC rule (32 CFR 170.21) identifies certain requirements as so fundamental that a NOT MET finding results in automatic assessment failure rather than a Conditional. In general, any requirement worth 3 or 5 points in the CMMC scoring methodology cannot be deferred to a POA&M. You must have them fully implemented before the assessment:
Practice Areas That Cannot Be Deferred (and the One Partial Exception)
FIPS-Validated Cryptography
SC.L2-3.13.11 (CUI encryption) is a 5-point requirement, so if CUI is not encrypted at all it cannot be deferred and the assessment fails. The rule carves out one exception: if encryption is employed but the module is not FIPS 140-validated, the requirement may be placed on a POA&M, scored as a 3-point deduction rather than 5. Verify your modules against the NIST CMVP validated-module list before the assessment; a vendor claim of "FIPS-compliant" or "FIPS mode" without a validation certificate does not count.
Multi-Factor Authentication
IA.L2-3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. It is a multi-point requirement and is not POA&M-eligible: partial MFA deployment, or MFA that does not cover every required access path (VPN, RDP, jump hosts, SaaS consoles), is a failure.
Access Control Fundamentals
Basic access control mechanisms must be in place. If you cannot demonstrate that access to CUI is limited to authorized users, the assessment fails.
Audit Logging
Core audit logging must be operational. If you cannot demonstrate that security-relevant events are being captured and retained, this is a fundamental gap.
The authoritative eligibility rules are in 32 CFR 170.21: no requirement worth more than 1 point may be on a Level 2 POA&M (except the SC.L2-3.13.11 case above), and seven requirements are barred regardless of point value: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5 and SI.L2-3.14.2. Review the rule and the point values in 32 CFR 170.24 carefully during your preparation.
Severity Classification
Every POA&M item should be classified by severity. This classification drives remediation priority and signals to the assessor that you understand the relative risk of each gap. Here is the classification framework I recommend:
POA&M Severity Classification
| Severity | Definition | Target Remediation | Assessor Tolerance |
|---|---|---|---|
| Critical | Direct CUI exposure risk. Exploitable vulnerability in a CUI-processing system. | 30 days | Very low |
| High | Significant control gap that weakens CUI protection. Compensating controls may partially mitigate. | 60 days | Low |
| Medium | Control partially implemented. Gap is documented and compensating controls reduce risk. | 120 days | Moderate |
| Low | Minor documentation or process gap. Technical control is in place but evidence or procedure needs improvement. | 180 days | Higher |
Building Credible Remediation Milestones
The milestones in your POA&M are where assessors separate credible plans from wishful thinking. A milestone that says "implement MFA by Q3" is not credible. A milestone that says "deploy Azure AD Conditional Access Policy requiring Microsoft Authenticator for all CUI enclave users by June 15, 2026, with IT Security team lead responsible" is credible. Here is the formula:
The SMART Milestone Formula for POA&Ms
- Specific: Name the exact action, tool, or configuration change.
- Measurable: Define what "done" looks like in verifiable terms.
- Assigned: Name the person or role responsible.
- Realistic: The timeline must be achievable given your resources.
- Time-bound: Specific date, not a quarter or "soon."
POA&M Milestone Examples
Weak Milestone (Will Be Flagged)
Too vague. What encryption? Which systems? What does "Q3" mean specifically? Who in IT is responsible?
Strong Milestone (Credible)
Specific tool, specific scope, specific verification method, specific date, specific owner.
How Many Open Items Will a C3PAO Accept?
There is no official maximum count of POA&M items, but there is a hard floor on the score: 32 CFR 170.21 requires at least 88 of 110 points for a Conditional, and since eligible items are 1-point requirements, that is at most 22 open items. Below that floor, the practical reality is that the number and nature of open items significantly influence the assessment outcome. Here is the general guidance based on what I have observed:
POA&M Item Thresholds (Practical Guidance)
Acceptable Range
A small number of well-documented, low-to-medium severity items with credible remediation plans. This is normal and expected. Most organizations have some gaps.
Elevated Scrutiny
The assessor will examine each item carefully. If most are low severity with strong remediation plans, a Conditional certification is likely. If several are high severity, the assessment may fail.
High Risk of Failure
This many open items suggests systemic implementation gaps rather than isolated issues. The assessor may determine that the organization is not ready for certification.
Almost Certain Failure
More than 22 points of NOT MET requirements (a score below 88 of 110) is not a judgment call; 32 CFR 170.21 does not permit a Conditional at all. An organization in that range is not assessment-ready. The recommendation is to withdraw, remediate, and reassess.
Time-Bound vs. Open-Ended Items
Every POA&M item under CMMC must be time-bound. Open-ended items are not acceptable. But "time-bound" does not just mean slapping a date on it. The timeline must be credible given the complexity of the remediation and the resources available.
Configuration Changes: 30-60 Days
If the remediation is a configuration change (enable a setting, deploy a policy, update a rule), 30-60 days is credible. Longer timelines for simple configuration changes raise questions about organizational capability.
Tool Deployment: 60-120 Days
If the remediation requires deploying a new tool (SIEM, EDR, DLP), 60-120 days is credible. This accounts for procurement, installation, configuration, and testing.
Process Changes: 60-90 Days
If the remediation requires establishing a new process (access reviews, audit log reviews, incident response procedures), 60-90 days is credible. This accounts for process design, documentation, training, and initial execution.
Architecture Changes: 120-180 Days
If the remediation requires architectural changes (network segmentation, enclave redesign, cloud migration), 120-180 days may be credible. These are the items that push against the 180-day limit and require careful planning. Remember that the closeout assessment itself must also finish inside the 180 days, so a milestone dated on day 180 leaves no time to produce evidence and get it verified; plan to land architecture changes by roughly day 150.
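The eligibility rules, the severity targets from the table above, the SMART milestone formula and the 180-day window are all mechanical checks, so they can be run over a POA&M before the assessor does. The script below is an added illustration, not part of the original article or any official CMMC tool. It assumes POA&M items are held as simple records (the `PoamItem` dataclass is hypothetical), that the Conditional certification date is known, and that point values are taken from 32 CFR 170.24; the four sample items and their point values are constructed for the example.

```python
"""Check a CMMC Level 2 POA&M against the closeout and eligibility rules.

Added example, not the article's or any official tool. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_SCORE = 88        # 0.8 x 110, 32 CFR 170.21(a)(2)(i)
CLOSEOUT_WINDOW_DAYS = 180        # POA&M closeout window after the Conditional

# Target remediation windows from the severity table (days after the Conditional).
SEVERITY_TARGET_DAYS = {"Critical": 30, "High": 60, "Medium": 120, "Low": 180}

# Requirements 32 CFR 170.21(a)(2)(iii) bars from a Level 2 POA&M outright.
ALWAYS_EXCLUDED = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5", "SI.L2-3.14.2",
})
# May sit on a POA&M only when encryption is employed but not FIPS-validated.
FIPS_EXCEPTION = "SC.L2-3.13.11"

# Milestone tokens that are not a date (the "by Q3" / "soon" anti-pattern).
VAGUE_TOKENS = {"q1", "q2", "q3", "q4", "soon", "asap", "tbd"}


@dataclass
class PoamItem:                        # hypothetical record layout
    requirement: str                   # CMMC practice identifier, e.g. "AU.L2-3.3.5"
    point_value: int                   # 1, 3 or 5 per 32 CFR 170.24
    severity: str                      # key of SEVERITY_TARGET_DAYS
    milestone: str                     # the SMART milestone text
    owner: str = ""                    # accountable person or role; empty = unassigned
    target_date: date | None = None    # None = open-ended (not allowed)
    encryption_employed: bool = False  # only meaningful for SC.L2-3.13.11


def point_deduction(item: PoamItem) -> int:
    """Points a NOT MET item subtracts from the 110-point score.
    Encryption that is employed but not FIPS-validated costs 3 rather than 5."""
    if item.requirement == FIPS_EXCEPTION and item.encryption_employed:
        return 3
    return item.point_value


def check_item(item: PoamItem, conditional_date: date) -> list[str]:
    """Return the reasons an assessor would flag this item; empty means clean."""
    findings: list[str] = []

    # 1. Eligibility: can this requirement be on a POA&M at all?
    if item.requirement in ALWAYS_EXCLUDED:
        findings.append("not POA&M-eligible: named in 32 CFR 170.21(a)(2)(iii)")
    elif item.point_value > 1 and not (
        item.requirement == FIPS_EXCEPTION and item.encryption_employed
    ):
        findings.append(f"not POA&M-eligible: {item.point_value}-point requirement")

    # 2. Assigned: a named owner or role.
    if not item.owner.strip():
        findings.append("unassigned: no owner or responsible role")

    # 3. Time-bound: a real date, inside both the closeout window and the severity target.
    closeout_deadline = conditional_date + timedelta(days=CLOSEOUT_WINDOW_DAYS)
    if item.target_date is None:
        findings.append("open-ended: no target date")
    else:
        if item.target_date > closeout_deadline:
            findings.append(f"target {item.target_date} is after closeout deadline {closeout_deadline}")
        target_days = SEVERITY_TARGET_DAYS.get(item.severity)
        if target_days is None:
            findings.append(f"unknown severity {item.severity!r}")
        elif item.target_date > conditional_date + timedelta(days=target_days):
            findings.append(f"target exceeds the {target_days}-day window for {item.severity} severity")

    # 4. Specific: quarter names and filler words are not milestones.
    tokens = set(re.findall(r"[a-z0-9]+", item.milestone.lower()))
    if tokens & VAGUE_TOKENS:
        findings.append("vague milestone wording: replace quarter/'soon' language with a date and a named action")
    return findings


def check_poam(items: list[PoamItem], conditional_date: date) -> dict:
    """Score the POA&M and decide whether a Conditional is even possible."""
    score = TOTAL_REQUIREMENTS - sum(point_deduction(i) for i in items)
    findings = {i.requirement: check_item(i, conditional_date) for i in items}
    ineligible = any("not POA&M-eligible" in f for fs in findings.values() for f in fs)
    return {"score": score,
            "conditional_allowed": score >= MIN_CONDITIONAL_SCORE and not ineligible,
            "findings": findings}


# Constructed sample POA&M; point values and dates are illustrative only.
CONDITIONAL_DATE = date(2026, 6, 1)
SAMPLE_POAM = [
    PoamItem("AU.L2-3.3.5", 1, "Medium",
             "Enable the SIEM correlation rule joining VPN and CUI file-server audit logs; "
             "verified by one correlated alert in the evidence folder",
             owner="SOC lead", target_date=date(2026, 9, 1)),
    PoamItem("IA.L2-3.5.3", 3, "Critical", "Implement MFA by Q3"),
    PoamItem("SC.L2-3.13.11", 5, "High",
             "Replace the TLS library on both CUI file servers with a CMVP-validated module; "
             "verified by certificate number recorded in the SSP",
             owner="IT Security lead", target_date=date(2026, 12, 15), encryption_employed=True),
    PoamItem("PE.L2-3.10.3", 1, "Low",
             "Publish the visitor escort procedure and sign-in log; verified by a month of signed logs",
             owner="Facilities manager", target_date=date(2026, 7, 15)),
]

if __name__ == "__main__":
    result = check_poam(SAMPLE_POAM, CONDITIONAL_DATE)
    print(f"score {result['score']}/110, conditional allowed: {result['conditional_allowed']}")
    for req, fs in result["findings"].items():
        print(req, "OK" if not fs else "; ".join(fs))
```

Run against the sample, the script reports a score of 102, which clears the 88-point floor, yet still returns `conditional_allowed = False`: the MFA item is a 3-point requirement and the visitor-escort item is on the excluded list, so neither can be deferred no matter how good the rest of the plan looks. The FIPS item passes eligibility only because `encryption_employed` is true, but its December date lands after the 28 November closeout deadline and well past the 60-day High-severity target, which is exactly the kind of milestone an assessor will push back on.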
POA&M Maintenance Best Practices
A POA&M is not a static document. It should be reviewed and updated regularly, especially during the 180-day Conditional period:
POA&M Review Cadence
Weekly
Review progress on active remediation items. Update status and completion percentages. Identify blockers.
Monthly
Formal POA&M review with leadership. Assess whether timelines are on track. Reallocate resources if needed. Document review in meeting minutes.
At Closeout
Verify all items are remediated with evidence. Prepare evidence package for C3PAO closeout assessment. Update SSP to reflect remediated state.
The Bottom Line
The POA&M is not a sign of weakness. It is a sign of honest self-assessment and organizational maturity. The contractors who fail their CMMC assessments are not the ones with a few well-documented POA&M items. They are the ones who either have no POA&M (pretending everything is perfect) or have a POA&M full of vague, undated, unassigned items that demonstrate no real plan to remediate. Build your POA&M with the same rigor you apply to your technical controls, and it becomes an asset rather than a liability.
Need Help Building a Credible POA&M?
AeoliTech's gap assessments identify exactly which practices need POA&M treatment and help you build remediation plans that assessors find credible.
Leonard Esere
Founder & CEO, AeoliTech
Leonard has built and reviewed hundreds of POA&Ms across federal and defense environments. His experience at LANL and MITRE informs a practical, assessor-aware approach to remediation planning.