Structuring a Plan of Action & Milestones that closes controls on time
Author: Leonard Esere, Senior Cybersecurity Engineer, CISSP, CCSP
Date: April 2026
Organization: Aeolitech
Abstract
The Plan of Action and Milestones (POA&M) is one of the most consequential artifacts in a defense contractor's compliance program, and one of the most frequently mismanaged. Under DFARS 252.204-7012, NIST SP 800-171 requirement 3.12.2 calls for a POA&M but sets no closure deadline; CMMC changes that. Under 32 CFR § 170.21 of the CMMC Final Rule, only specific 1-point requirements are eligible for POA&M status at the time of assessment, a minimum assessment score must be met, and every open item must be closed within 180 calendar days or the Conditional CMMC Status expires. This whitepaper provides a practitioner's guide to POA&M construction, documentation standards, governance cadence, integration with the System Security Plan (SSP), and the common failure patterns that result in conditional status expiration or False Claims Act exposure.
Table of Contents
1. What a POA&M Is — and What It Is Not
2. Regulatory Basis: 32 CFR § 170.21 and CMMC Final Rule
3. Which Controls Are POA&M-Eligible?
4. The 180-Day Closeout Requirement
5. POA&M Documentation Standards and Template
6. Integration with the System Security Plan
7. Governance Cadence and Review Cycle
8. Common POA&M Failures and How to Prevent Them
9. Lessons from Continuous Monitoring Practice
10. POA&M in the FCA Enforcement Context
11. About the Author
12. References
13. Next Steps
1. What a POA&M Is — and What It Is Not
A Plan of Action and Milestones (POA&M) is a formal document that identifies security control deficiencies in an information system, describes the resources required to correct those deficiencies, establishes scheduled completion milestones, and tracks actual progress against those milestones. The term originates in OMB Circular A-130 and NIST SP 800-37, and has long been a standard component of the Risk Management Framework (RMF) for federal information systems.
In the CMMC context, the POA&M serves a more constrained and consequential function. It is not:
- A permission slip to operate with known security gaps indefinitely.
- A mechanism to defer high-risk controls past the assessment date.
- A substitute for the minimum baseline implementation required to achieve a CMMC status.
- Evidence of compliance — it is evidence of acknowledged non-compliance.
What it is: a time-bounded commitment to remediate documented deficiencies under strict regulatory conditions, enabling contractors to achieve Conditional CMMC Status rather than full status when select, eligible controls have not yet been fully implemented.
The stakes are real. A POA&M that is aspirational rather than achievable, underfunded, or structured around ineligible controls will result in either a failed assessment, loss of conditional status, or — if submitted to SPRS without the underlying evidence — FCA exposure.
2. Regulatory Basis: 32 CFR § 170.21 and CMMC Final Rule
The operative rule governing POA&M eligibility and closeout under CMMC is 32 CFR § 170.21, part of the CMMC Program rule (32 CFR Part 170) published in October 2024 and effective December 16, 2024. The companion acquisition rule (48 CFR, DFARS clause 252.204-7021) took effect November 10, 2025, which is when CMMC requirements began appearing in solicitations and contracts under the phased rollout.
The framework establishes different POA&M rules by CMMC level:
| CMMC Level | POA&M Permitted? | Conditions |
|---|---|---|
| Level 1 (Self-Assessment) | No | POA&M not permitted at any time |
| Level 2 (Self-Assessment) | Conditionally | Score ÷ 110 ≥ 0.8; only 1-point requirements (one exception, SC.L2-3.13.11); six requirements excluded by name |
| Level 2 (C3PAO Certification) | Conditionally | Same threshold and exclusion criteria as the Level 2 self-assessment |
| Level 3 (DCMA DIBCAC) | Conditionally | Requires a Final Level 2 (C3PAO) status first; score ÷ total Level 3 requirements (24) ≥ 0.8; seven Level 3 requirements excluded by name |
The threshold is computed as (assessment score) ÷ (total number of requirements at the applicable level) ≥ 0.8. The assessment score is not a count of implemented requirements: under § 170.24 it starts at the total (110 for Level 2) and deducts 1, 3, or 5 points for each NOT MET requirement according to its weight. For Level 2 the threshold is therefore a score of at least 88 out of 110, that is, no more than 22 points of deductions. Because every POA&M-eligible requirement is worth 1 point (3 for the SC.L2-3.13.11 exception), an organization entering a Level 2 assessment can leave at most 22 requirements open (or 19 plus the encryption exception), and every 3- and 5-point requirement must already be MET.
3. Which Controls Are POA&M-Eligible?
This is the most consequential determination in POA&M planning, and the one most commonly misunderstood.
General Eligibility Rule
Under 32 CFR § 170.21(a)(2)(ii), a Level 2 requirement may be placed on a POA&M only if it has a point value of 1 in the CMMC Scoring Methodology (32 CFR § 170.24). Requirements weighted at 3 or 5 points are not POA&M-eligible and must be MET before the assessment.
The one documented exception: SC.L2-3.13.11 CUI Encryption, a 5-point requirement, may be placed on a POA&M when encryption is employed but is not yet FIPS-validated; in that state § 170.24 scores it at 3 points rather than 5. The exception is narrow. It covers the transition from non-validated to FIPS 140-2/140-3 validated modules, not the absence of encryption.
Explicitly Excluded Controls (Level 2)
Independently of point value, the following six requirements are excluded from POA&M eligibility by name under 32 CFR § 170.21(a)(2)(iii); they must be MET at assessment time:
| Control ID | Control Name | Why It Is Excluded (practical rationale) |
|---|---|---|
| AC.L2-3.1.20 | External Connections | Controls the boundary where CUI leaves the system |
| AC.L2-3.1.22 | Control Public Information | Prevents unauthorized public disclosure of CUI |
| CA.L2-3.12.4 | System Security Plan | The foundational assessment artifact; without an SSP the assessment cannot be conducted at all |
| PE.L2-3.10.3 | Escort Visitors | Basic physical security for CUI areas |
| PE.L2-3.10.4 | Physical Access Logs | Accountability for physical access to CUI |
| PE.L2-3.10.5 | Manage Physical Access | Control of physical entry to CUI spaces |
Explicitly Excluded Controls (Level 3)
For CMMC Level 3 assessments conducted by DCMA DIBCAC, 32 CFR § 170.21(a)(3) excludes the following seven requirements from any POA&M:
| Control ID | Control Name |
|---|---|
| IR.L3-3.6.1e | Security Operations Center |
| IR.L3-3.6.2e | Cyber Incident Response Team |
| RA.L3-3.11.1e | Threat-Informed Risk Assessment |
| RA.L3-3.11.6e | Supply Chain Risk Response |
| RA.L3-3.11.7e | Supply Chain Risk Plan |
| RA.L3-3.11.4e | Security Solution Rationale |
| SI.L3-3.14.3e | Specialized Asset Security |
Practical Planning Implication
Before entering a C3PAO assessment, conduct a control-by-control pre-assessment to categorize each NOT MET finding as either: (a) must be remediated before assessment, or (b) eligible for POA&M. Controls in the first category must be closed before the assessment date — there is no pathway to conditional status for ineligible controls.
4. The 180-Day Closeout Requirement
Under 32 CFR § 170.21(b), every POA&M item must be closed out within 180 calendar days of the Conditional CMMC Status Date, the date on which Conditional status was granted. The window is not extendable. If any item remains open when the 180 days elapse, the Conditional status expires, and the organization must undergo a new full assessment to regain any CMMC status; the closeout assessment pathway is no longer available.
Closeout Assessment Process
A POA&M Closeout Assessment is required to confirm closure — it is not sufficient for the organization to simply declare controls implemented. The process differs by level:
| Level | Closeout Assessor | Nature of Assessment |
|---|---|---|
| Level 2 Self-Assessment | Organization (OSA) performs its own closeout | Same methodology as initial self-assessment |
| Level 2 C3PAO Certification | The certifying C3PAO performs closeout | C3PAO visit (may be on-site) to assess only NOT MET controls |
| Level 3 DCMA DIBCAC | DCMA DIBCAC performs closeout | Government-conducted assessment of NOT MET controls |
For Level 2 C3PAO certifications, the closeout assessment requires re-engaging the C3PAO, scheduling an assessment window, and potentially incurring an additional assessment fee. This timeline must be built into POA&M planning from day one.
The 180-Day Planning Horizon
When a conditional certification is granted, the 180-day clock starts immediately. To close on time, organizations must:
- Back-plan from day 180: allow 30–45 days to schedule and execute the closeout assessment, which means remediation must be substantially complete by day 135–150.
- Reserve days 150–180 for evidence assembly, the closeout assessment itself, and posting of the result (SPRS for a self-assessment; CMMC eMASS, via the C3PAO, for a certification).
A practical caution: many organizations that achieve Conditional Level 2 status underestimate the C3PAO scheduling lead time for closeout assessments. C3PAO capacity is constrained, and lead times of 6–10 weeks are common. Request the closeout slot in week 12–14 of the window (roughly day 80–100); a 6–10 week lead time from there lands the assessment around day 120–170, inside the window but with little slack.
5. POA&M Documentation Standards and Template
A well-structured POA&M is not merely a spreadsheet of open items — it is a risk management document that demonstrates active, funded, and scheduled remediation. Each entry must contain sufficient detail to demonstrate good faith effort and enable third-party verification.
Required Columns and Field Definitions
| Column | Description | Notes |
|---|---|---|
| Control ID | CMMC / NIST SP 800-171 requirement identifier | e.g., AC.L2-3.1.8, AC.L2-3.1.10 (1-point requirements; an excluded ID such as AC.L2-3.1.20 or a 5-point one such as IA.L2-3.5.3 cannot appear here) |
| Control Name | Human-readable requirement title | e.g., Session Lock |
| Weakness / Gap Description | Specific description of what is not implemented | Be precise — "MFA not implemented for VPN remote access on System X" not "MFA gap" |
| Current Implementation Status | Percentage or qualitative status | e.g., 0%, 50% (policy exists, tooling not deployed) |
| Scheduled Completion Date | Target date for full implementation | Must be within 180-day window |
| Resources Required | Personnel, tools, budget, vendors | Include estimated cost and FTE effort |
| Responsible POC | Named individual accountable for remediation | Not a team or department — a named person |
| Milestones | Intermediate checkpoints with dates | Minimum 2–3 milestones for complex items |
| Milestone Status | Current completion status of each milestone | Updated at each governance review cycle |
| Actual Completion Date | Date control was confirmed fully implemented | Leave blank until verified closed |
| Closure Evidence | Reference to evidence artifacts | Policy doc version, screenshot, log excerpt, vendor attestation |
| Risk Rating | Risk to mission if control remains unimplemented | High/Medium/Low with brief justification |
Sample POA&M Entry
The sample uses a 1-point requirement (AC.L2-3.1.10). A 3- or 5-point requirement such as IA.L2-3.5.3 Multi-Factor Authentication could not be entered here at all; it would have to be MET before the assessment (see Section 3).
```
Control ID: AC.L2-3.1.10
Control Name: Session Lock
Weakness Description: A pattern-hiding session lock after 15 minutes of inactivity
    is enforced by Group Policy on domain-joined endpoints, but 14 stand-alone
    engineering workstations in the CUI enclave have no enforced inactivity lock.
Current Status: 75% (policy approved and enforced on domain-joined endpoints;
    not yet enforced on the 14 stand-alone workstations)
Scheduled Completion: June 15, 2026 (Day 147 of the conditional window)
Resources Required: No new licensing; 2 hours IT staff per workstation for
    configuration and verification (28 hours total).
Responsible POC: J. Morales, IT Security Manager (backup POC: R. Chen, Systems Administrator)
Milestones:
- May 1: Enrol the 14 workstations in endpoint management; stage the lock policy
- May 20: Enforce and verify the lock on 7 of 14 workstations (lab systems first)
- Jun 10: Complete rollout to all 14; export per-host configuration
Milestone Status: Milestone 1 IN PROGRESS (9 of 14 workstations enrolled)
Actual Completion: [Blank, pending]
Closure Evidence: Endpoint management policy export + per-host configuration
    export showing the inactivity timeout and pattern-hiding lock, plus a
    dated screenshot of the locked screen on a sample host.
Risk Rating: Medium. Unattended, unlocked sessions in a shared engineering
    space expose CUI to walk-up access by unauthorized persons.
```
6. Integration with the System Security Plan
The POA&M and SSP are companion documents — they describe the same system from complementary perspectives. The SSP describes what is implemented; the POA&M describes what is not yet implemented and the plan to remediate.
CMMC assessments record each requirement as MET, NOT MET, or NOT APPLICABLE; there is no PARTIALLY MET outcome (the only partial scoring is the reduced 3-point deduction § 170.24 allows for partial implementations of SC.L2-3.13.11 and IA.L2-3.5.3). Every requirement the SSP records as NOT MET should have a corresponding POA&M entry (subject to the eligibility rules), and every POA&M entry should reference the SSP section where the gap is documented. Requirements closed on the POA&M must be updated in the SSP to reflect full implementation; otherwise the SPRS score will not reflect actual posture.
SSP-POA&M Integration Checklist:
- [ ] Each POA&M entry cross-references the relevant SSP section and control boundary.
- [ ] POA&M identifies the specific system(s) (using SSP system names/IDs) affected by each gap.
- [ ] Completed POA&M items trigger SSP updates within 5 business days of closure confirmation.
- [ ] SPRS score is recalculated and updated in SPRS after each POA&M closure batch.
- [ ] SSP version history reflects all updates driven by POA&M closures.
7. Governance Cadence and Review Cycle
A POA&M that is created once and reviewed at the 180-day mark is not a compliance program — it is a compliance accident waiting to happen. Effective POA&M governance requires a structured review cadence that is fast enough to catch schedule slippage before it becomes terminal.
Recommended Review Cadence
| Review Type | Frequency | Participants | Outputs |
|---|---|---|---|
| Operational Status Check | Weekly | POC + IT/Security lead | Milestone completion status updated; blockers escalated |
| Program Review | Bi-weekly | CISO/Security Manager + POC owners | Schedule risk assessment; budget variance reviewed |
| Leadership Briefing | Monthly | Executive sponsor + CISO | Go/no-go on conditional status trajectory; resource decisions |
| External Validation | At 90 days | Independent consultant or internal audit (the certifying C3PAO cannot also advise on remediation for an organization it assesses) | Mid-point confidence check on evidence quality |
| Pre-Closeout Assessment | 30 days before deadline | CISO + all POC owners | Final evidence review; closeout assessment scheduled |
Schedule Risk Indicators
Flag the following as requiring immediate escalation:
- Any milestone more than 10 days late in the first 90 days of the 180-day window.
- Any POA&M item where the responsible POC has changed.
- Any POA&M item dependent on a vendor delivery with no confirmed delivery date.
- Budget constraints that have delayed procurement of required tools or services.
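To show how the Section 4 planning gates and the escalation indicators above combine into one mechanical check, here is an added example in Python (written for this edition of the page, not code from the rule text or from any vendor tool). The day-count gates, the 10-day tolerance in the first 90 days, and the backup-POC and vendor-dependency triggers are the ones stated on this page; the status date, item dates, POC names, and the rule that any lateness after day 90 escalates are assumptions constructed for the sample.

```python
"""Back-planning gates and schedule-risk flags for open POA&M items.

Everything is counted from the Conditional CMMC Status Date, which is day 0.
Gates follow Section 4 of the whitepaper; escalation triggers follow Section 7.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

WINDOW_DAYS = 180             # 32 CFR § 170.21(b)
REMEDIATION_GATE_DAY = 150    # remediation complete before the closeout window
CLOSEOUT_REQUEST_WEEK = 14    # ask the C3PAO for a closeout slot by this week
EARLY_LATE_TOLERANCE = 10     # days late that escalates within the first 90 days
EARLY_PHASE_END_DAY = 90


@dataclass
class Milestone:
    description: str
    due: date
    done: bool = False


@dataclass
class PoamItem:
    req_id: str
    poc: str
    scheduled_completion: date
    milestones: List[Milestone] = field(default_factory=list)
    backup_poc: Optional[str] = None
    vendor_dependency: bool = False
    vendor_date_confirmed: bool = False
    poc_changed: bool = False
    closed: bool = False


def gates(status_date: date) -> dict:
    """Calendar dates for the planning gates, given the Conditional CMMC Status Date."""
    return {
        "closeout_request_by": status_date + timedelta(weeks=CLOSEOUT_REQUEST_WEEK),
        "remediation_complete_by": status_date + timedelta(days=REMEDIATION_GATE_DAY),
        "conditional_expires": status_date + timedelta(days=WINDOW_DAYS),
    }


def day_number(status_date: date, d: date) -> int:
    """Day N of the window for calendar date d (the status date itself is day 0)."""
    return (d - status_date).days


def days_remaining(status_date: date, today: date) -> int:
    return WINDOW_DAYS - day_number(status_date, today)


def risk_flags(item: PoamItem, status_date: date, today: date) -> List[str]:
    """Escalation flags for one open item; an empty list means nothing to escalate."""
    if item.closed:
        return []
    flags = []
    g = gates(status_date)
    if item.scheduled_completion > g["conditional_expires"]:
        flags.append("scheduled completion is after day 180: cannot close inside the window")
    elif item.scheduled_completion > g["remediation_complete_by"]:
        flags.append("scheduled completion is after day 150: no room for the closeout assessment")
    elapsed = day_number(status_date, today)
    for m in item.milestones:
        if m.done or today <= m.due:
            continue
        late = (today - m.due).days
        if elapsed <= EARLY_PHASE_END_DAY and late > EARLY_LATE_TOLERANCE:
            flags.append(f"milestone '{m.description}' is {late} days late inside the first 90 days")
        elif elapsed > EARLY_PHASE_END_DAY:
            # Assumption: after day 90 any lateness is escalated, since the slack is gone.
            flags.append(f"milestone '{m.description}' is {late} days late after day 90")
    if item.poc_changed:
        flags.append("responsible POC has changed")
    if item.backup_poc is None:
        flags.append("no backup POC assigned")
    if item.vendor_dependency and not item.vendor_date_confirmed:
        flags.append("vendor dependency with no confirmed delivery date")
    return flags


# Constructed sample: the status date is chosen so that June 15, 2026 is day 147,
# matching the Section 5 sample entry. Names and dates are assumptions.
STATUS_DATE = date(2026, 1, 19)
SAMPLE_ITEMS = [
    PoamItem("AC.L2-3.1.10", "J. Morales", date(2026, 6, 15),
             milestones=[Milestone("enrol 14 workstations in endpoint management", date(2026, 3, 20)),
                         Milestone("enforce lock on 7 of 14", date(2026, 5, 20)),
                         Milestone("complete rollout", date(2026, 6, 10))],
             backup_poc="R. Chen"),
    PoamItem("AC.L2-3.1.8", "J. Morales", date(2026, 7, 25), vendor_dependency=True),
]


def dashboard(items: List[PoamItem], status_date: date, today: date) -> dict:
    """Per-item flags plus the headline numbers a leadership briefing needs."""
    return {
        "day": day_number(status_date, today),
        "days_remaining": days_remaining(status_date, today),
        "open_items": sum(1 for i in items if not i.closed),
        "flags": {i.req_id: risk_flags(i, status_date, today) for i in items},
    }


if __name__ == "__main__":
    for name, when in gates(STATUS_DATE).items():
        print(f"{name}: {when} (day {day_number(STATUS_DATE, when)})")
    print(dashboard(SAMPLE_ITEMS, STATUS_DATE, date(2026, 4, 5)))
```

Run against the sample on April 5, 2026 (day 76), the first item is flagged for a milestone 16 days late, and the second is flagged three times: a completion date after day 180, no backup POC, and an unconfirmed vendor date. Feeding the same function the live POA&M at each weekly status check gives the escalation list for the bi-weekly program review without anyone re-reading the spreadsheet.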
8. Common POA&M Failures and How to Prevent Them
Failure 1: Ineligible Controls on the POA&M
Scenario: Organization includes a 3- or 5-point requirement on the POA&M (e.g., IA.L2-3.5.3 Multi-Factor Authentication), or one of the six requirements excluded by name (e.g., CA.L2-3.12.4: with no SSP, the assessment cannot even be conducted).
Consequence: C3PAO assessment cannot proceed; or conditional status cannot be granted; or organization incorrectly believes it has a valid conditional certification.
Prevention: Run a POA&M eligibility screen before the assessment. Map each NOT MET requirement to its point value under § 170.24, check it against the exclusion list in § 170.21(a)(2)(iii), and confirm that the score still clears the 0.8 threshold once the ineligible items are closed.
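The pre-assessment screen called for in Section 3 and in the prevention step above, as an added example in Python (written for this edition of the page, not code from the rule text or from any GRC product). It applies the three § 170.21(a)(2) tests exactly as this page describes them. The NOT MET findings are a constructed sample; their point values are taken from the § 170.24 table and should be confirmed against the current rule text before the script is used for a real assessment.

```python
"""POA&M eligibility screen for a CMMC Level 2 pre-assessment.

Applies the three tests in 32 CFR § 170.21(a)(2) to a list of NOT MET
findings: the 0.8 score threshold, the 1-point-only rule with the
SC.L2-3.13.11 exception, and the six requirements excluded by name.
Point values are supplied per finding from § 170.24.
"""
from dataclasses import dataclass, field
from typing import List

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 Rev. 2 requirements at Level 2
THRESHOLD = 0.8            # § 170.21(a)(2)(i), shown for reporting only

# § 170.21(a)(2)(iii): never POA&M-eligible, whatever their point value.
NEVER_ELIGIBLE = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
ENCRYPTION_EXCEPTION = "SC.L2-3.13.11"   # § 170.21(a)(2)(ii) exception


@dataclass
class Finding:
    """One NOT MET requirement with its § 170.24 point value (1, 3 or 5)."""
    req_id: str
    points: int
    encryption_employed: bool = False   # only meaningful for SC.L2-3.13.11


def meets_threshold(score: int) -> bool:
    """score / TOTAL_REQUIREMENTS >= 0.8, compared in integers to avoid float edge cases."""
    return 5 * score >= 4 * TOTAL_REQUIREMENTS


@dataclass
class ScreenResult:
    score_now: int
    poam_eligible: List[str] = field(default_factory=list)
    must_fix_first: List[str] = field(default_factory=list)
    score_after_prerequisites: int = 0

    @property
    def ready_for_assessment(self) -> bool:
        """True only if an assessment held today could grant Conditional status."""
        return not self.must_fix_first and meets_threshold(self.score_now)

    @property
    def conditional_status_possible(self) -> bool:
        """True if closing the must-fix items first leaves a POA&M that clears the threshold."""
        return meets_threshold(self.score_after_prerequisites)


def deduction(f: Finding) -> int:
    """Points deducted for a NOT MET finding, with the CUI-encryption partial credit."""
    if f.req_id == ENCRYPTION_EXCEPTION and f.encryption_employed:
        return 3   # encryption in place but not FIPS-validated scores at 3, not 5
    return f.points


def is_poam_eligible(f: Finding) -> bool:
    if f.req_id in NEVER_ELIGIBLE:
        return False
    if f.req_id == ENCRYPTION_EXCEPTION:
        return f.encryption_employed    # the one >1-point requirement a POA&M may hold
    return deduction(f) == 1


def screen(findings: List[Finding]) -> ScreenResult:
    result = ScreenResult(score_now=TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings))
    for f in findings:
        (result.poam_eligible if is_poam_eligible(f) else result.must_fix_first).append(f.req_id)
    result.score_after_prerequisites = TOTAL_REQUIREMENTS - sum(
        deduction(f) for f in findings if is_poam_eligible(f))
    return result


# Constructed sample: five NOT MET findings from a hypothetical pre-assessment.
SAMPLE_FINDINGS = [
    Finding("AC.L2-3.1.8", 1),                              # unsuccessful logon attempts
    Finding("AC.L2-3.1.10", 1),                             # session lock
    Finding("SC.L2-3.13.11", 5, encryption_employed=True),  # non-FIPS crypto in use
    Finding("IA.L2-3.5.3", 5),                              # MFA missing for privileged users
    Finding("PE.L2-3.10.3", 1),                             # escort visitors (excluded by name)
]


def report(findings: List[Finding]) -> str:
    r = screen(findings)
    return "\n".join([
        f"score now: {r.score_now}/{TOTAL_REQUIREMENTS} (threshold {THRESHOLD:.0%})",
        f"must be MET before assessment: {', '.join(r.must_fix_first) or 'none'}",
        f"POA&M-eligible: {', '.join(r.poam_eligible) or 'none'}",
        f"score once prerequisites are fixed: {r.score_after_prerequisites}",
        f"conditional status achievable: {r.conditional_status_possible}",
    ])


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

On the sample the score is 99 of 110, which clears the threshold, yet the organization is not ready: IA.L2-3.5.3 (5 points) and PE.L2-3.10.3 (excluded by name) must be MET before the assessment, while the two 1-point items and the non-FIPS encryption finding may ride on the POA&M at a combined cost of 5 points. The threshold check also shows why the count matters: twenty-two open 1-point items leave a score of 88 and pass, twenty-three leave 87 and fail.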
Failure 2: Aspirational Timelines Not Grounded in Resource Reality
Scenario: POA&M shows all items closing by day 60, but no budget has been approved for the necessary tools, and the responsible engineer is allocated at 100% to other projects.
Consequence: Items do not close; C3PAO finds milestones missed at closeout assessment; conditional status expires.
Prevention: Obtain written resource commitments (budget approval, FTE allocation) before setting milestone dates. If the resources are not available to close in 180 days, escalate the remediation priority to leadership — conditional certification is not a reward for having a plan; it requires executing the plan.
Failure 3: Weak or Unverifiable Closure Evidence
Scenario: POA&M entry is marked "closed" because a policy document was written, but there is no evidence of technical implementation or enforcement.
Consequence: C3PAO closeout assessment finds the control is not actually implemented; item is re-opened; 180-day window may expire before re-closure.
Prevention: Define closure evidence standards for each control type before remediation begins. For technical controls, evidence must include configuration exports, audit logs showing enforcement, or tool reports. A policy document alone closes a procedural requirement, not a technical one.
Failure 4: POA&M Disconnected from the SSP
Scenario: POA&M shows a control closed, but the SSP still lists it as NOT MET. SPRS score has not been updated.
Consequence: Contractor is reporting a lower (inaccurate) SPRS score than actual posture warrants; or conversely, SPRS is inflated because POA&M items were closed on paper but not verified, creating FCA exposure.
Prevention: Establish a mandatory SSP update and SPRS re-submission workflow tied to each POA&M closure batch.
Failure 5: No Escalation Path for Stalled Items
Scenario: A POA&M item stalls because a key vendor has not delivered, a technical dependency is unresolved, or the responsible employee has left the organization. No one notices until day 160.
Consequence: Item cannot be closed before the 180-day deadline; conditional status expires.
Prevention: Assign a backup POC for every POA&M item, and build an explicit escalation trigger tied to the Section 7 indicators (e.g., any milestone more than 10 days late is escalated to the CISO and executive sponsor at the next weekly status check).
Failure 6: Treating the POA&M as a Low-Risk Compliance Formality
Scenario: Organization views the POA&M as administrative overhead and assigns it to junior staff without executive sponsorship.
Consequence: Inadequate resources, missed deadlines, expired conditional certification, potential loss of contract eligibility.
Prevention: The CISO or equivalent must own the POA&M program. Each open POA&M item represents a contractual compliance obligation with a hard deadline and a defined risk to certification status.
9. Lessons from Continuous Monitoring Practice
The most mature defense contractors, including DOE national laboratory contractors and DoD prime contractors operating in high-assurance environments, treat POA&M management not as a periodic compliance activity but as a continuous monitoring function integrated into their security operations.
Key practices from high-maturity organizations:
Automated evidence collection: Rather than manually gathering screenshots and logs at closeout time, mature programs use automated compliance platforms (e.g., GRC tools, SIEM exports, configuration management databases) to continuously collect and timestamp evidence of control implementation. By the time the closeout assessment occurs, evidence is already organized and dated.
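As an added illustration of the automated, timestamped evidence collection described above and of the closure-evidence standard in Failure 3 (example code written for this edition of the page, not from any GRC product), the following Python builds a hashed manifest for one POA&M line's closure evidence and detects any later edit to the bundle. The artifact names and contents and the POA&M line identifier POAM-2026-004 are constructed for the example; in real use the artifact bytes are read from the evidence store.

```python
"""Hashed, timestamped manifest for POA&M closure evidence.

Each artifact is recorded with its SHA-256 and the UTC time of capture, and the
manifest itself is hashed, so the evidence bundle attached to a closed POA&M
line can be shown to be the same bytes the closeout assessor later reviews.
Artifacts are passed as bytes; in real use they are read from disk.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the manifest hash is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(control_id: str, poam_line: str, artifacts: Dict[str, bytes],
                   captured_at: Optional[datetime] = None) -> dict:
    """Record every artifact's digest and size under one control / POA&M line."""
    when = (captured_at or datetime.now(timezone.utc)).isoformat()
    body = {
        "control_id": control_id,
        "poam_line": poam_line,
        "artifacts": [
            {"name": name, "sha256": sha256_hex(data), "bytes": len(data), "captured_at": when}
            for name, data in sorted(artifacts.items())
        ],
    }
    return {**body, "manifest_sha256": sha256_hex(_canonical(body))}


def verify_manifest(manifest: dict, artifacts: Dict[str, bytes]) -> List[str]:
    """Return the problems found; an empty list means the bundle is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest body does not match its recorded hash")
    for entry in manifest["artifacts"]:
        data = artifacts.get(entry["name"])
        if data is None:
            problems.append(f"{entry['name']}: artifact missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['name']}: content differs from capture")
    extra = set(artifacts) - {e["name"] for e in manifest["artifacts"]}
    for name in sorted(extra):
        problems.append(f"{name}: not in manifest")
    return problems


# Constructed sample artifacts for the Section 5 session-lock entry (not real exports).
SAMPLE_ARTIFACTS = {
    "session-lock-policy.json": b'{"idleTimeoutMinutes": 15, "lockOnResume": true}\n',
    "host-config-ENG-07.txt": b"ScreenSaveActive=1\nScreenSaverIsSecure=1\nScreenSaveTimeOut=900\n",
}


def demo() -> dict:
    """Build a manifest, verify it, then show that a silently edited artifact is caught."""
    manifest = build_manifest("AC.L2-3.1.10", "POAM-2026-004", SAMPLE_ARTIFACTS,
                              captured_at=datetime(2026, 6, 10, 14, 0, tzinfo=timezone.utc))
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["host-config-ENG-07.txt"] = tampered["host-config-ENG-07.txt"].replace(b"900", b"3600")
    return {
        "manifest": manifest,
        "intact": verify_manifest(manifest, SAMPLE_ARTIFACTS),
        "after_tamper": verify_manifest(manifest, tampered),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest hash on the POA&M line in the Closure Evidence column at the moment the item is marked closed; the closeout assessor can then re-run the verification against the bundle handed over. The capture timestamp is self-asserted by the collector, so if the manifest must hold up against a claim that evidence was backdated, sign it or obtain a third-party RFC 3161 timestamp, which this example does not do.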
Real-time POA&M dashboards: A live dashboard displaying open item count, days remaining to closure, milestone completion rates, and responsible POC status enables leadership to spot trajectory problems in days rather than weeks.
Continuous SPRS score tracking: Rather than updating SPRS only at the annual affirmation, mature programs track their running SPRS score in a spreadsheet or GRC tool, updating it as controls are implemented and verified. This provides an accurate picture of posture at any moment and avoids the risk of SPRS inflation.
Tabletop simulations of conditional status expiration: Some organizations conduct quarterly "what if the conditional window expired today" exercises to identify which controls would still be open and what the contract impact would be. This creates urgency without waiting for a real crisis.
Integration with the Continuous Monitoring Plan: The SSP should reference a Continuous Monitoring (ConMon) plan that describes how controls are monitored ongoing after implementation — not just how they were implemented. The ConMon plan provides the C3PAO (and the organization itself) with assurance that closed POA&M items stay closed.
10. POA&M in the FCA Enforcement Context
The intersection of POA&M management and False Claims Act enforcement is not theoretical. The Georgia Tech Research Corporation matter (settled in 2025 for $875,000) included allegations that a false, inflated SPRS assessment score had been submitted, which is precisely what happens when an organization marks POA&M items closed in SPRS without evidence of actual implementation.
The FCA's "knowingly" standard encompasses reckless disregard for the truth. An organization that accepts a conditional CMMC certification and then fails to genuinely remediate POA&M items — while continuing to perform on DoD contracts and submitting invoices — risks FCA liability if the gap is later discovered.
Self-disclosure is not a safe harbor, but it remains a live option: DOJ's False Claims Act guidelines give cooperation credit for voluntary disclosure, and the DoD contractor disclosure program provides a channel for it. Organizations that discover misrepresentations in their SPRS scores or conditional certification status are strongly advised to seek legal counsel about the voluntary disclosure pathway, which has historically resulted in reduced penalties compared to enforcement-initiated cases.
Bottom line: A POA&M is a legal commitment. Treat it accordingly.
11. About the Author
Leonard Esere is a Senior Cybersecurity Engineer and compliance strategist at Aeolitech with deep expertise in DFARS/CMMC, NIST SP 800-171, and DoD security frameworks. Holding CISSP and CCSP certifications, Leonard has constructed and managed POA&M programs for defense contractors across manufacturing, IT services, and research sectors. He has direct experience preparing organizations for C3PAO assessments and navigating the conditional certification and closeout process under 32 CFR Part 170.
12. References
| Source | URL |
|---|---|
| 32 CFR § 170.21 — POA&M Requirements | https://www.law.cornell.edu/cfr/text/32/170.21 |
| 32 CFR Part 170 — CMMC Program Rule | https://www.ecfr.gov/current/title-32/part-170 |
| NIST SP 800-171 Rev. 2 (the revision 32 CFR Part 170 incorporates by reference) | https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final |
| NIST SP 800-37 — Risk Management Framework | https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final |
| CMMC Scoring Methodology (§ 170.24) | https://www.ecfr.gov/current/title-32/section-170.24 |
| DoD Assessment Methodology | https://www.dodcio.defense.gov/Portals/0/Documents/Library/NIST-SP-800-171-Assessment-Methodology.pdf |
| SPRS (Supplier Performance Risk System) | https://www.sprs.csd.disa.mil/ |
| The Cyber AB (CMMC Accreditation Body; its CAICO subsidiary certifies assessors) | https://cyberab.org/ |
| Exostar POA&M Guidance | https://www.exostar.com/blog/cmmc-compliance/cmmc-poams-guidelines-and-limitations/ |
| Mayer Brown FCA Cybersecurity Report (2026) | https://www.mayerbrown.com/en/insights/publications/2026/03/false-claims-act-enforcement-record-breaking-year-signals-continued-attention-to-cybersecurity |
13. Next Steps
A POA&M is only as strong as the underlying gap assessment that produced it. If your organization is uncertain which controls are POA&M-eligible, whether your SPRS score accurately reflects your posture, or whether your current POA&M will survive a C3PAO closeout assessment, an independent review is the most cost-effective risk mitigation available.
Schedule a CMMC Gap Assessment with Aeolitech →
Our assessment team will map your control implementation status against the 32 CFR § 170.21 eligibility rules, evaluate your POA&M structure and evidence quality, and deliver a prioritized remediation roadmap designed to close every item before your 180-day window expires.