POA&M Closeout Timelines Under CMMC: The 180-Day Window
CMMC limits POA&Ms to Levels 2 and 3 and requires remediation and a recorded closeout assessment within 180 days of the Conditional CMMC Status Date.

CMMC ties POA&M use to a 180-day remediation window that starts on the Conditional CMMC Status Date and ends with a POA&M closeout assessment recorded in CMMC eMASS. Miss that window and Conditional Status expires. Contractors that rely on POA&Ms must plan to remediate and retest on a tight clock.
Regulatory basis for the 180-day POA&M window
32 CFR 170.21 sets the ground rules for Plans of Action and Milestones under CMMC. The rule permits POA&Ms at Level 2 and Level 3 under limits and prohibits POA&Ms at Level 1. The same section states that you must remediate every requirement scored NOT MET and placed on a POA&M within 180 days of the Conditional CMMC Status Date. The program treats POA&M use as time-bound corrective action, not as a standing exception.
The Federal Register preamble explains the rationale and frames the constraints at the program level. That preamble also separates the CMMC program rule in 32 CFR from the forthcoming DFARS 252.204-7021 clause that will put CMMC into contracts. DoD runs CMMC program mechanics through 32 CFR, then contracting officers will bring those features into solicitations through DFARS rulemaking.
Start trigger and scope of the 180-day clock
The 180-day timer does not key off fieldwork dates. 32 CFR 170.21 ties the countdown to the Conditional CMMC Status Date that CMMC eMASS records after the initial assessment. That date marks day zero. From that point, your team remediates every eligible NOT MET requirement that your assessor placed on the POA&M and prepares for retest.
The DoD CIO CMMC program site describes the required POA&M closeout assessment and states that Conditional Status expires if the closeout does not land within the window. Expiration affects contract eligibility for efforts that require that CMMC level. The program office positioned the window to minimize the period where known deficiencies sit unresolved on systems that handle FCI or CUI.
POA&M closeout assessment requirements
You do not run a full reassessment to close a POA&M. The Cyber AB CMMC Assessment Process v2.0 directs assessors to scope the closeout to the requirements scored NOT MET in the initial assessment. The C3PAO team reviews evidence for those items, tests the remediated implementations, updates the score, and submits the closeout package to CMMC eMASS after quality assurance.
Assessment mechanics differ by assessment type and cycle. For a self-assessment at Level 2, your internal team performs the closeout and enters the result in CMMC eMASS. For a triennial certification at Level 2 or a Level 3 engagement, your C3PAO or Government Assessment Team runs the closeout scope and submits results. In every case, you must line up the work so that eMASS records the closeout inside the 180-day window.
Two practical checkpoints govern success.
- You align POA&M items, the System Security Plan (SSP), and objective evidence so the assessor can retest without rework.
- You hold calendar time for assessor scheduling, evidence review, and any QA steps before eMASS submission.
If you finish remediation on day 175 and start paperwork on day 176, you risk expiration. Build schedule margin for assessor availability and eMASS workflows.
POA&M eligibility limits by level and requirement
The rule draws hard lines. Level 1 does not permit POA&Ms. Levels 2 and 3 permit POA&Ms for a subset of requirements that meet rule thresholds. You must also meet a minimum score on the initial assessment to receive Conditional Status. DoD structured these limits to keep critical safeguards in place before Conditional Status is granted.
Program materials and industry summaries flag exclusions that surprise teams. Several NIST SP 800-171 Level 2 requirements with one-point values still sit outside POA&M eligibility due to risk. Common examples include:
- AC.L2-3.1.20 Verify and control or limit connections to external systems, and AC.L2-3.1.22 Control CUI posted or processed on publicly accessible systems.
- PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5 for visitor escort and monitoring, physical access logging, and physical access device control.
Treat the eligibility list in 32 CFR 170.21 as the source of truth. If a requirement does not meet the rule’s criteria, you implement it before your assessor can award Conditional Status. You also align the SSP and scoring with that reality. Our overview of NIST 800-171 and CMMC Level 2 mapping covers the practice set and supports that alignment work.
Practical planning to meet CMMC POA&M closeout deadlines
You control three levers during the 180-day window: scope, sequence, and evidence.
- Scope the POA&M to the minimal set that the rule permits, and work high-risk practices first even if they are eligible.
- Sequence remediation so that dependencies finish early in the window, then run independent items in parallel under change control.
Evidence makes or breaks the closeout.
- Capture configurations, screenshots, and change records as you implement, then map each artifact to assessment objectives in the Level 2 Guide.
- Stage artifacts in a repository the assessor can review without delay, then confirm traceability from SSP narratives to ticket numbers and to test procedures.
A lean schedule template helps keep the team honest.
- Day 0: eMASS grants Conditional Status.
- Days 1 to 30: you finalize designs for each POA&M item and lock success criteria.
- Days 31 to 120: you implement technical and procedural changes and update the SSP and procedures as you land each change.
- Days 121 to 150: you run internal validation against assessment objectives and fix gaps.
- Days 151 to 170: you deliver evidence to the assessor and schedule test sessions.
- Days 171 to 180: you support retest and quality checks and confirm that eMASS shows the closeout.
Coordinate with your C3PAO as soon as you receive the preliminary results from the initial assessment. Many C3PAOs book closeout resources weeks in advance. Ask for the closeout scope in writing, including the list of requirements, the evidence set, and the test approach. Then baseline your internal workplan and publish dates to leadership so procurement and operations know where changes may land.
SPRS scoring ties into these decisions. The score from the initial assessment must meet the program’s minimum to unlock Conditional Status. Remediation during the window then raises the score to the target. Our briefing on SPRS scoring for NIST 800-171 walks through how NOT MET requirements and POA&M items affect the math and the reporting sequence.
Keep the SSP current throughout the window. Assessors test against what you say you do. If the SSP lags behind implementation, you create avoidable friction during closeout. Our guidance on the System Security Plan covers structure and maintenance practices that support assessment and closeout.
Microsoft context for remediation planning
Microsoft’s public sector team published program summaries that reinforce the need for lifecycle management under the final rule. Those summaries match the 180-day remediation window and the need to record closeout in CMMC eMASS. For platform planning, Microsoft’s Technical Reference Guide for CMMC 2.0 and the Product Placemat for CMMC 2.0 provide service-to-practice mappings. Treat both as references for feature alignment. They do not serve as certification, authorization, or a guarantee of outcomes.
Organizations that handle CUI should also confirm the right Microsoft cloud boundary. Azure Government and Microsoft 365 GCC High support Defense Industrial Base workloads that include CUI. The right choice depends on your data, your enclave design, and contract flowdown. Platform selection and enclave boundary decisions influence which POA&M items you might face, the order you can remediate them, and the evidence you will produce.
Common pitfalls that burn the 180-day clock
Teams that treat the window as post-assessment cleanup lose time. Treat it as a second assessment phase with known scope, known objectives, and a set end date. Two patterns cause expiration risks:
- Change control that trails implementation, which creates gaps between real configurations and documented procedures that the assessor must reconcile.
- Late coordination with the assessor, which compresses test windows and triggers QA delays that push eMASS submission past day 180.
You can avoid both patterns with one practice. Lock a single owner for each POA&M item who owns remediation, evidence, and assessor engagement for that item. That owner brings issues to a daily standup and clears blockers within 24 hours. That cadence keeps items moving and keeps the closeout package complete.
Contracting impact and program separation
32 CFR Part 170 defines CMMC program mechanics, including POA&M limits and the 180-day window. DFARS 252.204-7021 will carry those mechanics into solicitations and awards. Treat this separation as a planning constraint. You need to meet the program rule to gain and keep Conditional Status, and you need to meet contract language that points to that status. DoD will continue to publish program updates through the DoD CIO site and eCFR. Contracting officers will apply those updates when DFARS rulemaking reaches completion.
Action list for teams facing a POA&M
Two moves change outcomes when the timer starts.
- Publish a day-by-day plan through day 180 with owners and artifacts, then hold daily execution reviews until eMASS records closeout.
- Pre-stage assessor access, test accounts, and artifact repositories, then validate that every item traces to an SSP update and a test procedure.
If your assessment pipeline spans Microsoft cloud services, align remediation plans with your tenant architecture and licensing. Validate that control implementations for items like SC.L2-3.13.11 use configurations and cryptography that meet the practice intent under NIST SP 800-171 and that you can demonstrate those settings on demand.
POA&Ms serve a narrow purpose in CMMC. Use them to clear a defined set of gaps under a fixed clock, and close them with evidence that an assessor can verify.
Sources
Other industry publications were also consulted at the time of this post.