POA&M Management Under CMMC: From Identification to Closure
How to run a defensible POA&M under CMMC.

The Plan of Action and Milestones (POA&M) functions as a tracking document for unimplemented controls and remediation efforts. Under self-assessed NIST 800-171, the POA&M operated with minimal scrutiny. Under CMMC Level 2, however, it becomes a binding contractual requirement with strict constraints: certain control types cannot appear on it, the total number of items is capped, and all open items must close within 180 days of conditional certification.
What CMMC Actually Allows on a POA&M
Per 32 CFR Part 170.21, conditional certification requires organizations to demonstrate at least 88 of 110 practices as MET (80 percent threshold), with remaining practices documented on an approved POA&M. However, not all NOT MET practices qualify for deferral:
- 1-point practices under the DoD Assessment Methodology (foundational controls) cannot be deferred. They must be MET at assessment.
- Selected 3-point and 5-point practices are also ineligible for POA&M status, as identified in the Level 2 Assessment Guide.
- Practices marked MET cannot appear on POA&Ms.
- NOT APPLICABLE practices, if justified, belong in the System Security Plan rather than the POA&M.
The 180-day closure window begins at conditional certification. If any POA&M item remains open beyond that deadline, conditional certification expires and CMMC status is lost. The current regulation provides no extension mechanism.
POA&M Item Lifecycle
1. Identification
A POA&M item is initiated when a control is assessed as NOT MET through gap assessment, internal audit, security incident, or assessor finding. The item record should include:
- NIST 800-171 / CMMC practice identifier (e.g., AC.L2-3.1.18).
- Description of the gap. Specifically what is unimplemented.
- Affected scope. Systems, applications, user populations.
- Risk rating. Likelihood and impact, even if qualitative.
- Identification date.
- Identification source. Assessment, audit, incident, or internal review.
2. Planning
For each item, document the closure strategy:
- Closure criteria. Specific conditions that define closure (e.g., “Intune compliance baseline applied to all corporate Windows endpoints; zero non-compliant devices in MEM dashboard”).
- Owner. A named individual, not a team.
- Milestones. Interim checkpoints for items with technical dependencies.
- Target closure date. Bounded by the 180-day window if part of conditional certification.
- Resource estimate. Engineer hours, licensing costs, vendor effort.
- Evidence-of-closure plan. The artifact demonstrating closure.
3. Execution
The named owner executes the closure plan with regular status updates. Items within the 180-day window should be tracked weekly; longer-horizon items require monthly updates. Slipped milestones must be explicitly re-baselined with documented rationale. Assessors examine POA&M history for evidence of active management rather than silent drift.
4. Closure
Closure requires both criteria satisfaction and supporting evidence. Evidence types vary by control:
- Configuration controls: Dated production configuration exports showing the control in place.
- Policy controls: Approved policy documents with version, owner, and approval signature.
- Training controls: Training completion reports with user names and dates.
- Operational controls: Process logs or runbooks with evidence of execution (audit logs, ticket history).
The item is marked closed, the SSP is updated to reflect implementation, and the closure record is preserved in historical records for assessor review.
5. Verification at Recertification
Closed POA&M items undergo verification during subsequent assessment cycles. If a previously closed control has degraded, it can be reopened as a new POA&M item, with the SSP amended accordingly and the regression examined during gap assessment.
Where Most POA&Ms Fail Under Assessor Review
- Vague closure criteria: “Implement MFA” is insufficient. Assessors expect specificity: “Conditional Access policy CA-001 deployed, sign-in logs over 30-day sample show 100% MFA enforcement.”
- Unowned items: A POA&M listing “IT” as owner provides no accountability. Individual assignment is mandatory.
- Closure without evidence: Items marked closed without supporting artifacts are functionally incomplete and will be reopened.
- Static target dates that have passed: Slippage is expected; unexplained delays without re-baselining indicate poor management.
- Non-POA&M-eligible practices on the POA&M: Easy to overlook if the team doesn’t track the Level 2 Assessment Guide eligibility list. Ineligible items must be MET, not deferred.
Where the POA&M Lives
Spreadsheets remain the most common format and are acceptable if discipline is maintained. Purpose-built GRC tools (eMASS for federal agencies; Vanta, Drata, Hyperproof, and RegScale for Defense Industrial Base) offer advantages in audit trails, evidence repository integration, and version control. Tool selection matters less than execution discipline; a well-managed spreadsheet outperforms a neglected GRC platform.
The POA&M is referenced from the SSP and is typically the first deliverable an assessor requests. It also serves as the primary input to SPRS scoring, since calculations are driven by the NOT IMPLEMENTED practice list.
POA&M and SSP Interaction
The SSP describes current control implementation. The POA&M documents what remains unimplemented. Assessors validate consistency between the two documents: a control marked “implemented” in the SSP cannot simultaneously be “open” on the POA&M. POA&M closure must trigger SSP updates to maintain alignment.
What to Do Next
- Audit the current POA&M format, ensuring items have named owners, dated milestones, and evidence references. Revise the template before adding new items.
- Identify any POA&M items on the non-POA&M-eligible practice list. Prioritize these for immediate remediation rather than deferral.
- Build a closure-evidence library with artifacts stored in a controlled, retrievable location alongside POA&M references.
- Establish a monthly POA&M review cadence with named owners. Conditional certification 180-day windows cannot survive quarterly reviews.