
CMMC POA&M: How to Build a Plan of Action and Milestones

Most defense contractors treat the POA&M as a formality. Assessors can tell immediately. Here is how to build one that actually holds up.

By Telco United • 7 min read

The POA&M is the document most defense contractors build the week before their assessment, fill in with generic dates, and assume satisfies the requirement. Assessors have reviewed enough of them to recognize one instantly. A poorly built POA&M does not just fail to help. It raises questions about everything else in your documentation package.

A well-built POA&M, on the other hand, is one of the strongest signals you can send going into a CMMC Level 2 assessment. It tells assessors that your organization understands its gaps, has a credible plan to close them, and manages compliance as an ongoing process rather than a one-time event.

What a CMMC POA&M Is and Why It Matters

A Plan of Action and Milestones is a formal tracking document that records every gap between your current security posture and full implementation of the 110 practices in NIST SP 800-171. For each gap, the POA&M answers three questions: what is not yet implemented, when will it be fixed, and who is responsible for fixing it.

For CMMC Level 2, the POA&M serves two practical purposes. First, it is required documentation for conditional certification, which is the path available to contractors who have not closed all 110 practices before their assessment date. Second, it is reviewed by assessors as a signal of whether your organization manages compliance intentionally or reactively.

An organization claiming all 110 practices are fully implemented with no open items will receive more scrutiny than one with a well-documented POA&M. No open items sounds like a clean result. To an experienced assessor, it often signals that the self-assessment was not rigorous.

When You Are Required to Have a POA&M

If your CMMC assessment reveals any practices that are not fully implemented, you have two options: close those gaps before the assessment concludes, or document them in a POA&M and pursue conditional certification.

Under current CMMC rules, conditional certification requires all POA&M items to be closed and verified within 180 days of the conditional certification date. Items that cannot be addressed within that window, or practices the DoD designates as non-POA&M eligible due to their criticality, must be remediated before the assessment closes rather than deferred.

Not all 110 practices are eligible for POA&M deferral. High-priority practices tied to multi-factor authentication, incident reporting, and CUI boundary protection are typically required to be fully implemented before conditional certification is granted. Your consultant should map these out well before assessment day.

Our guide on how to prepare for a CMMC assessment covers the full pre-assessment timeline, including which gaps you need to close before the C3PAO arrives versus which can be deferred to a POA&M.

The Seven Fields Every POA&M Entry Needs

A POA&M that survives assessor scrutiny contains enough information that a third party can understand each gap, evaluate the remediation plan, and verify progress without needing to ask follow-up questions. That requires consistent structure across every entry.

The seven fields every POA&M entry should include:

  1. Practice ID and title: the specific NIST 800-171 control number and name, such as 3.5.3 (Use multifactor authentication for local and network access to privileged accounts). No ambiguity about which requirement the entry addresses.
  2. Description of the gap: a plain-language statement of what is not currently implemented or is only partially in place. "MFA is not enforced for remote access to CUI systems" is useful. "Access control gap" is not.
  3. Planned completion date: a specific date that reflects the actual work required, not one chosen to look reasonable. If remediation requires procurement, configuration, and testing across six weeks, the date should reflect six weeks of real work.
  4. Responsible owner: the name or role of the person accountable for closing the item. POA&M entries without assigned owners are treated as unmanaged by any assessor reviewing them.
  5. Resources required: what budget, personnel, or vendor support is needed to close the gap. It does not need to be a formal cost estimate, but it needs to show the organization has thought through what it will actually take.
  6. Interim milestones: for items that will take more than a few weeks, break the work into stages with target dates for each stage. This turns a completion date into a credible plan.
  7. Current status: a running log of progress updates. An entry created six months ago with no status updates is a red flag to any assessor reviewing the document.
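As an added illustration (not a tool from the article), the Python below applies the seven fields above, the 180-day closure window and the red flags the article names (no owner, vague gap, no milestones on a multi-week item, no status updates) to constructed sample entries; the dict keys, the sample data and the 6-word, 21-day and 90-day thresholds are assumptions.

```python
"""Checks for POA&M entries against the seven fields above (added example;
dict keys, sample entries and the 21-/90-day thresholds are assumptions)."""
from datetime import date, timedelta

REQUIRED = ("practice_id", "title", "gap", "due", "owner", "resources")
WINDOW = timedelta(days=180)    # conditional-certification closure window (article)
FEW_WEEKS = timedelta(days=21)  # assumption: items longer than this need milestones
STALE = timedelta(days=90)      # assumption: a quarter without an update is stale


def check_entry(entry, cert_date, today):
    """Return the findings for one entry; an empty list means it reads clean."""
    findings = [f"missing {f}" for f in REQUIRED if not entry.get(f)]
    gap = entry.get("gap", "")
    if gap and len(gap.split()) < 6:  # assumption: "Access control gap" is too short
        findings.append("gap description too vague to verify closure")
    due = entry.get("due")
    if due:
        if due > cert_date + WINDOW:
            findings.append("due date beyond the 180-day conditional window")
        if due < today:
            findings.append("overdue")
        if due - entry.get("opened", cert_date) > FEW_WEEKS and not entry.get("milestones"):
            findings.append("multi-week item without interim milestones")
    log = entry.get("status_log") or []
    if not log:
        findings.append("no status updates recorded")
    elif today - max(d for d, _ in log) > STALE:
        findings.append("no status update in the last 90 days")
    return findings


def review(poam, cert_date, today):
    """Findings keyed by practice ID for a whole POA&M."""
    return {e.get("practice_id", "?"): check_entry(e, cert_date, today) for e in poam}


CERT = date(2025, 3, 1)   # constructed conditional certification date
TODAY = date(2025, 6, 1)  # constructed review date
SAMPLE_POAM = [  # constructed entries: one credible, one that fails review
    {"practice_id": "3.5.3", "title": "Use MFA for privileged accounts",
     "gap": "MFA is not enforced for remote access to CUI systems",
     "opened": CERT, "due": date(2025, 6, 30), "owner": "IT Manager",
     "resources": "MFA licences, 40 staff hours",
     "milestones": [(date(2025, 4, 30), "pilot group enrolled")],
     "status_log": [(date(2025, 5, 20), "pilot complete, rollout in progress")]},
    {"practice_id": "3.1.1", "gap": "Access control gap", "opened": CERT,
     "due": date(2025, 9, 30), "resources": "", "milestones": [], "status_log": []},
]
```

Running `review(SAMPLE_POAM, CERT, TODAY)` returns no findings for the 3.5.3 entry and seven for the 3.1.1 entry, which is the kind of entry the article says assessors recognize instantly.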

How to Identify What Belongs on Your POA&M

The starting point for building a POA&M is a gap assessment: a systematic comparison of your current security controls against each of the 110 NIST 800-171 practices. This is the same process that feeds your SPRS score.

For each practice, the outcome is one of three things: fully implemented (evidence exists that the control is working as required), partially implemented (some elements exist but the implementation is incomplete), or not implemented (no evidence of the control exists). Partially and not-implemented practices become POA&M entries.

The gap description for each entry should come directly from the assessment finding, written specifically enough that a future assessor can verify whether the gap was actually closed. Vague descriptions produce vague evidence of closure, which produces findings during re-assessment.

If you have not done a formal gap assessment yet, that step comes before the POA&M. Our free self-assessment tool gives you a starting point for identifying where your gaps are before engaging a C3PAO.

POA&M Mistakes That Fail Under Assessor Review

The most common POA&M failures follow a consistent pattern: the document was built quickly to satisfy a requirement, not to manage actual remediation work. The specific problems assessors look for:

For a broader look at the documentation practices that determine assessment outcomes, see our post on CMMC documentation: what assessors actually want to see.

Keeping Your POA&M Current Between Assessments

A POA&M is a living document. Building it once and setting it aside until your next assessment is one of the most common compliance mistakes in the defense supply chain. A stale POA&M is worse than no POA&M because it documents gaps that have not been addressed and dates that have been missed.

Effective POA&M maintenance requires:

A well-maintained POA&M gives your organization a real-time picture of where your compliance program stands. It also makes the next assessment substantially more predictable because there are no surprises in your own documentation.

The Bottom Line

Building a credible POA&M is not complicated, but it requires the same discipline as any project plan. Every open item needs a clear description, a realistic timeline, an assigned owner, interim milestones for anything that takes more than a few weeks, and regular progress updates. The defense contractors who arrive at CMMC assessments with well-maintained POA&Ms spend less time defending their documentation and more time getting credit for the work they have done.

If you want help building a POA&M that will hold up under Level 2 assessment scrutiny, our CMMC compliance services include gap assessment, POA&M development, and ongoing compliance program support. To understand what level of certification your contracts require, see our breakdown of CMMC Level 1 vs Level 2. And if you are evaluating compliance partners, see what to look for in a CMMC consultant.
