Under CMMC 2.0, contractors can achieve conditional certification with a limited number of requirements on a Plan of Action and Milestones (POA&M). However, those items must be closed within 180 days. If they are not, you lose your conditional status. This makes your POA&M one of the most consequential documents in your compliance program.
What Can Go on a POA&M?
Not every requirement can be placed on a POA&M under CMMC. The final rule defines a subset of requirements that are eligible for POA&M treatment. High-value requirements, those weighted at 5 points in the SPRS methodology, generally cannot be POA&M'd. In addition, the combined point value of the items on your POA&M cannot cause your SPRS score to drop below a threshold defined in the rule.
Even for eligible requirements, the POA&M must demonstrate that you have a credible plan to close the gap within 180 days. Vague statements like "implement MFA by Q3" are insufficient. The plan must be specific, resourced, and measurable.
Anatomy of a Good POA&M Item
Each POA&M item should include these elements:
Requirement ID and description: Reference the specific NIST 800-171 requirement (e.g., SC.L2-3.13.11 — Encrypt CUI in transit).
Current status: Describe what you have implemented so far and where the gap exists. Be specific — "partially implemented" is not enough.
Remediation plan: Detail the specific steps you will take to close the gap. Include technical changes, procurement requirements, and process updates.
Resources required: Identify the budget, personnel, and tools needed. A plan without resources is not a plan.
Milestones with dates: Break the remediation into checkpoints. For a 180-day window, monthly milestones are appropriate. Each milestone should be a verifiable deliverable.
Responsible party: Name the specific person (not a department) accountable for each milestone.
The 180-Day Clock
The 180-day clock starts when you receive your conditional CMMC certification. Not when you start your POA&M. Not when you schedule your closeout assessment. When you receive the conditional status. Plan backward from that date.
At the end of 180 days, a C3PAO will verify that each POA&M item has been closed. This is not a paper review — the assessor will look for implemented controls, not updated documents. If items remain open, your conditional certification is revoked.
Best Practices
Do not use the POA&M as a safety net for controls you could implement before the assessment. Close everything you can first. Reserve the POA&M for items that genuinely require more time — complex technical implementations, procurement dependencies, or vendor timelines you cannot control.
Review your POA&M weekly during the 180-day window. Treat it like a project plan, not an audit artifact. Assign a single owner who is accountable for overall POA&M closure and empowered to escalate blockers to leadership.
CMMCDocs.com