POA&M
Also known as: Plan of Action and Milestones · POAM
Plan of Action and Milestones — a document tracking security requirements that have not yet been fully implemented and the plan to close them. Subject to a 180-day closure rule under CMMC 2.0.
A Plan of Action and Milestones (POA&M) is a tracking document for security requirements that have not yet been fully implemented in an organization's environment. Each POA&M item identifies the specific requirement, the gap, the planned remediation steps, the responsible owner, the target closure date, and any interim safeguards in place.
Under CMMC 2.0, only a limited subset of NIST SP 800-171 requirements (those scored at 1 point in the DoD Assessment Methodology) is eligible to be on a POA&M at the time of assessment. Higher-value requirements must be fully met. A contractor with eligible POA&M items at assessment time can receive conditional certification, but must close all open items within 180 days or lose the certification.
Managing POA&M items against the 180-day clock — including documenting closure evidence and updating the SSP — is one of the core operational disciplines of a CMMC Level 2 program.
CMMCDocs.com