A Plan of Action and Milestones (POA&M, pronounced "po-am") is not a bureaucratic placeholder; it's the document that determines whether a C3PAO can issue a conditional CMMC certification or has to fail you outright. It's the difference between "conditionally certified" and "better luck next assessment window." Here's exactly what every row must contain, how your POA&M connects to your SPRS score, and the mistakes that get organizations failed.
A Plan of Action and Milestones (POA&M) is a structured document that identifies security gaps in your environment, describes the specific actions your organization will take to close those gaps, assigns responsibility, and sets target completion dates. It is the formal record of your remediation roadmap.
The POA&M requirement is embedded directly in NIST SP 800-171 Rev 2. Practice 3.12.2, which maps to CMMC practice CA.L2-3.12.2, requires organizations to "develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems." This is not optional guidance. It's a security practice with a point value, and failing to maintain a current POA&M is itself a finding.
The contractual basis: DFARS 252.204-7012 requires implementation of NIST 800-171. NIST 800-171 requires a POA&M. Therefore, every defense contractor covered by DFARS 7012 is contractually obligated to maintain a POA&M. A C3PAO will request it as part of the pre-assessment package, typically alongside your SSP and network diagram.
The POA&M serves a second critical function: it's how a C3PAO determines whether your organization qualifies for a conditional CMMC certification. Under 32 CFR Part 170, a C3PAO can issue a conditional Level 2 certification when open findings meet specific criteria: no more than 20% of practices unimplemented (roughly 22 practices), no critical practices (MFA, encryption) on the POA&M, and a credible plan to close every item within 180 days. Without a POA&M, conditional certification isn't possible, because there's no documented plan to assess.
A POA&M isn't a free-form document. Each row must capture specific data that enables an assessor (and your own management) to understand the gap, the plan, and the timeline. Here are the eight fields every row must contain:
Your SPRS score is calculated starting from a perfect 110 and subtracting points for every NIST 800-171 practice that is not fully implemented. Every item on your POA&M, because it represents a practice that is not yet implemented, reduces your SPRS score by that practice's assigned point value.
The DoD Assessment Methodology assigns different weights to different practices based on their security criticality. Some practices carry a 1-point deduction; others carry 5 points. An organization with 20 open POA&M items spread across high-weight practices could have a score well below zero.
Negative scores are real: A contractor who has implemented zero of the 110 NIST 800-171 practices has a theoretical SPRS score of -203. DoD uses SPRS scores in contract award decisions. Contracting officers can see your score, and a score below a program-specific threshold can disqualify you from bid consideration.
The critical implication: your POA&M and your SPRS score must tell the same story. If your SPRS submission shows a score of 85 but your POA&M lists 10 open practices worth 30+ combined points, that's a false self-attestation, with False Claims Act exposure attached. A C3PAO will spot the discrepancy before you finish explaining it.
Prioritize your remediation roadmap around the practices that carry the highest point deductions. Closing a 5-point practice has 5x the SPRS impact of closing a 1-point practice. Here are five of the highest-weighted practices you should close first:
| Practice ID | Domain | Description | Point Value |
|---|---|---|---|
| 3.1.1 (AC) | Access Control | Limit system access to authorized users and processes | 5 pts |
| 3.4.1 (CM) | Config Management | Establish and maintain baseline configurations | 5 pts |
| 3.4.2 (CM) | Config Management | Establish settings and restrictions for constituent components | 5 pts |
| 3.5.3 (IA) | Identification & Auth | Use multi-factor authentication for local and network access | 5 pts |
| 3.13.8 (SC) | System & Comms | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI in transit | 5 pts |
Note that practices 3.5.3 (MFA) and 3.13.8 (encryption in transit) are also practices that cannot be on a POA&M for conditional CMMC certification; they must be fully implemented before a C3PAO assessment. This makes them doubly urgent to close.
Assessors who have reviewed dozens of POA&Ms across the DIB know within minutes whether a POA&M was built to satisfy a checkbox or built to actually guide remediation. Here's what distinguishes a POA&M that passes from one that gets you failed:
The System Security Plan (SSP) and the POA&M are companion documents, not alternatives. Your SSP documents the current implementation status of all 110 practices. For each practice, your SSP should indicate one of three statuses: Implemented, Planned, or Alternative Implementation.
Every practice marked Planned in your SSP must have a corresponding row in your POA&M. If your SSP says a practice is planned but your POA&M has no entry for it, that's an inconsistency a C3PAO will flag immediately. The two documents must tell the same story about your security posture.
Conversely, if your POA&M has an entry for a practice that your SSP marks as Implemented, that's also a red flag: it suggests either that your SSP is wrong or that your POA&M is a leftover that wasn't cleaned up when the practice was closed. Assessors will test both.
Practical tip: Version-control both documents together. When you close a POA&M item, update the SSP status on the same day. Date-stamp every change. An auditor or C3PAO may ask for version history; showing that documents were updated contemporaneously with remediation activities demonstrates that your process is real, not retroactive.
The most common POA&M failure is writing remediation actions that describe outcomes instead of steps. "Implement MFA" doesn't tell an assessor how you'll do it, who will do it, what systems are in scope, or how you'll verify it's working. Write your remediation actions as if you're handing them to a technician with no prior knowledge of your environment, because that's essentially what a C3PAO assessor is.
A POA&M with a final completion date but no interim milestones is a plan without checkpoints. Assessors conducting follow-up reviews need to verify progress, and without milestones, there's nothing to verify. Break every remediation action into at least two or three milestones: planning, implementation, testing, and verification are natural checkpoints for most technical controls.
A POA&M dated six months ago with no updates is evidence of a compliance theater exercise. It doesn't prove a working remediation process; it proves you filled one out once. The document should show the date each milestone was completed, who verified it, and any notes on what changed from the original plan. If your team completed a milestone on March 15, that date should be in the document. If the milestone slipped, the new date and the reason should be documented.
Some organizations, out of excessive caution, put every practice on the POA&M even if they're partially implemented. This inflates the apparent deficiency count and may push you above the 20% threshold for conditional certification. Only practices that are genuinely not yet implemented belong on the POA&M. Partially-implemented practices need accurate SSP implementation statements describing what's done and what remains.
The SPRS score you submitted must match the implementation status implied by your POA&M. If your score implies you've implemented 95 of 110 practices, but your POA&M lists 25 open items, you have a math problem, and potentially a False Claims Act problem. Assessors are very good at math. Reconcile these numbers before any assessment, not during it.
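The SSP/POA&M cross-check, the SPRS reconciliation, and the conditional-certification criteria described above, as an added example (not the page's template or any official tool). The weight table is a constructed sample; the full table lives in the DoD Assessment Methodology. The sample SSP and POA&M are constructed to contain one inconsistency of each kind.

```python
# Added example (not the page's template): reconcile a POA&M against the SSP and
# the self-reported SPRS score using the rules the article states. The weight
# table is a constructed sample; the full one is in the DoD Assessment Methodology.
from datetime import date, timedelta

PERFECT_SCORE = 110
TOTAL_PRACTICES = 110
MAX_POAM_ITEMS = TOTAL_PRACTICES * 20 // 100    # 20% cap -> 22 practices
MAX_CLOSURE_DAYS = 180
NOT_POAM_ELIGIBLE = {"3.5.3", "3.13.8"}        # MFA and encryption in transit
# Constructed sample weights; the five 5-point entries match the article's table.
WEIGHTS = {"3.1.1": 5, "3.4.1": 5, "3.4.2": 5, "3.5.3": 5, "3.13.8": 5,
           "3.3.1": 3, "3.8.7": 3, "3.12.2": 1, "3.1.20": 1}


def sprs_score(open_practices):
    """Start from a perfect 110 and subtract each open practice's weight."""
    return PERFECT_SCORE - sum(WEIGHTS[p] for p in open_practices)


def reconcile(ssp, poam, reported_score, assessment_date):
    """ssp: {practice: 'Implemented' | 'Planned' | 'Alternative Implementation'}
    poam: {practice: target closure date}. Returns (findings, implied score)."""
    findings = []
    planned = {p for p, s in ssp.items() if s == "Planned"}
    on_poam = set(poam)
    for p in sorted(planned - on_poam):
        findings.append(f"{p}: SSP says Planned but there is no POA&M row")
    for p in sorted(on_poam - planned):
        findings.append(f"{p}: on POA&M but SSP status is {ssp.get(p, 'missing')}")
    score = sprs_score(on_poam)
    if score != reported_score:
        findings.append(f"SPRS mismatch: reported {reported_score}, POA&M implies {score}")
    if len(on_poam) > MAX_POAM_ITEMS:
        findings.append(f"{len(on_poam)} open items exceed the 20% cap ({MAX_POAM_ITEMS})")
    for p in sorted(on_poam & NOT_POAM_ELIGIBLE):
        findings.append(f"{p}: must be implemented before assessment, not on a POA&M")
    deadline = assessment_date + timedelta(days=MAX_CLOSURE_DAYS)
    for p, due in sorted(poam.items()):
        if due > deadline:
            findings.append(f"{p}: closure {due} is beyond 180 days from assessment")
    return findings, score


# Constructed sample documents for a dry run (one inconsistency of each kind).
SAMPLE_SSP = {p: "Implemented" for p in WEIGHTS}
SAMPLE_SSP.update({"3.4.1": "Planned", "3.5.3": "Planned", "3.12.2": "Planned"})
SAMPLE_POAM = {"3.4.1": date(2025, 5, 1), "3.5.3": date(2025, 12, 1)}
ASSESSMENT_DATE = date(2025, 3, 1)
```

Calling `reconcile(SAMPLE_SSP, SAMPLE_POAM, 105, ASSESSMENT_DATE)` on the constructed data reports the orphaned Planned status, the score mismatch (the POA&M implies 100, not 105), the MFA practice sitting on the POA&M, and its closure date past the 180-day window.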
Our CMMC POA&M Template includes all 8 required fields, practice-level SPRS score tracking, milestone columns, and implementation guidance drawn from hands-on C3PAO assessment experience. Paired with our SSP template, it gives you a complete, synchronized documentation set that assessors recognize as professional work.
Yes. NIST SP 800-171 practice 3.12.2, CA.L2-3.12.2 in CMMC numbering, requires organizations to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. A C3PAO will request your POA&M as part of the assessment package. Having no POA&M signals to assessors that you either haven't identified your gaps or aren't tracking remediation; both are red flags.
There is no defined limit on the number of POA&M items. However, CMMC Level 2 assessments allow a conditional CMMC certification if you have no more than 20% of practices (up to 22 practices) with findings, and all findings are addressed within 180 days. Practices related to multi-factor authentication (MFA) and encryption cannot be on a POA&M; they must be implemented before the assessment.
Yes, under the conditional certification path. A C3PAO can issue a conditional CMMC Level 2 certification if open POA&M items meet specific criteria: no more than 20% of practices are on the POA&M, no critical practices (MFA, encryption) are on the POA&M, and all items have credible remediation plans with closure dates within 180 days of assessment.
Every practice on your POA&M (meaning it is not yet implemented) counts against your SPRS score. The DoD Assessment Methodology assigns point values to each NIST 800-171 practice, a perfect score is 110, and each unimplemented practice reduces the score by its assigned weight. Your SPRS score should reflect your actual implementation status, including all open POA&M items as deductions.
At minimum, your POA&M should be reviewed and updated whenever a milestone is completed, a remediation action is finished, or a new gap is identified. Best practice is a monthly review cycle with quarterly reporting to leadership. Assessors will look at the last-updated date; a POA&M that hasn't been touched in 12 months signals that it's a compliance decoration, not a working document.
The System Security Plan (SSP) describes how your organization implements every NIST 800-171 practice, both those that are fully implemented and those that are planned or in progress. The POA&M is the companion document that specifically tracks gaps: practices that are not yet implemented, along with the actions, resources, responsible parties, and timelines required to close them. The SSP and POA&M should be cross-referenced: if your SSP marks a practice as "Planned," that practice must have a corresponding POA&M row.