Almost no small contractor walks into a CMMC Level 2 assessment with all 110 controls perfectly implemented. The DoD knows that. That's why the POA&M exists — a structured way to say "here's what I haven't finished yet, and here's exactly how and when I'll finish it."

But the POA&M is not a loophole. It comes with hard limits on what you can defer, how much you can defer, and how long you have to close it. Misunderstand those rules and you can fail an assessment you thought you were passing.

What Is a POA&M?

POA&M stands for Plan of Action and Milestones. It's a document that lists every control you haven't fully met, and for each one records:

If the SSP is the "here's how everything is implemented" document, the POA&M is the "here's what's still on my to-do list" document. The two are a matched pair — every gap admitted in the SSP should appear on the POA&M.

Can You Pass CMMC With Open POA&M Items?

Yes — conditionally, and within strict limits. CMMC Level 2 has two outcomes when you have open items:

Conditional: You scored high enough to be certified, but a limited number of controls are on a POA&M. You have 180 days to close them.
Final: All 110 controls are met (either at assessment or after closing the POA&M). This is full certification.

To qualify for Conditional status, you must hit a minimum implementation score: at least 88 of 110 (an 80% implementation score under the DoD's weighted methodology). Below that, a POA&M won't save you — you simply don't pass.

ℹ️ How scoring works: Controls aren't all worth the same. Under the DoD's NIST 800-171 scoring method, you start at 110 and subtract 1, 3, or 5 points for each unmet control depending on its security impact. That's why missing a handful of high-value controls hurts far more than missing several minor ones.

Which Controls Can't Go on a POA&M?

This is the part that trips people up. The highest-weighted controls cannot be deferred at all. They must be fully implemented when the assessor shows up. In general:

Several specific safeguards are effectively non-negotiable at assessment time, including:

⚠️ Don't plan to POA&M your way past MFA or encryption. These are the exact controls assessors expect to see working on day one. If they're not in place, no amount of documentation will earn you a Conditional certification.

The 180-Day Clock

A Conditional certification is not the finish line — it's a countdown. From the assessment date, you have 180 days to:

  1. Complete every remediation item on the POA&M, and
  2. Pass a closeout assessment where the C3PAO verifies each item is actually fixed.

Miss the window and the conditional status lapses — you no longer hold a valid Level 2 certification, which can put contract eligibility at risk. The 180 days move fast, especially if remediation requires buying tools, changing providers, or reconfiguring systems.

The smart move is to treat the POA&M as a tool for genuinely minor, in-progress items — not as a way to defer real work you haven't started.
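To make the scoring, deferral and 180-day rules above concrete, here is a small added example (not from the original page or any assessment tool) that takes the list of controls found unmet at assessment, computes the score the way the page describes (start at 110, subtract 1, 3 or 5 per unmet control), checks the 88-point floor and the rule that the highest-weight controls cannot sit on a POA&M, and derives the closeout deadline. The control identifiers and weights in the sample are constructed, and the example assumes every control not listed as a gap was fully met.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110              # all 110 controls met
CONDITIONAL_MINIMUM = 88     # floor for Conditional status
NON_DEFERRABLE_WEIGHT = 5    # highest-weight controls cannot be deferred
POAM_WINDOW_DAYS = 180       # days to close the POA&M after assessment


@dataclass
class Gap:
    """A control found NOT fully implemented at assessment time."""
    control_id: str   # constructed sample ids below, not real practice numbers
    weight: int       # 1, 3 or 5 points under the DoD scoring method


def score(gaps):
    """Start at 110 and subtract each unmet control's weight."""
    return MAX_SCORE - sum(g.weight for g in gaps)


def evaluate(gaps, assessment_date):
    """Decide Final / Conditional / Not certified and the POA&M deadline.

    Assumes every control not present in `gaps` was fully met.
    """
    total = score(gaps)
    blockers = [g.control_id for g in gaps if g.weight >= NON_DEFERRABLE_WEIGHT]
    if not gaps:
        status = "Final"
    elif total >= CONDITIONAL_MINIMUM and not blockers:
        status = "Conditional"
    else:
        status = "Not certified"
    deadline = None
    if status == "Conditional":
        deadline = assessment_date + timedelta(days=POAM_WINDOW_DAYS)
    return {
        "score": total,
        "status": status,
        "blockers": blockers,          # must be fixed before the assessor arrives
        "margin": total - CONDITIONAL_MINIMUM,  # points left before dropping below 88
        "deadline": deadline,
    }


if __name__ == "__main__":
    # Constructed sample: three 1-point gaps and one 3-point gap.
    sample = [Gap("C-01", 1), Gap("C-02", 1), Gap("C-03", 1), Gap("C-04", 3)]
    print(evaluate(sample, date(2025, 3, 1)))
```

Run it with a 5-point control added to the gap list and the status flips to "Not certified" even though the score stays well above 88, which is the trap the page warns about.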

How to Write a POA&M That Holds Up

A good POA&M entry is specific and verifiable. Compare:

Weak: "Improve logging. Target: Q3."
Strong: "Deploy centralized log collection (Microsoft Sentinel) covering all 12 endpoints and 2 servers; configure 90-day retention; owner: J. Smith; milestone 1 (deploy) Aug 15; milestone 2 (verify alerts) Aug 30."

The assessor needs to read your entry and know exactly what "done" looks like. Vague POA&M items invite findings and make your closeout assessment harder.

Know which gaps you can defer — and which you can't

CMMC Map scores all 110 controls the way the DoD does, flags the high-weight controls you must fix first, and builds your POA&M with the right milestones and dates.


The Bottom Line

The POA&M is a legitimate and expected part of CMMC — but it rewards honesty and precision, not procrastination. Hit at least 88/110, keep your high-weight controls fully implemented, write specific and dated remediation steps, and close everything inside 180 days. Do that and the POA&M works exactly as intended: a bridge from "almost ready" to fully certified.