The Ultimate Guide to POAMs (Plan of Action and Milestones)
This guide breaks down what a POAM is, why you need one, how the POAM process works, what the end goal is, and what a real-world example looks like
If you're navigating cybersecurity compliance in the defense industry, especially for frameworks like CMMC (Cybersecurity Maturity Model Certification) and NIST 800-171, then understanding POAMs is critical. This guide breaks down what a POAM is, why you need one, how the POAM process works, what the end goal is, and what a real-world example looks like.
What is a POAM?
A POAM or POA&M (Plan of Action and Milestones) is a formal document that identifies and tracks gaps in CMMC compliance efforts. It lists select security requirements that are partially implemented or not implemented; with an adequate score and a POAM, organizations seeking certification can achieve “conditional CMMC status” without meeting all requirements. The POAM itself provides a detailed plan to remediate unmet requirements.
In the CMMC and NIST world, the POAM is a key component of your cybersecurity strategy. POAMs are traditionally accompanied by:
- A System Security Plan (SSP)
- A Security Assessment Report (SAR)
Together, these documents form the foundation for how your organization manages risk and achieves compliance.
Why is a POAM Needed?
A POAM is needed when your CMMC Level 2 or Level 3 assessment identifies unmet requirements, landing you in a conditional status. It is not just a checklist; it is a living roadmap for achieving and maintaining full CMMC Level 2 or Level 3 compliance. Here is why it is needed:
- Regulatory requirement: CMMC and NIST 800-171 require organizations to document and resolve deficiencies.
- Audit requirements: While you should never enter an audit knowing you do not meet all requirements, if you do, you must disclose those deficiencies.
- Realistic compliance: Not every organization starts at 100%. A POAM allows you to move forward while addressing gaps.
- Mitigation and risk management: It helps reduce security risks by tracking the resolution of vulnerabilities over time.
In the CMMC 2.0 model, conditional certification is possible even if your implementation isn't 100% complete, as long as only certain types of items are on your POAM. While in conditional status, you can be awarded contracts that require that level of compliance with up to 180 days to resolve deficiencies.
What is the POAM Process?
The POAM process involves several key steps:
1. Security Assessment: An assessment reveals deficiencies in your implementation of security controls.
2. POAM Creation: Document each gap with the following:
   - Description of the deficiency
   - Responsible party
   - Mitigation strategy
   - Estimated completion date
   - Milestones to track progress
3. Remediation: Implement fixes and update the POAM.
4. Closeout: After addressing all items, a closeout assessment verifies remediation before full CMMC certification. If the initial assessment was a self-assessment, you will perform your own closeout assessment. If your initial assessment was a C3PAO assessment, your closeout assessment will be as well.
What kind of items can appear on a POAM?
In CMMC assessments, controls are weighted differently in your score as 1-, 3-, and 5-point controls. Naturally, the higher-point controls are the most important. Only select 1-point, low-impact controls may be unmet for a temporary conditional CMMC status; those allowable items can appear on a POAM to be addressed within 180 days.
Any unmet requirement outside of those allowable items results in failure with no conditional status. This includes:
At level 2:
(A) AC.L2-3.1.20 External Connections (CUI Data).
(B) AC.L2-3.1.22 Control Public Information (CUI Data).
(C) CA.L2-3.12.4 System Security Plan.
(D) PE.L2-3.10.3 Escort Visitors (CUI Data).
(E) PE.L2-3.10.4 Physical Access Logs (CUI Data).
(F) PE.L2-3.10.5 Manage Physical Access (CUI Data).
At Level 3:
(A) IR.L3-3.6.1e Security Operations Center.
(B) IR.L3-3.6.2e Cyber Incident Response Team.
(C) RA.L3-3.11.1e Threat-Informed Risk Assessment.
(D) RA.L3-3.11.6e Supply Chain Risk Response.
(E) RA.L3-3.11.7e Supply Chain Risk Plan.
(F) RA.L3-3.11.4e Security Solution Rationale.
(G) SI.L3-3.14.3e Specialized Asset Security.
Note: You must achieve a minimum score of 80% (88/110) to qualify for a Level 2 or Level 3 conditional certification. Be aware that Level 3 scoring is slightly different from Level 2 scoring.
Conditional Status = POAM “closeout assessment”
A POA&M closeout assessment is a CMMC assessment that covers only the requirements identified as NOT MET and placed on the POA&M in the initial assessment.
The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date.
If the POA&M is not successfully closed out within that 180-day timeframe, the Conditional CMMC Status for the information system expires.
Note: You must close out your Level 2 POAM and achieve “final” status in order to initiate a Level 3 assessment.
End Goal with POAMs
The end goal of a POAM is to reach and maintain full compliance with security requirements. Under CMMC Level 2, a POAM allows you to:
- Achieve conditional certification
- Continue operating under contract
- Buy time (up to 180 days) to fix low-priority deficiencies
Ultimately, you’ll need to close all open POAM items, especially before undergoing the closeout assessment. If POAM items are not resolved and reassessed within 180 days, conditional status is lost and contractual remedies, such as termination of your contract or changes to future eligibility, can apply.
POAM Example
Let’s say your organization is missing the requirement to automatically log user activity (a one-point requirement). Here’s what your POAM entry might look like:
- Requirement ID: AU-2 (Audit Events) – use 3.1.1 and its assessment objectives
- Status: Not Implemented
- Deficiency: System currently does not automatically log user access or file access events.
- Responsible Party: IT Security Manager
- Mitigation Plan: Implement centralized logging through Microsoft Sentinel within GCC High environment.
- Milestones:
  - Research and acquire logging tools (Due: Aug 1)
  - Configure audit policies in Windows (Due: Aug 15)
  - Deploy solution across production systems (Due: Aug 30)
- Planned Completion Date: August 30, 2025
If this is your only missing requirement (and it’s eligible under CMMC rules), you could still receive conditional certification so long as your organization has a clear, actionable plan in place and executes it within 180 days.
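To make the rules in this guide concrete, here is a small POAM tracker as an added example; it is not code from the original guide or from any CMMC tool. It models the entry fields from the example above, applies the conditional-status rules from the "What kind of items can appear on a POAM?" section (1-point items only, the Level 2 requirements that can never be on a POAM, the 88/110 threshold), and tracks the 180-day closeout window. The scoring formula (110 minus the point value of each unmet requirement), the field layout, the conditional status date, the `CA.L2-3.12.4` sample gap and all dates beyond those in the guide's example are assumptions or constructed sample data.

```python
"""POAM tracker (added example): eligibility for conditional status and 180-day closeout."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110      # NIST 800-171 requirement count (from the guide)
MIN_CONDITIONAL_SCORE = 88    # 80% threshold, 88/110 (from the guide)
CLOSEOUT_WINDOW_DAYS = 180    # conditional status expires after 180 days (from the guide)

# Level 2 requirements the guide lists as never POAM-eligible.
LEVEL2_NOT_POAM_ELIGIBLE = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass
class Milestone:
    description: str
    due: date
    done: bool = False


@dataclass
class PoamItem:
    requirement_id: str
    points: int                       # 1, 3 or 5, per the CMMC scoring weights
    deficiency: str
    responsible_party: str
    mitigation_plan: str
    planned_completion: date
    milestones: list[Milestone] = field(default_factory=list)
    status: str = "Not Implemented"   # set to "Implemented" once verified closed

    def is_closed(self) -> bool:
        return self.status == "Implemented" and all(m.done for m in self.milestones)

    def overdue_milestones(self, today: date) -> list[Milestone]:
        """Milestones that are not done and whose due date has already passed."""
        return [m for m in self.milestones if not m.done and m.due < today]


def compute_score(items: list[PoamItem]) -> int:
    """Assumption: score = 110 minus the point value of every still-unmet requirement."""
    return TOTAL_REQUIREMENTS - sum(i.points for i in items if not i.is_closed())


def conditional_eligibility(items: list[PoamItem]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for Level 2 conditional status using the guide's rules."""
    reasons: list[str] = []
    for item in items:
        if item.is_closed():
            continue
        if item.requirement_id in LEVEL2_NOT_POAM_ELIGIBLE:
            reasons.append(f"{item.requirement_id} may never be placed on a POAM")
        elif item.points != 1:
            reasons.append(f"{item.requirement_id} is a {item.points}-point requirement, not POAM-eligible")
    score = compute_score(items)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score}/{TOTAL_REQUIREMENTS} is below {MIN_CONDITIONAL_SCORE}")
    return (not reasons, reasons)


def closeout_deadline(conditional_status_date: date) -> date:
    """Last day on which the closeout assessment can confirm the POAM is closed."""
    return conditional_status_date + timedelta(days=CLOSEOUT_WINDOW_DAYS)


def closeout_status(items: list[PoamItem], conditional_status_date: date, today: date) -> str:
    """'closed' when every item is verified, 'expired' past the 180-day window, else 'open'."""
    if all(i.is_closed() for i in items):
        return "closed"
    return "expired" if today > closeout_deadline(conditional_status_date) else "open"


# Constructed sample: the guide's single audit-logging gap, with the guide's milestone dates.
AUDIT_GAP = PoamItem(
    requirement_id="AU-2",   # written as in the guide's example entry
    points=1,
    deficiency="System does not automatically log user access or file access events.",
    responsible_party="IT Security Manager",
    mitigation_plan="Centralized logging through Microsoft Sentinel in GCC High.",
    planned_completion=date(2025, 8, 30),
    milestones=[
        Milestone("Research and acquire logging tools", date(2025, 8, 1)),
        Milestone("Configure audit policies in Windows", date(2025, 8, 15)),
        Milestone("Deploy solution across production systems", date(2025, 8, 30)),
    ],
)
# Constructed sample: a System Security Plan gap, which the guide says can never be on a POAM.
SSP_GAP = PoamItem("CA.L2-3.12.4", 1, "No SSP on file", "CISO", "Write the SSP", date(2025, 9, 1))
CONDITIONAL_DATE = date(2025, 6, 1)   # constructed Conditional CMMC Status Date

if __name__ == "__main__":
    print("score:", compute_score([AUDIT_GAP]), "eligible:", conditional_eligibility([AUDIT_GAP]))
    print("closeout deadline:", closeout_deadline(CONDITIONAL_DATE))
    print("status on 2025-12-01:", closeout_status([AUDIT_GAP], CONDITIONAL_DATE, date(2025, 12, 1)))
    print("with SSP gap:", conditional_eligibility([AUDIT_GAP, SSP_GAP]))
```

Run as a script, the single 1-point gap scores 109/110 and is eligible, while adding the SSP gap makes the organization ineligible regardless of score; the closeout deadline for a 1 June 2025 conditional date is 28 November 2025, after which the status reports as expired.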
Final Thoughts
POAMs can be a useful tool in your compliance journey, but they are not a shortcut. The end goal is 100% implementation of all 110 controls in NIST 800-171. That’s the standard the Department of Defense expects, and it’s what assessors will measure.
While a POAM can help you gain conditional certification, it should never become a goal or a crutch. Relying too heavily on POAMs or leaving too many items open puts your business at risk, especially if you fail to close them out within the 180-day window or if they involve high-priority controls.
The only absolute path to long-term success is full, verified implementation of all requirements. If you're serious about securing contracts and protecting Controlled Unclassified Information (CUI), aim for 110 out of 110. Anything less should be the rare exception, not the plan.
Need help building your POAM or preparing for CMMC certification? Connect with a reputable MSP, MSSP, or compliance consulting partner with real, verified success stories.
