CMMC POAMs: Guidelines and Limitations
What’s New (Updated POA&M Eligibility and Limits)
This blog has been updated to reflect the CMMC Final Rule (32 CFR Part 170), enforceable as of November 10, 2025. POA&Ms are now permitted only under specific, limited conditions for Level 2 and Level 3 requirements, with strict eligibility rules and a 180-day closeout window. All references to POA&Ms being broadly available or part of a future compliance process have been updated to reflect current enforcement.
Understanding CMMC Requirements in Today’s Compliance Environment
Whether you are learning about Cybersecurity Maturity Model Certification (CMMC) or have already started a System Security Plan (SSP) and self-assessment, you may be concerned that your organization does not currently meet all 110 required National Institute of Standards and Technology Special Publication (NIST SP) 800-171 controls.
While a Plan of Action and Milestones (POA&M or POAM) can help bridge the gap in the interim, there are some caveats worth keeping in mind. In this post, we’ll outline how a CMMC POAM fits into the other steps you must take on the journey to a CMMC-compliant status and share POA&M limitations and guidelines.
If you are unfamiliar with many of the preceding acronyms, please read these two posts, which give an overview of CMMC and NIST SP 800-171. Although POA&Ms provide limited, time-bound remediation opportunities under the Final Rule, you must still create an SSP and satisfy the majority of the NIST SP 800-171 controls before beginning the formal certification process, so a foundational understanding of CMMC and NIST SP 800-171 is essential.
What Is a POA&M in CMMC Compliance?
A POA&M is a document that identifies tasks an organization must accomplish to resolve security weaknesses. This document details the resources required to accomplish elements of the plan, any milestones for meeting the tasks, and scheduled completion dates, among other information.
Previously, the Department of Defense (DoD) did not allow organizations to use a Plan of Action and Milestones during the CMMC compliance process. Under CMMC 2.0 and the Final Rule, contractors that meet strict eligibility criteria and already satisfy most of the NIST SP 800-171 controls may use time-limited POA&Ms for certain non-critical controls while working toward full CMMC compliance at Level 2 or Level 3. This contingency ensures organizations have time to implement CMMC 2.0 requirements and correct cybersecurity vulnerabilities without losing valuable contracts.
How POA&Ms Impact the CMMC 2.0 Assessment Process
First, determine which CMMC 2.0 maturity level applies to your organization. The DoD only allows POA&Ms for CMMC levels 2 and 3.
Your organization will begin preparing for a CMMC 2.0 assessment by:
- Performing a gap analysis against the 110 NIST SP 800-171 controls.
- Developing an SSP that documents your current cybersecurity posture.
- Completing a self-assessment and reporting the score to the Supplier Performance Risk System (SPRS).
Self-assessment scores range from -203 to 110, and a minimum SPRS score of 88 is required to be eligible for a Conditional Level 2 assessment under the Final Rule.
CMMC POAM Requirements and Limitations
Beginning the formal CMMC assessment process with a CMMC Third-Party Assessor Organization (C3PAO) requires a SPRS score of at least 88. Each NIST SP 800-171 control is worth 1, 3, or 5 points, and POA&Ms are only allowed for 1-point controls, excluding the following 1-point CMMC CUI controls for CMMC level 2:
- AC.L2-3.1.20 – External Connections (CUI Data)
  - Verify and control/limit connection to and use of external systems.
- AC.L2-3.1.22 – Control Public Information (CUI Data)
  - Control CUI posted or processed on publicly accessible systems.
- PE.L2-3.10.3 – Escort Visitors (CUI Data)
  - Escort visitors and monitor visitor activity.
- PE.L2-3.10.4 – Physical Access Logs (CUI Data)
  - Maintain audit logs of physical access.
- PE.L2-3.10.5 – Manage Physical Access (CUI Data)
  - Control and manage physical access devices.
One 5-point control, SC.L2-3.13.11, may also be placed on a POA&M if it is partially met (encryption is employed but is not Federal Information Processing Standard (FIPS) validated); in that case it reduces the SPRS score by 3 points instead of 5.
For reference, these POA&M guidelines are defined in the CMMC Final Rule: Section 170.21 on POA&Ms. View additional POA&M control exemptions for CMMC maturity level 3 in the linked section. POA&Ms are not permitted for CMMC maturity level 1 controls.
What a CMMC POA&M Must Include
Each POA&M you open must contain the following information necessary for review and approval by a third-party assessor or for a self-assessment submission:
- The relevant control
- The responsible party
- Planned actions to meet the control
- Start and completion dates
- Milestones to meet and interim completion dates
- The actual actions taken
- Status (ongoing or complete)
Closing Out a POA&M
Your organization must resolve identified vulnerabilities and close out the POA&M within 180 days of receiving a Conditional Level 2 certification, as required by the Final Rule.
If the POA&M was created during an annual self-assessment, your organization will perform the closeout assessment. If it was identified by a C3PAO or certified CMMC assessor during a triennial assessment, the third party will perform the closeout assessment, which may require an additional on-site visit.
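As an added example (not code from the original post or from Exostar), the following Python encodes the Level 2 rules described in the requirements and closeout sections above: 1/3/5-point deductions from the 110 maximum, POA&M eligibility only for 1-point controls outside the excluded list, the 3-point partial credit for SC.L2-3.13.11, the 88-point threshold for a Conditional Level 2 assessment, and the 180-day closeout deadline. Control weights other than those the post states are supplied by the caller, and the sample gap list with its EXAMPLE-* identifiers is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SPRS_MAX = 110            # all 110 controls met
CONDITIONAL_MIN_SCORE = 88  # minimum SPRS score for a Conditional Level 2 assessment
CLOSEOUT_DAYS = 180       # POA&M closeout window after Conditional certification

# 1-point Level 2 controls the Final Rule never allows on a POA&M (from the post).
POAM_EXCLUDED_1PT = {"AC.L2-3.1.20", "AC.L2-3.1.22",
                     "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
# 5-point control that earns partial credit (3-point deduction) when encryption
# is in place but not FIPS validated.
FIPS_CONTROL = "SC.L2-3.13.11"


@dataclass(frozen=True)
class Gap:
    control: str
    weight: int            # 1, 3 or 5; taken from the assessment methodology by the caller
    partial_fips: bool = False  # only meaningful for SC.L2-3.13.11


def deduction(gap: Gap) -> int:
    """Points subtracted from 110 for one unmet (or partially met) control."""
    if gap.weight not in (1, 3, 5):
        raise ValueError(f"{gap.control}: weight must be 1, 3 or 5")
    if gap.control == FIPS_CONTROL and gap.partial_fips:
        return 3
    return gap.weight


def poam_eligible(gap: Gap) -> bool:
    """True if the gap may be carried on a POA&M instead of fixed before assessment."""
    if gap.control == FIPS_CONTROL and gap.partial_fips:
        return True
    return gap.weight == 1 and gap.control not in POAM_EXCLUDED_1PT


def sprs_score(gaps) -> int:
    return SPRS_MAX - sum(deduction(g) for g in gaps)


def assess(gaps, conditional_cert_date: date) -> dict:
    """Score the gaps and split them into POA&M items and must-fix blockers."""
    score = sprs_score(gaps)
    blockers = sorted(g.control for g in gaps if not poam_eligible(g))
    return {
        "score": score,
        "conditional_eligible": score >= CONDITIONAL_MIN_SCORE and not blockers,
        "poam_items": sorted(g.control for g in gaps if poam_eligible(g)),
        "must_fix_before_assessment": blockers,
        "poam_closeout_by": conditional_cert_date + timedelta(days=CLOSEOUT_DAYS),
    }


# Constructed sample: EXAMPLE-* identifiers and their weights are placeholders.
SAMPLE_GAPS = [Gap(FIPS_CONTROL, 5, partial_fips=True), Gap("EXAMPLE-A", 1),
               Gap("AC.L2-3.1.22", 1)]
```

Running `assess(SAMPLE_GAPS, date(2025, 11, 10))` reports a score of 105 but no Conditional eligibility, because the excluded 1-point control AC.L2-3.1.22 must be met before the assessment even though the score clears 88.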
Example Scenario: How a Mid-Sized Supplier Uses POA&Ms
Imagine a mid-sized defense subcontractor that scores an 89 on its SPRS self-assessment. While most controls are met, the company has three open items that qualify for POA&Ms.
Using a structured tracking tool, the supplier:
- Assigns remediation tasks to IT staff
- Sets automated due dates for closure
- Uploads evidence of completed fixes
- Tracks overall progress toward compliance
By systematically addressing POA&Ms within the 180-day window, the organization not only protects its DoD contracts but also improves its long-term cybersecurity posture.
Streamline Your Compliance Journey Today
Complying with DoD standards can be a complex and time-consuming process. Exostar’s Certification Assistant™ is a cloud-based tool designed to streamline the CMMC self-assessment process in alignment with NIST SP 800-171 and CMMC. Simplify your CMMC compliance journey with a secure tool where you can:
- Complete your self-assessment
- Calculate your SPRS score
- Generate your SSP with one click
- Securely store and handle documentation
If your organization needs to create POA&Ms, Certification Assistant™ provides a user-friendly interface in which you can manage and track the entire process, including setting a due date, showing open POA&Ms, assigning them to responsible internal or external parties, displaying action items, and notifying parties of overdue tasks.
If your organization is relying on POA&Ms to close remaining gaps, now is the time to ensure they are eligible, well documented, and achievable within the Final Rule’s strict timelines. Explore tools that help defense contractors manage SSPs, SPRS scoring, and POA&M tracking in a centralized, assessment-ready environment.
Certification Assistant™ enables your organization to gather all necessary documentation for outside assessors in one secure space to readily satisfy third-party assessments.

Purchase Certification Assistant™ or request your free trial today. Exostar® endeavors to make CMMC compliance simple and affordable for prime and subcontractors—please connect with an expert to learn more.
Here’s What You Need to Do Now
To comply with the Final Rule, organizations should verify whether POA&Ms are permitted for their required CMMC level, confirm SPRS score eligibility, and identify which NIST SP 800-171 controls are excluded from POA&M use. Ensure SSPs accurately reflect current control implementation, assign ownership for POA&M remediation, and plan to close all eligible POA&Ms within the 180-day window. Preparing documentation and evidence upfront reduces the risk of failing a conditional assessment.