The POA&M — Plan of Action and Milestones — is a required artifact for CMMC Level 2 certification. It tracks the remediation of identified control gaps with milestones and target dates. It is not a reporting form; it is a working document that the assessor uses to evaluate both the current compliance posture and the organization’s ongoing discipline in closing gaps.
The CMMC Assessment Guide does not tightly specify the format or tone of a POA&M. As a result, POA&Ms across the DIB vary widely in quality — from terse spreadsheets with three-word remediation plans to structured documents with clear root-cause analysis and realistic timelines. A well-written POA&M is a credibility-building document; a poorly written one signals a weak program.
This article is the practitioner’s guide to POA&M structure, content, and tone. It reflects what we include in the POA&Ms we maintain for clients in CMMC Level 2 engagements. For broader engagement context, see the realistic CMMC Level 2 timeline and what assessors actually look for at Level 2.
What a POA&M must include
Every POA&M entry must contain enough detail for an outside reader (primarily the C3PAO assessor) to understand:
- What is the finding? Specific control (e.g., AC.L2-3.1.5), specific gap description.
- What is the planned remediation? Concrete action, not vague intent.
- Who owns it? Named role or named individual responsible for closure.
- When will it close? Realistic target date.
- What is the current status? Not started, in progress, implementation complete, verification pending, closed.
- What is the risk exposure while the gap is open? Residual risk and any compensating controls mitigating it.
The structure below is what we recommend — it is more than the strict minimum but scales from very simple programs to complex ones.
POA&M entry structure
Each entry should contain the following fields:
| Field | Description |
|---|---|
| POA&M ID | Unique identifier (e.g., POAM-2026-0042) |
| Finding source | Internal assessment, C3PAO assessment, surveillance, continuous monitoring, customer finding |
| Control reference | Exact CMMC practice identifier (e.g., AC.L2-3.1.5) |
| Finding description | What is the gap, specifically |
| Root cause | Why does the gap exist (process gap, tooling gap, resource gap, prior decision) |
| Impact if unaddressed | What could happen if this is never closed |
| Compensating controls | What other controls mitigate the risk while this is open |
| Planned remediation | Specific action plan |
| Milestones | Intermediate checkpoints with dates |
| Target completion date | Date the remediation is expected to close |
| Owner | Named responsible role or individual |
| Current status | Not started / In progress / Implementation complete / Verification pending / Closed |
| Last updated | Date of most recent status change |
| Risk acceptance (if applicable) | Formal risk acceptance reference if the decision was to accept rather than remediate |
This level of detail is more than many organizations maintain. The reason we recommend it: the POA&M is the document the assessor reads most carefully. A detailed, well-maintained POA&M signals operational maturity. A thin POA&M signals either that the program lacks discipline or that the organization is hiding findings.
Anonymized example entries
Here are four POA&M entries that represent different finding categories. Each is anonymized; these patterns are common, and the specifics have been generalized.
Example 1: Process gap with clear remediation path
POA&M ID: POAM-2026-0017
Finding Source: Internal assessment
Control Reference: AU.L2-3.3.5 (Audit and Accountability — correlate audit records)
Finding Description: Current SIEM aggregates logs from production cloud environments
and endpoint EDR but does not correlate events across identity provider sessions
with endpoint activity. Correlation rules exist for some patterns but do not cover
the identity→endpoint→application chain that would detect lateral movement scenarios.
Root Cause: SIEM implementation completed in prior quarter; correlation rules were
scoped to single-source patterns. Cross-source correlation was deferred to a
subsequent phase of the observability program.
Impact if Unaddressed: Reduced detection capability for lateral movement and
credential abuse scenarios. Not a direct control failure — the logs are captured
and retained — but the correlation is a compensating control the Level 2 baseline
expects.
Compensating Controls: Endpoint EDR generates alerts on anomalous process
behavior independent of correlation; identity provider has anomaly detection on
authentication patterns. These alerts are reviewed by the security engineering
team daily.
Planned Remediation: Deploy cross-source correlation rules covering identity,
endpoint, and application log sources. Initial rule set targets authentication
anomaly → endpoint behavior correlation and data exfiltration patterns.
Milestones:
- Rule set design: 2026-05-15
- Initial deployment to staging: 2026-06-01
- Production deployment and tuning: 2026-07-15
- Closed with tested alert coverage: 2026-08-15
Target Completion Date: 2026-08-15
Owner: Security Engineering Lead
Current Status: In Progress (rule set design phase)
Last Updated: 2026-04-22
This entry is specific, attributable, and closable. An assessor reading it understands the gap, believes the remediation plan is feasible, and can ask concrete questions if skeptical.
Example 2: Tooling gap requiring procurement
POA&M ID: POAM-2026-0023
Finding Source: C3PAO preliminary review
Control Reference: CM.L2-3.4.8 (Configuration Management — application allowlisting)
Finding Description: Application allowlisting is implemented on Windows endpoints
via Microsoft AppLocker. macOS endpoints (approximately 30% of the fleet) do not
have equivalent application allowlisting — they have EDR with behavioral detection
but no enforcement-level application control.
Root Cause: Primary allowlisting tool selected for Windows parity; macOS
equivalent requires separate tooling which was not procured during initial
deployment.
Impact if Unaddressed: Reduced enforcement of allowed application inventory on
Mac endpoints. macOS users could execute unapproved applications if EDR
behavioral detection does not flag them.
Compensating Controls: EDR deployed on all macOS endpoints with behavioral
detection rules tuned for known-malicious patterns. MDM (JAMF) restricts
application installation to approved sources.
Planned Remediation: Procure and deploy macOS application control tooling. Three
candidate tools under evaluation; selection expected 2026-05-30. Deployment to
follow a 6-week phased rollout.
Milestones:
- Tool selection: 2026-05-30
- Procurement and licensing: 2026-06-15
- Pilot deployment on engineering team: 2026-07-15
- Full deployment: 2026-08-30
- Tuning and verification: 2026-09-30
Target Completion Date: 2026-09-30
Owner: IT Systems Lead
Current Status: Not started (tool evaluation in progress)
Last Updated: 2026-04-22
This entry identifies a gap the assessor specifically raised and shows a procurement-driven remediation path. Assessors accept procurement-driven remediations because they understand the business reality.
Example 3: Accepted risk with compensating controls
POA&M ID: POAM-2026-0041
Finding Source: Continuous monitoring
Control Reference: PS.L2-3.9.2 (Personnel Security — terminate personnel security actions)
Finding Description: Contractor offboarding process has a 72-hour window between
contractor access termination notification and actual revocation of all accesses
across downstream systems. The access control plane acts immediately; downstream
systems that synchronize from the access control plane (access reviews, approval
systems, log systems) catch up within 72 hours.
Root Cause: Sync cadence on downstream systems is on a 24-hour cycle; worst-case
propagation is 72 hours after the initial termination signal.
Impact if Unaddressed: During the sync window, the terminated contractor's
identifier is still referenced in downstream systems, creating a small risk of
confusion in access reviews and a theoretical risk of stale access if any
downstream system were compromised during the window.
Compensating Controls: Primary access control is revoked immediately — the
contractor cannot actually authenticate to systems during the sync window.
Logging captures any access attempts, and the identity provider flags any
attempt using a terminated identifier.
Planned Remediation: Decision to accept the residual risk. Downstream system
sync cadence is constrained by commercial tooling and infrastructure cost
considerations. The residual risk is low because primary access is terminated.
Risk Acceptance: RA-2026-0014 (approved by CISO 2026-04-10)
Milestones:
- Risk acceptance approved: 2026-04-10 (completed)
- Annual review of residual risk: 2027-04-10
Target Completion Date: N/A (accepted risk)
Owner: CISO
Current Status: Closed (risk accepted)
Last Updated: 2026-04-10
This entry is a risk-accepted finding. Risk acceptance is legitimate but requires explicit documentation — a decision by the named risk owner, with rationale, compensating controls, and a review date. Assessors accept risk acceptances when the documentation is rigorous.
Example 4: Incident-driven remediation
POA&M ID: POAM-2026-0058
Finding Source: Internal incident review
Control Reference: IR.L2-3.6.1 (Incident Response — incident response plan)
Finding Description: Quarterly tabletop exercise in Q1 2026 identified that the
incident response runbook for insider threat scenarios is less detailed than
external-threat runbooks. Specifically, the steps for escalation to HR and legal
during an insider threat investigation are underspecified, and the evidence
preservation procedures for internal user accounts are not defined.
Root Cause: IR plan was authored with external-threat scenarios as the primary
design case. Insider threat was covered generally but without the specific
operational detail external threats received.
Impact if Unaddressed: During a real insider threat incident, responders would
have to make decisions about HR coordination and evidence preservation under time
pressure without documented guidance. Increased risk of evidentiary integrity
issues or HR/legal conflicts.
Compensating Controls: General IR plan covers the major scenario patterns and
includes escalation paths. HR and legal have been briefed on the IR program and
are reachable at any time.
Planned Remediation: Add insider threat-specific sections to the IR plan
covering HR coordination, evidence preservation, and investigation containment.
Conduct follow-up tabletop specifically on insider threat scenario using the
updated runbook.
Milestones:
- IR plan section drafted: 2026-05-10
- Review with HR and legal: 2026-05-30
- Final IR plan update: 2026-06-15
- Tabletop exercise using new runbook: 2026-07-15
Target Completion Date: 2026-07-15
Owner: Security Engineering Lead + HR Business Partner
Current Status: In Progress (drafting phase)
Last Updated: 2026-04-22
This entry shows a finding generated by the organization’s own ongoing program — not by an assessor or external reviewer. POA&Ms that include self-identified findings signal program maturity; POA&Ms that only contain findings from external sources signal a passive program.
What assessors look for
Based on our engagements with multiple C3PAOs, assessors specifically evaluate a POA&M for:
Completeness. Every finding identified in the program — internal assessment, prior C3PAO findings, continuous monitoring, surveillance audits — is represented. A POA&M with zero entries is itself a finding; real programs have findings.
Specificity. Each entry describes a specific control gap with specific remediation. Vague entries (“improve access control procedures”) signal weak analysis.
Ownership. Each entry has a named owner. “TBD” or “IT team” without a specific role is insufficient.
Realism. Target completion dates are realistic. Entries with targets three years in the future without staged milestones are red flags. Entries with targets next week that have been open for three months are worse.
Activity. Entries show recent updates. An entry last updated six months ago that is still “In Progress” is a red flag; it either means the status is stale or the remediation has stalled.
Tone. Entries are written in operational, specific language. Legalistic or defensive language suggests the organization is hiding rather than managing.
Common POA&M mistakes
Three recurring patterns that weaken POA&Ms:
Vague remediation plans. “Implement better logging” is not a remediation plan. “Deploy cross-source correlation rules for authentication anomaly patterns, targeting production deployment in July 2026” is. Specificity signals seriousness.
Stale entries. POA&Ms that are updated only at assessment time show a program that is reactive rather than continuous. Assessors notice — they look at last-updated dates across entries.
Hiding findings. Omitting findings that the organization has identified internally, in the hope that the assessor won’t ask, is a high-risk strategy. If the assessor discovers an omitted finding, the credibility of the rest of the POA&M is compromised. It is better to include and document them honestly.
Over-long risk acceptances. Risk acceptance is legitimate, but a POA&M dominated by accepted risks suggests the organization is declining to remediate rather than genuinely evaluating risks. Three or four accepted risks in a program is reasonable; thirty is a flag.
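The entry fields above and the assessor criteria from the two preceding sections can be turned into an automated pre-assessment check over a POA&M register. The following is an added example, not code from the original article or any CMMC tooling: the `Entry` class, the six-month staleness threshold applied as 182 days, the vague-wording heuristic (`improve`, `better`) and the sample entries are all constructed here, with the samples modelled on Examples 1 and 3.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Vocabulary and thresholds follow the article's assessor criteria.
STATUSES = {"not started", "in progress", "implementation complete",
            "verification pending", "closed"}
STALE_AFTER = timedelta(days=182)      # "last updated six months ago"
WEAK_OWNERS = {"", "tbd", "it team"}   # a named role or individual is required
VAGUE_WORDS = ("improve", "better")    # assumed heuristic, not from the article
SAMPLE_TODAY = date(2026, 4, 22)       # constructed review date for the sample

@dataclass
class Entry:
    poam_id: str
    control: str
    owner: str
    status: str
    last_updated: date
    remediation: str
    target: Optional[date] = None       # None only for an accepted risk
    milestones: List[date] = field(default_factory=list)
    risk_acceptance: str = ""           # e.g. RA-2026-0014
    review_date: Optional[date] = None  # required when risk is accepted

def review(e: Entry, today: date) -> List[str]:
    """Return assessor-style flags for one entry; an empty list means clean."""
    closed, accepted = e.status.lower() == "closed", bool(e.risk_acceptance)
    far_off = e.target is not None and e.target - today > timedelta(days=365)
    checks = [
        (e.status.lower() not in STATUSES, "unknown status value"),
        (e.owner.strip().lower() in WEAK_OWNERS, "owner is not a named role or person"),
        (not closed and today - e.last_updated > STALE_AFTER, "stale: no update in six months"),
        (any(w in e.remediation.lower() for w in VAGUE_WORDS), "vague remediation plan"),
        (accepted and e.review_date is None, "risk acceptance without a review date"),
        (not accepted and e.target is None, "no target date and no risk acceptance"),
        (far_off and not e.milestones, "distant target without staged milestones"),
        (e.target is not None and e.target < today and not closed, "target date passed"),
    ]
    return [msg for hit, msg in checks if hit]
def sample_entries() -> List[Entry]:
    """Constructed entries: two modelled on the article's examples, one weak."""
    return [Entry("POAM-2026-0017", "AU.L2-3.3.5", "Security Engineering Lead",
                  "In Progress", date(2026, 4, 22), "Deploy cross-source correlation rules",
                  date(2026, 8, 15), [date(2026, 5, 15), date(2026, 6, 1)]),
            Entry("POAM-2026-0041", "PS.L2-3.9.2", "CISO", "Closed", date(2026, 4, 10),
                  "Accept residual risk", risk_acceptance="RA-2026-0014",
                  review_date=date(2027, 4, 10)),
            Entry("POAM-2026-0099", "AU.L2-3.3.1", "IT team", "In Progress",
                  date(2025, 9, 1), "Improve logging", date(2029, 1, 1))]
```

Running `review(e, SAMPLE_TODAY)` over `sample_entries()` returns no flags for the two well-formed entries and four flags (weak owner, stale, vague plan, distant target without milestones) for the third.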
POA&M lifecycle
A POA&M is a living document. The lifecycle:
- Finding identification. Gap identified through internal assessment, C3PAO review, incident, continuous monitoring, or customer finding. Entry created.
- Analysis. Root cause determined, impact assessed, remediation scoped. Entry detailed.
- Planning. Milestones defined, owner assigned, target date set.
- Remediation. Work performed. Status updated as milestones close.
- Verification. Implementation verified — testing, observation, evidence capture.
- Closure. Entry marked closed with closure evidence referenced.
Some entries follow an alternate path — risk acceptance instead of remediation. Risk acceptance has its own lifecycle: rationale documented, approval obtained, compensating controls specified, review date set.
When to engage
For organizations approaching their first CMMC Level 2 assessment, outside advisory helps most with the initial POA&M structure and with the remediation planning for the larger findings. Our CMMC practice builds POA&M structure into every engagement from the beginning: findings surface during implementation, remediation is planned continuously, and the POA&M enters the C3PAO assessment as a mature document rather than an assessment-week scramble.
Related reading: CMMC Level 2 timeline: 6 to 9 months breakdown · What assessors actually look for at Level 2 · CMMC self-assessment vs C3PAO