NetStable

Plan of Action & Milestones (POA&M)

A POA&M documents security gaps in your environment and tracks your plan to fix them. It's required alongside your SSP for CMMC Level 2 assessment.

Understanding POA&M

What is a Plan of Action & Milestones?

The document that tracks your security gaps and remediation timeline

A Plan of Action & Milestones (POA&M) is a document that identifies security weaknesses in your environment and outlines the specific steps, responsible parties, and timelines for remediation. Think of it as a project plan for fixing your compliance gaps.

Under CMMC 2.0, a POA&M is acceptable for controls that are not yet fully implemented at the time of assessment. However, there are strict rules: POA&M items must have a maximum 180-day remediation timeline, and certain critical controls cannot be on a POA&M at all.

The POA&M is a living document — you should update it regularly as you remediate gaps and as new gaps are discovered through audits, vulnerability scans, and incident response.

Key Limitations

  • Maximum 180 days to remediate each POA&M item
  • Certain controls are not POA&M-eligible (must be implemented before assessment)
  • Assessor will verify POA&M progress at closeout assessment

Conditional Certification

If you pass your assessment with open POA&M items, you receive a conditional certification. You have 180 days to close all POA&M items and pass a closeout assessment to achieve full certification.

Document Structure

What Goes in a POA&M?

Each POA&M entry must include these required fields

Control Reference

The specific NIST 800-171 control that is not fully implemented (e.g., AC.L2-3.1.3).

Weakness Description

Clear description of the gap — what is missing or partially implemented and why.

Risk Level

Assessment of the risk this gap poses (High, Moderate, or Low), based on likelihood and impact.

Remediation Plan

Specific steps to close the gap — tools to deploy, processes to implement, configurations to apply.

Milestone Dates

Target completion dates for each remediation step. Must be within 180 days of assessment.

Responsible Party

Name and role of the person accountable for completing the remediation. Not a team — a person.

Example

Sample POA&M Entry

Here's what a well-written POA&M entry looks like

SC.L2-3.13.11 Encrypt CUI in Transit (Level 2)

Weakness

Internal file shares between CUI processing workstations and the file server (FS01) use SMBv3 but without required encryption. Traffic is unencrypted on the internal network segment.

Risk Level

MODERATE

Target Date

March 15, 2026

Responsible

J. Smith, IT Security Manager

Remediation Plan

  1. Enable SMB encryption on file server FS01 via Group Policy (Week 1)
  2. Test client connectivity and resolve compatibility issues (Week 2)
  3. Deploy GPO to enforce encrypted SMB connections on CUI workstations (Week 3)
  4. Validate with network packet capture showing encrypted traffic (Week 4)
  5. Document evidence and update SSP narrative for SC.L2-3.13.11
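The remediation steps above, as an added PowerShell example that is not part of the NetStable page: it applies and verifies the same SMB encryption settings directly with the built-in SmbShare cmdlets rather than through Group Policy, assumes it runs on the file server (FS01 in the entry), and uses a hypothetical share name 'CUI' for the staged rollout.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the NetStable page. Run on the file server (FS01 in the
# sample entry). The page's steps deploy via Group Policy; this script applies the
# same settings directly with Set-SmbServerConfiguration / Set-SmbShare.

function Get-SmbEncryptionState {
    # Snapshot of the server-wide flags plus any non-administrative share that still
    # permits unencrypted access. Capture it before remediation (evidence of the gap)
    # and after (evidence of closure) for the SSP update in step 5.
    $cfg  = Get-SmbServerConfiguration
    $open = Get-SmbShare | Where-Object { -not $_.Special -and -not $_.EncryptData } |
            Select-Object -ExpandProperty Name
    [pscustomobject]@{
        EncryptData             = $cfg.EncryptData              # encrypt every share
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess  # refuse SMB1/SMB2 clients
        UnencryptedShares       = @($open)
    }
}

function Enable-SmbShareEncryption {
    # Step 2 staging: encrypt only the CUI shares first so client compatibility
    # problems surface on a small set of workstations. 'CUI' is a hypothetical name.
    param([string[]]$ShareName = @('CUI'))
    foreach ($name in $ShareName) {
        Set-SmbShare -Name $name -EncryptData $true -Force
    }
}

function Enable-SmbServerEncryption {
    # Steps 1/3 end state: server-wide encryption, and clients that cannot negotiate
    # SMB 3.x encryption are rejected rather than silently served in cleartext.
    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
}

function Test-SmbEncryptionEnforced {
    # Step 4 configuration check; keep the packet capture as the network-level evidence.
    # Returns $true only when the server encrypts all shares and rejects plaintext access.
    $state = Get-SmbEncryptionState
    return [bool]($state.EncryptData -and $state.RejectUnencryptedAccess)
}

# On a CUI workstation, confirm the live session to FS01 negotiated encryption:
#   Get-SmbConnection -ServerName FS01 | Select-Object ShareName, Dialect, Encrypted
```

Run Get-SmbEncryptionState once before any change and attach both outputs to the POA&M entry; a share listed under UnencryptedShares after Enable-SmbServerEncryption indicates the server-wide flag did not take effect.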

POA&M Template Coming Soon

We're building a downloadable POA&M template with pre-populated control references, risk scoring guidance, and remediation timeline examples. In the meantime, explore our control pages for implementation guidance.