Skip to main content
Compliance Guidance

The POA&M Process Under CMMC: What You Can — and Can't — Fix Later

A Plan of Action and Milestones sounds like a compliance escape hatch: fail a few controls, promise to fix them, get certified anyway. The actual rule is much narrower — and with CMMC Phase 2 paused and self-attestation carrying more weight than ever, knowing exactly what a POA&M can and can't cover matters more than it did a month ago.

Brandon Hancock, J.D., CMMC-RPPublished July 16, 2026Updated July 16, 20266 min read

A Plan of Action and Milestones sounds like a compliance escape hatch: fail a few controls, promise to fix them, get certified anyway. The actual rule is much narrower — and with CMMC Phase 2 paused and self-attestation carrying more weight than ever, knowing exactly what a POA&M can and can't cover matters more than it did a month ago.

The CMMC Program Rule allows a contractor who falls short on assessment day to still reach a Conditional CMMC Status — but only for a limited, defined slice of "not met" requirements, and only for a strict 180 days. The Plan of Action and Milestones, or POA&M, is not a general grace period. It's a narrow, rule-bound mechanism, and misunderstanding its limits is one of the more common — and more costly — mistakes contractors make heading into an assessment.

What a POA&M Actually Is

Under the CMMC Program Rule at 32 C.F.R. § 170.21, an Organization Seeking Assessment (OSA) that fails to meet every required security control can still achieve a Conditional CMMC Status by documenting a POA&M for select unmet requirements — provided the shortfall meets specific conditions. It is not available at all for Level 1 self-assessments: FAR 52.204-21's fifteen basic safeguards must be fully met, no exceptions, no plan-to-fix-later.

For Level 2, a POA&M is permitted only if the contractor's assessment score is at least 80% of the total possible Level 2 points, none of the unmet requirements carry a point value greater than one (with a narrow exception for unencrypted-but-employed CUI encryption), and none of the unmet requirements fall on a specific excluded list — including external connections controls, control of public information, physical access controls, and, notably, the System Security Plan itself (CA.L2-3.12.4). You cannot POA&M your way past not having a documented SSP. The same 80%-threshold structure applies at Level 3, with its own excluded list covering security operations center, incident response team, and supply-chain risk controls.

The 180-Day Clock

A POA&M is not indefinite relief. The regulation requires a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. For a Level 2 self-assessment, the OSA performs that closeout itself, the same way it performed the original self-assessment. For a Level 2 certification assessment, the closeout must be performed by the same C3PAO. For Level 3, DCMA's DIBCAC performs it. Miss the 180-day window without closing the gaps, and the Conditional status expires — there's no extension built into the rule.

Why This Matters More Right Now

The Department of War's July 2026 suspension of CMMC Phase 2 shifted enforcement, for the time being, back toward self-assessment and government-led review under NIST SP 800-171 Rev. 2 rather than mandatory third-party certification (see our coverage of the suspension). That doesn't reduce the value of understanding the POA&M rules — if anything, it raises the stakes. With fewer C3PAO assessments in the pipeline, more of the verification burden sits on the contractor's own self-assessment and SPRS affirmation. A POA&M that's built correctly, tied to real remediation work, and closed out on time is documented evidence of a good-faith compliance program. A POA&M used to paper over a control you have no real plan to fix is exactly the kind of gap DOJ's Civil Cyber-Fraud Initiative has pursued through False Claims Act settlements tied to inflated SPRS scores.

Building a POA&M That Holds Up

Treat every POA&M entry as something you may have to defend, not just document. That means a specific remediation plan with an owner and a date, evidence of progress before the 180-day closeout (not a scramble in month six), and confirmation up front that the requirement is actually POA&M-eligible under 32 C.F.R. § 170.21 — not just "not done yet." If a requirement is on the excluded list, there's no POA&M path; the control has to be implemented before you can achieve any Conditional status at all.

Key Takeaways

  • POA&Ms are narrow, not general. They're unavailable at Level 1 entirely, and at Level 2/3 they require an 80% score threshold, exclude high-value and safety-critical controls (including the System Security Plan), and cap the point value of what's eligible.
  • The 180-day closeout clock is hard. A Conditional CMMC Status expires automatically if the POA&M isn't closed by the deadline — there's no built-in extension.
  • With CMMC Phase 2 paused, self-assessment and SPRS accuracy carry more weight, not less. A properly built, honestly tracked POA&M is defensible evidence of a real compliance program; an inflated one is FCA exposure.

Check which framework and level actually apply to your contracts with Find My Requirements, work through the control-by-control detail on Frameworks, and use our compliance checklists and program-building guide to structure remediation before assessment day, not after.

---

This article is educational information about federal procurement and cybersecurity requirements. It is not legal advice, and it does not create an attorney-client relationship.

Primary source: 32 C.F.R. § 170.21, Plan of Action and Milestones requirements, CMMC Program Rule (eCFR).

Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

Was this post helpful?