← Custodia

POA&M Explained: What It Is and How It Works in CMMC (2026)

A Plan of Action and Milestones (POA&M) in plain English: what it is, why CMMC Level 1 allows none, how Level 2 uses the 88 rule and a 180 day closeout, and which requirements can never go on one.

By David Fuentes· Compliance Officer, CustodiaJuly 5, 20267 min read

POA&M is one of those acronyms that sounds bureaucratic and turns out to be simple. It is just a to-do list for your security gaps, with owners and dates. What matters is how differently the two CMMC levels treat it, because that difference decides whether you can file with open items or not.

What a POA&M is

A Plan of Action and Milestones lists every requirement you have not fully met, and for each one: the corrective action, who owns it, and the date it will be done. It is how the government, and an assessor, can see that you know where your gaps are and have a credible plan to close them.

A POA&M is not a way to avoid work. It is a commitment with a clock on it.

Level 1: zero POA&Ms allowed

At CMMC Level 1, there is no such thing as a POA&M. All 15 safeguarding requirements must be fully met at the time you affirm. There is no conditional status and no deferral.

Level 2: the 88 rule and the 180 day clock

At CMMC Level 2, POA&Ms are allowed, but under strict rules. Level 2 is scored out of 110. You can file with conditional status if:

  • Your score is 88 or better, and
  • Every remaining gap is POA&M eligible, and
  • Every POA&M item closes within 180 days.

Close all the items in the window and your status converts to Final. Miss the window and the conditional status lapses. The 180 day clock is real and it is why gap prioritization matters.

What can never be a POA&M

Not every gap is deferrable. Two rules constrain what you can put on a Level 2 POA&M:

  1. A short set of requirements can never be POA&M'd. These must be fully met before you file, regardless of your score.
  2. Any requirement worth 5 points cannot be POA&M'd. The highest-impact requirements are gates, not deferrals.

You can see the point value and POA&M eligibility for every requirement on the Level 2 checklist, and on each individual requirement page.

POA&M vs SSP

People mix these up constantly. They are two different documents that work together.

SSPPOA&M
AnswersHow you meet each requirement nowHow you will close the ones you do not
StateCurrentFuture, with deadlines
Required?Yes, alwaysWhen any requirement is open

Learn more about the System Security Plan, the document a POA&M attaches to.

Frequently asked questions

What is a POA&M?

A POA&M, Plan of Action and Milestones, is a formal document that lists each security requirement a contractor has not yet met, the steps to fix it, who owns the work, and the date it will be complete. In CMMC it is how open gaps are tracked and closed under a deadline, and it is a required artifact when any requirement is not fully met.

Does CMMC Level 1 allow POA&Ms?

No. CMMC Level 1 does not allow POA&Ms or conditional status. All 15 safeguarding requirements must be fully met. A single requirement not met makes the whole Level 1 self assessment not met, with no option to defer it to a later date.

How do POA&Ms work at CMMC Level 2?

At Level 2 you can file with conditional status if your score is 88 or better out of 110 and every remaining gap is POA&M eligible. Each POA&M item must be closed within 180 days, after which the status converts to Final. A short set of requirements can never be placed on a POA&M, and any requirement worth 5 points cannot be either.

What is the difference between a POA&M and an SSP?

The System Security Plan (SSP) describes how you meet each requirement today. The POA&M describes how you will close the requirements you do not yet meet, with owners and deadlines. The SSP is the current state, the POA&M is the plan to fix the gaps. An assessment expects both.

How long do I have to close a POA&M?

180 days. At CMMC Level 2, every open POA&M item from a conditional assessment must be closed and verified within 180 days. Miss that window and the conditional status lapses. That deadline is why scoping and prioritizing your gaps up front matters so much.

Keep reading
  1. CMMC Level 2
    CMMC 2.0 Explained: What Changed and What It Means (2026)

    CMMC 2.0 cut the model from five levels to three, brought back self assessment for many contractors, and is now the version phasing into DoD contracts. Here is what changed and what it means for you.

    Read →
  2. CMMC Level 1
    The Free CMMC Level 1 SSP Template (Fill-in-the-Blank), 2026

    Your SSP is the one document a prime will actually ask for. Here is the free template that gets you a defensible one in 60 minutes.

    Read →
  3. CMMC Level 1
    CUI vs FCI: What's the Difference? (With 12 Real Examples), 2026

    FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.

    Read →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)