POA&M is one of those acronyms that sounds bureaucratic and turns out to be simple. It is just a to-do list for your security gaps, with owners and dates. What matters is how differently the two CMMC levels treat it, because that difference decides whether you can file with open items or not.
What a POA&M is
A Plan of Action and Milestones lists every requirement you have not fully met, and for each one: the corrective action, who owns it, and the date it will be done. It is how the government, and an assessor, can see that you know where your gaps are and have a credible plan to close them.
A POA&M is not a way to avoid work. It is a commitment with a clock on it.
Level 1: zero POA&Ms allowed
At CMMC Level 1, there is no such thing as a POA&M. All 15 safeguarding requirements must be fully met at the time you affirm. There is no conditional status and no deferral.
Level 2: the 88 rule and the 180 day clock
At CMMC Level 2, POA&Ms are allowed, but under strict rules. Level 2 is scored out of 110. You can file with conditional status if:
- Your score is 88 or better, and
- Every remaining gap is POA&M eligible, and
- Every POA&M item closes within 180 days.
Close all the items in the window and your status converts to Final. Miss the window and the conditional status lapses. The 180 day clock is real and it is why gap prioritization matters.
What can never be a POA&M
Not every gap is deferrable. Two rules constrain what you can put on a Level 2 POA&M:
- A short set of requirements can never be POA&M'd. These must be fully met before you file, regardless of your score.
- Any requirement worth 5 points cannot be POA&M'd. The highest-impact requirements are gates, not deferrals.
You can see the point value and POA&M eligibility for every requirement on the Level 2 checklist, and on each individual requirement page.
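The rules above combine into a single decision: can this assessment be filed with conditional status, and which open items block it? The checker below is added here as an illustration and is not a CMMC or DoD tool; the requirement identifiers (REQ-01 and so on), owners, dates and the never-POA&M flags are constructed placeholders, and it assumes each requirement carries a fixed point weight that is subtracted from 110 when the requirement is not met.

```python
"""Conditional-status eligibility check for a CMMC Level 2 self-assessment.

Added illustration, not code from any CMMC or DoD tool. Requirement IDs,
point weights and never-POA&M flags below are constructed placeholders and
do not state which real requirements carry which weight.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110          # Level 2 is scored out of 110
CONDITIONAL_FLOOR = 88   # minimum score to file with conditional status
POAM_WINDOW_DAYS = 180   # every POA&M item must close within this window


@dataclass(frozen=True)
class Requirement:
    req_id: str
    points: int               # assumed weight subtracted from 110 when not met
    never_poam: bool = False  # on the short list that can never be deferred


@dataclass
class OpenItem:
    requirement: Requirement
    owner: str
    target_close: date


@dataclass
class Verdict:
    score: int
    eligible: bool
    reasons: list[str] = field(default_factory=list)


def score_from_gaps(open_items: list[OpenItem]) -> int:
    """Score is 110 minus the weight of every requirement not fully met."""
    return MAX_SCORE - sum(i.requirement.points for i in open_items)


def is_poam_eligible(req: Requirement) -> bool:
    """Deferrable only if not on the never list and not worth 5 points."""
    return not req.never_poam and req.points != 5


def check_conditional_status(open_items: list[OpenItem], assessment_date: date) -> Verdict:
    """Apply the three Level 2 conditions and report every blocker found."""
    score = score_from_gaps(open_items)
    reasons: list[str] = []
    if score < CONDITIONAL_FLOOR:
        reasons.append(f"score {score} is below the {CONDITIONAL_FLOOR} floor")
    deadline = assessment_date + timedelta(days=POAM_WINDOW_DAYS)
    for item in open_items:
        req = item.requirement
        if not is_poam_eligible(req):
            reasons.append(f"{req.req_id} ({req.points} pts) cannot be placed on a POA&M")
        if item.target_close > deadline:
            reasons.append(f"{req.req_id} closes {item.target_close}, after the deadline {deadline}")
    return Verdict(score=score, eligible=not reasons, reasons=reasons)


def sample_assessments() -> dict[str, Verdict]:
    """Constructed scenarios: one clean filing and one failure per rule."""
    day0 = date(2025, 1, 15)  # constructed assessment date
    r1 = Requirement("REQ-01", 1)
    r3 = Requirement("REQ-02", 3)
    r5 = Requirement("REQ-03", 5)                    # 5-point gate
    rn = Requirement("REQ-04", 1, never_poam=True)   # on the never list
    clean = [
        OpenItem(r1, "IT lead", day0 + timedelta(days=90)),
        OpenItem(r3, "Security lead", day0 + timedelta(days=150)),
    ]
    return {
        "clean": check_conditional_status(clean, day0),
        "five_point_gap": check_conditional_status(
            clean + [OpenItem(r5, "CISO", day0 + timedelta(days=30))], day0),
        "never_list_gap": check_conditional_status(
            clean + [OpenItem(rn, "CISO", day0 + timedelta(days=30))], day0),
        "late_close": check_conditional_status(
            [OpenItem(r1, "IT lead", day0 + timedelta(days=200))], day0),
        # eight 3-point gaps: 110 - 24 = 86, under the 88 floor
        "low_score": check_conditional_status(
            [OpenItem(Requirement(f"REQ-1{i}", 3), "IT lead", day0 + timedelta(days=60))
             for i in range(8)], day0),
    }


if __name__ == "__main__":
    for name, verdict in sample_assessments().items():
        status = "CONDITIONAL OK" if verdict.eligible else "NOT ELIGIBLE"
        print(f"{name:15} score={verdict.score:3} {status}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

Run it and each scenario prints its score and the rule it trips. In practice the same check is worth re-running as target dates slip, since an item that drifts past day 180 takes the whole conditional status with it.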
POA&M vs SSP
People mix these up constantly. They are two different documents that work together.
| | SSP | POA&M |
|---|---|---|
| Answers | How you meet each requirement now | How you will close the ones you do not |
| State | Current | Future, with deadlines |
| Required? | Yes, always | When any requirement is open |
Learn more about the System Security Plan, the document a POA&M attaches to.
Frequently asked questions
What is a POA&M?
A POA&M, Plan of Action and Milestones, is a formal document that lists each security requirement a contractor has not yet met, the steps to fix it, who owns the work, and the date it will be complete. In CMMC it is how open gaps are tracked and closed under a deadline, and it is a required artifact when any requirement is not fully met.
Does CMMC Level 1 allow POA&Ms?
No. CMMC Level 1 does not allow POA&Ms or conditional status. All 15 safeguarding requirements must be fully met. A single requirement not met makes the whole Level 1 self assessment not met, with no option to defer it to a later date.
How do POA&Ms work at CMMC Level 2?
At Level 2 you can file with conditional status if your score is 88 or better out of 110 and every remaining gap is POA&M eligible. Each POA&M item must be closed within 180 days, after which the status converts to Final. A short set of requirements can never be placed on a POA&M, and any requirement worth 5 points cannot be either.
What is the difference between a POA&M and an SSP?
The System Security Plan (SSP) describes how you meet each requirement today. The POA&M describes how you will close the requirements you do not yet meet, with owners and deadlines. The SSP is the current state, the POA&M is the plan to fix the gaps. An assessment expects both.
How long do I have to close a POA&M?
180 days. At CMMC Level 2, every open POA&M item from a conditional assessment must be closed and verified within 180 days. Miss that window and the conditional status lapses. That deadline is why scoping and prioritizing your gaps up front matters so much.