Plan of Action and Milestones
Also known as: POA&M, POAM
A Plan of Action and Milestones (POA&M) is a written document that identifies security weaknesses, the corrective actions planned to address them, and the milestones for doing so. POA&Ms are permitted at CMMC Level 2 (for limited categories of controls, with closure timelines) but are NOT permitted at Level 1 — Level 1 requires full implementation before affirmation.
Related terms
- Binary Assessment
Binary assessment is the CMMC Level 1 scoring model in which each of the 15 safeguarding requirements is rated either MET or NOT MET — there is no partial credit, no point value, and no Plan of Action and Milestones (POA&M) permitted. The organization must achieve MET on all 15 requirements to be compliant.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.