
POA&Ms under CMMC 2.0. A scalpel, not a parachute.

CMMC 2.0 restored the Plan of Action and Milestones to certification, but within tight guardrails. Used surgically, a POA&M shortens your path to award. Used loosely, it is how certifications get revoked.

BY R. Vasquez, Lead Compliance Surgeon · Updated 2026-02-18 · 8 min read

Contractors call us in two states. The first call: “We have a POA&M with 47 items on it and an award decision next quarter.” The second call: “We hit 110 of 110 and submitted to SPRS — can you confirm we are clear?” Both calls are misreads of how POA&Ms work under CMMC 2.0.

This article is the surgical read. What a POA&M is, what it is not, when you may use one, when you cannot, and what the assessor will demand when you do.

What a POA&M is — and is not

A Plan of Action and Milestones is a dated, owned, evidence-backed plan to close a control gap. It is a written commitment with three required elements:

  1. An identified, weighted control that is currently not fully implemented.
  2. A specified remediation activity with a target completion date.
  3. A named owner who is accountable for closure.

A POA&M is not a list of long-term improvements. It is not a backlog. It is not a tracker of features the security team would like to build. Items on a POA&M that do not fit the three-element definition above will be rejected on assessor read, and the certification path will halt.

POA&M eligibility rules

Under CMMC 2.0, only a constrained subset of controls is eligible to appear on a POA&M at certification. The constraint is driven by the SPRS weight of the control.

  • Weight 1 controls (POA&M eligible): Lower-impact controls where the absence of implementation does not undermine the protection objective. Examples include some training documentation gaps and a subset of audit-record retention details.
  • Weight 3 controls (POA&M eligible in limited cases): Moderate-impact controls. Eligibility is bounded by the overall score floor.
  • Weight 5 controls (NOT POA&M eligible): High-impact controls. These must be fully implemented at certification. Examples include FIPS-validated cryptography, multifactor authentication for privileged users, system boundary protection, and incident response reporting to DoD.

FIELD NOTE

If a partner offers to put a weight-5 control on your POA&M to “buy time,” end the engagement. The assessment will fail, and the partner who made the offer will not be the one held answerable for it.

The 88-point minimum

SPRS scoring runs from a floor of −203 to a ceiling of +110. Every unmet control subtracts its weight from the starting score of 110. The CMMC 2.0 certification minimum is a calculated SPRS score of 88. Below that, no POA&M is permitted; the contractor cannot proceed to certification on the strength of a remediation plan alone.

Practically, this means a contractor must already be implementing at least 88 of 110 control points by weight, with the remaining gap concentrated in POA&M-eligible controls. The 88-point minimum is the gate before the POA&M discussion can occur.
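The arithmetic above, carried through in code. This is an added example, not part of the original article: the rules it encodes (start at 110, subtract each unmet control's weight, floor of −203, certification minimum of 88, weight-5 controls never carried on a POA&M) are taken from the text, while the control numbers and weights in the sample gap lists are constructed placeholders rather than the official DoD Assessment Methodology values. Because the article does not spell out the narrower limits on weight-3 controls, the model treats weight-1 and weight-3 gaps as eligible subject only to the 88-point gate.

```python
# Added example (not from the article): SPRS scoring and the certification
# gate as the article states them. Control identifiers and weights in the
# samples are constructed for illustration, not official methodology values.
from dataclasses import dataclass

START_SCORE = 110           # every control implemented
FLOOR_SCORE = -203          # every control unmet (total weight 313)
CERTIFICATION_MINIMUM = 88  # below this, no POA&M is permitted
POAM_INELIGIBLE_WEIGHT = 5  # weight-5 controls must be implemented at certification


@dataclass(frozen=True)
class Gap:
    """A control that is not yet fully implemented."""
    control_id: str  # 800-171 control number, e.g. "3.5.3" (placeholders in the samples)
    weight: int      # SPRS weight: 1, 3 or 5


def sprs_score(gaps):
    """Calculated SPRS score: 110 minus the weight of every unmet control,
    never lower than the -203 floor."""
    return max(START_SCORE - sum(g.weight for g in gaps), FLOOR_SCORE)


def certification_gate(gaps):
    """Apply the two gates the article describes.

    Returns (ok, reasons). ok is True only when the score meets the 88
    minimum AND no weight-5 control remains open. Weight-1 and weight-3
    gaps are treated as POA&M-eligible subject to the score gate; the
    article does not give the narrower weight-3 limits, so they are not
    modelled here (simplifying assumption).
    """
    reasons = []
    score = sprs_score(gaps)
    if score < CERTIFICATION_MINIMUM:
        reasons.append(
            f"score {score} is below the {CERTIFICATION_MINIMUM} minimum: "
            "no POA&M permitted, remediate before certification"
        )
    blockers = sorted(g.control_id for g in gaps if g.weight >= POAM_INELIGIBLE_WEIGHT)
    if blockers:
        reasons.append(
            "weight-5 controls cannot be carried on a POA&M: " + ", ".join(blockers)
        )
    return (not reasons, reasons)


# Constructed sample gap lists (control numbers are placeholders).
CLEAN_POAM = [Gap("3.2.2", 1), Gap("3.2.3", 1), Gap("3.3.9", 1),
              Gap("3.4.4", 3), Gap("3.11.3", 3)]                  # 9 points: score 101
WEIGHT5_ON_POAM = CLEAN_POAM + [Gap("3.13.11", 5)]                 # FIPS crypto left open
BELOW_FLOOR = [Gap(f"3.4.{n}", 3) for n in range(1, 9)]            # 24 points: score 86

if __name__ == "__main__":
    samples = [("clean", CLEAN_POAM), ("weight-5 open", WEIGHT5_ON_POAM),
               ("below 88", BELOW_FLOOR)]
    for name, gaps in samples:
        ok, reasons = certification_gate(gaps)
        print(f"{name}: score={sprs_score(gaps)} proceed={ok}")
        for reason in reasons:
            print("   -", reason)
```

The gate checks the score first because the article orders them that way: a contractor below 88 has no POA&M discussion to have, and only above that floor does the question of which controls remain open arise.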

The 180-day closure clock

Every POA&M item carried into certification must close within 180 calendar days of the certification date. Closure means the control is moved from POA&M to Implemented, with artifacts produced and reviewed. Failure to close within 180 days results in suspension of certification. Suspension halts award eligibility immediately.

We track POA&M closure inside the Annual Retainer engagement specifically for this reason. The 180-day clock arrives faster than most contractors anticipate, and the certificate value evaporates if it is missed.

Anatomy of a defensible POA&M entry

A POA&M entry that survives assessor read contains the following fields:

  1. Control identifier: The 800-171 control number (e.g., 3.5.3, 3.13.11).
  2. Assessment objective citation: The 800-171A determination statements that are not yet met.
  3. Current implementation status: What is in place today, with reference to the SSP section that documents it.
  4. Planned remediation: Specific technical and procedural actions, including the systems and stakeholders involved.
  5. Owner: Named individual, role, and reporting line. “The IT team” is not an owner.
  6. Target completion date: A specific date inside the 180-day window.
  7. Resourcing: Budget, headcount, or vendor engagement that supports the target date. Plans without resourcing fail.
  8. Verification method: How closure will be evidenced (configuration export, policy document, training record, log sample).

Each field maps to a question an assessor will ask. The POA&M is read first and read hardest. A defensible entry runs three to six lines per control, with crisp pointers to artifacts. A weak entry runs one line and fails on the first follow-up question.
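A validator for the eight fields listed above, combined with the 180-day closure clock from the earlier section. This is an added example, not part of the original article: the required fields and the checks (a named individual as owner rather than “the IT team,” a target date inside 180 calendar days of certification, resourcing and a verification method present) follow the text, while the sample entries, the owner names, the certification date and the control number used are constructed for illustration.

```python
# Added example (not from the article): a validator for the POA&M entry
# fields the article lists, plus the 180-day closure clock. Sample entries,
# owner names and dates are constructed; the control number is chosen only
# to show the 800-171 numbering format.
import re
from dataclasses import dataclass
from datetime import date, timedelta

CLOSURE_WINDOW_DAYS = 180
# Owner values that name a group rather than an accountable individual.
GROUP_OWNERS = {"the it team", "it team", "it", "security team", "tbd", ""}
# 800-171 control numbers look like 3.5.3 or 3.13.11.
CONTROL_ID = re.compile(r"^3\.\d{1,2}\.\d{1,2}$")


@dataclass
class PoamEntry:
    control_id: str        # 1. 800-171 control number
    objectives: list       # 2. 800-171A determination statements not yet met
    current_status: str    # 3. what is in place today ...
    ssp_section: str       # 3. ... and the SSP section that documents it
    remediation: str       # 4. specific technical and procedural actions
    owner_name: str        # 5. named individual ...
    owner_role: str        # 5. ... with role and reporting line
    target_date: date      # 6. inside the 180-day window
    resourcing: str        # 7. budget, headcount or vendor engagement
    verification: str      # 8. how closure will be evidenced


def closure_deadline(certification_date):
    """Last day on which every carried POA&M item must be closed."""
    return certification_date + timedelta(days=CLOSURE_WINDOW_DAYS)


def validate_entry(entry, certification_date):
    """Return (field, problem) pairs; an empty list is a defensible entry."""
    findings = []
    if not CONTROL_ID.match(entry.control_id):
        findings.append(("control_id", f"not an 800-171 control number: {entry.control_id!r}"))
    if not entry.objectives:
        findings.append(("objectives", "no 800-171A determination statement cited"))
    if not entry.current_status.strip() or not entry.ssp_section.strip():
        findings.append(("current_status", "current status must reference the SSP section"))
    if not entry.remediation.strip():
        findings.append(("remediation", "no planned remediation"))
    if entry.owner_name.strip().lower() in GROUP_OWNERS or not entry.owner_role.strip():
        findings.append(("owner", "owner must be a named individual with a role"))
    deadline = closure_deadline(certification_date)
    if entry.target_date > deadline:
        findings.append(("target_date", f"{entry.target_date} is after the closure deadline {deadline}"))
    if not entry.resourcing.strip():
        findings.append(("resourcing", "no resourcing behind the target date"))
    if not entry.verification.strip():
        findings.append(("verification", "no verification method for closure"))
    return findings


# Constructed samples; the certification date is arbitrary.
CERT_DATE = date(2026, 3, 1)

DEFENSIBLE = PoamEntry(
    control_id="3.3.1",
    objectives=["3.3.1[a]"],
    current_status="Audit logs retained 30 days; required retention not yet met",
    ssp_section="SSP section 3.3.1",
    remediation="Extend SIEM log retention and update the retention procedure",
    owner_name="J. Example",  # constructed name
    owner_role="IT Manager, reports to CIO",
    target_date=date(2026, 6, 1),
    resourcing="Storage expansion approved in FY26 budget; 2 staff-days",
    verification="SIEM retention configuration export and updated procedure document",
)

WEAK = PoamEntry(
    control_id="3.3.1",
    objectives=["3.3.1[a]"],
    current_status="Partial",
    ssp_section="SSP section 3.3.1",
    remediation="Fix logging",
    owner_name="The IT team",
    owner_role="",
    target_date=date(2026, 12, 1),
    resourcing="",
    verification="",
)

if __name__ == "__main__":
    print("closure deadline:", closure_deadline(CERT_DATE))
    for label, entry in [("defensible", DEFENSIBLE), ("weak", WEAK)]:
        findings = validate_entry(entry, CERT_DATE)
        print(f"{label}: {'passes' if not findings else 'fails'}")
        for fld, problem in findings:
            print(f"   - {fld}: {problem}")
```

Each finding corresponds to one of the assessor's follow-up questions; the weak entry fails on owner, date, resourcing and verification at once, which is the one-line entry the article warns about.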

How POA&Ms get certifications revoked

The three most common patterns we have seen in revocation conversations:

  • Weight-5 control found on a POA&M. Often the result of weight mis-tagging during gap assessment, or pressure from an unqualified consultant.
  • 180-day clock missed without re-cert. Contractors who treat the closure window as advisory rather than binding.
  • Annual affirmation submitted with stale evidence. The senior official affirms continued implementation, but a sampled control has drifted. This is treated as a material misrepresentation.

We use the POA&M instrument deliberately and sparingly. The right number of POA&M items at certification is typically between zero and seven. Over that count, the engagement is better served by extending Remediation Surge before certification rather than carrying the risk into a 180-day window.
