
POA&M Management for CMMC: The Complete Guide

Not every control will be fully implemented on day one. A Plan of Action and Milestones tracks what needs fixing, by when, and at what cost.

What Is a POA&M?

A POA&M (Plan of Action and Milestones) is a formal document that tracks identified cybersecurity weaknesses and your remediation plan. Required by CA.L2-3.12.2, it's not just a nice-to-have — it's a core compliance artifact that assessors review during your CMMC assessment.

Every POA&M entry links a specific gap to the NIST 800-171r2 requirement it violates, documents a remediation plan with milestones, assigns responsible parties, and estimates the cost and timeline to fix. Think of it as your organization's security improvement roadmap.

POA&M in the CMMC Assessment

During a C3PAO assessment, not every control needs to be fully MET to receive certification. A limited number of controls can be placed on a POA&M, resulting in a conditional certification. However, there are strict rules:

  • 180-day remediation window — all POA&M items must be closed within 180 days of conditional certification. No extensions.
  • Not all controls are POA&M-eligible — certain high-priority practices must be fully implemented before assessment. These cannot be deferred.
  • Limited count — only a restricted number of controls can be on a POA&M. Exceeding this threshold means you don't qualify for conditional certification.

If your POA&M items aren't remediated within 180 days, your conditional certification may be revoked. You would then need to schedule and pay for a full reassessment. Take the 180-day window seriously; it's a hard deadline.

Anatomy of a POA&M Entry

An effective POA&M entry contains these essential fields:

Weakness / Gap

The specific control deficiency, linked to the NIST 800-171r2 requirement ID (e.g., AC.L2-3.1.1). Be specific about what's missing.

Priority Level

Critical, High, Medium, or Low — based on the risk the gap poses to CUI protection. Higher priority items should be remediated first.

Milestones

Discrete, measurable steps to remediation. Each milestone has a target date and responsible party. "Implement MFA on VPN by June 15" — not "improve access controls."

Due Date & Cost Estimate

Target completion date (within the 180-day window) and estimated budget for remediation — including tools, labor, and any third-party services.

Status

Open, In Progress, or Closed. The lifecycle tracks progression from identification through remediation to verification and closure.

Comments & History

Audit trail of updates, decisions, and progress notes. Assessors look for evidence of active management — not a document that was created and forgotten.

How Bedrock CMMC Handles POA&Ms

Bedrock CMMC's POA&M tracker includes all of these fields built in. Each entry is linked to the specific NIST 800-171r2 requirement, with milestone tracking, cost estimation, priority levels, assignee management, and a full comment history. Closing a POA&M item automatically updates your SPRS score and compliance dashboard.


Creating an Effective POA&M

1. Identify gaps from your self-assessment
   Work through all 110 controls and document every NOT MET finding. Your self-assessment is the foundation of your POA&M.

2. Link each gap to the specific requirement
   Every POA&M entry should reference the exact NIST 800-171r2 requirement ID. "MFA not implemented for remote access" links to IA.L2-3.5.3.

3. Set specific, measurable milestones
   Break each remediation into discrete steps with dates. "Evaluate MFA solutions by April 1 → Deploy to VPN by April 15 → Enable for all remote users by May 1."

4. Assign owners and estimate costs
   Every item needs a responsible person and a budget estimate. Without ownership, items don't get done. Without budget, remediation stalls at procurement.

5. Prioritize by risk
   Address gaps that expose the most CUI first. Critical and High priority items should have the earliest milestones.

6. Review and update regularly
   A POA&M is a living document. Review progress at least monthly as part of your continuous monitoring program. Update statuses, add comments, and adjust timelines as needed.

POA&M Lifecycle

Each POA&M item follows a clear lifecycle from identification through closure:

Open → In Progress → Closed

Closed items can be reopened if a subsequent review or assessment reveals the remediation was incomplete. The POA&M maintains a full history of status changes, comments, and closure evidence.

In Bedrock CMMC, closing a POA&M item automatically updates your SPRS score and compliance dashboard. The full lifecycle — open, in progress, closed, and reopen — is tracked with timestamps and audit trails.
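The entry fields, the six-step procedure, the lifecycle above and the SPRS deduction described in the FAQ below, modelled as one small script. This is an added example, not Bedrock CMMC's code or the page's own. The weights table is a constructed sample (the real 1/3/5 values come from the DoD Assessment Methodology), the NOT_POAM_ELIGIBLE set is a placeholder because the page names no specific controls, the item cap is supplied by the caller because the page gives no number, and the dates, owners and costs in build_sample_plan are constructed demo data.

```python
"""POA&M tracker for the entry fields, lifecycle and scoring this page describes.
Added example, not Bedrock CMMC's code; weights and the ineligible set are placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta

REMEDIATION_WINDOW = timedelta(days=180)        # conditional certification window
MAX_SCORE = 110                                 # every Level 2 requirement MET
# Constructed sample weights; the real 1/3/5 values are in the DoD Assessment Methodology.
WEIGHTS = {"AC.L2-3.1.1": 5, "IA.L2-3.5.3": 5, "AU.L2-3.3.1": 5, "CA.L2-3.12.2": 1}
# Assumption: the page says some practices cannot be deferred but does not list them.
# Fill this from the CMMC program rule; the entry here is only a placeholder for the demo.
NOT_POAM_ELIGIBLE = {"AC.L2-3.1.1"}
# Lifecycle from the page: Open -> In Progress -> Closed, with reopen allowed.
TRANSITIONS = {"Open": {"In Progress"}, "In Progress": {"Closed"}, "Closed": {"Open"}}


@dataclass
class Milestone:
    description: str
    target: date
    owner: str


@dataclass
class PoamItem:
    requirement: str               # NIST 800-171r2 requirement ID
    weakness: str                  # what specifically is missing
    priority: str                  # Critical / High / Medium / Low
    owner: str
    cost_estimate: float           # tools + labour + third-party services
    due: date                      # must fall inside the 180-day window
    milestones: list = field(default_factory=list)
    status: str = "Open"
    history: list = field(default_factory=list)   # (when, from, to, note) audit trail

    def transition(self, new_status: str, note: str, when: date) -> None:
        """Move through the lifecycle and record the change in the audit trail."""
        if new_status not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"{self.requirement}: {self.status} -> {new_status} not allowed")
        self.history.append((when, self.status, new_status, note))
        self.status = new_status


def validate_item(item: PoamItem, cert_date: date) -> list:
    """Problems an assessor would flag; an empty list means the entry is complete."""
    problems = []
    if item.requirement not in WEIGHTS:
        problems.append("unknown requirement ID")
    if item.requirement in NOT_POAM_ELIGIBLE:
        problems.append("not POA&M-eligible; must be MET before assessment")
    if not item.owner:
        problems.append("no responsible party")
    if item.cost_estimate <= 0:
        problems.append("no cost estimate")
    if item.due > cert_date + REMEDIATION_WINDOW:
        problems.append("due date falls outside the 180-day window")
    if not item.milestones:
        problems.append("no milestones")
    for m in item.milestones:
        if m.target > item.due:
            problems.append(f"milestone '{m.description}' dated after the item due date")
        if not m.owner:
            problems.append(f"milestone '{m.description}' has no owner")
    return problems


def validate_plan(items: list, cert_date: date, item_cap: int) -> dict:
    """Per-item problems keyed by requirement, plus '_plan' if more controls are deferred
    than item_cap allows (the page gives no number, so the caller supplies it from the rule)."""
    report = {i.requirement: validate_item(i, cert_date) for i in items}
    deferred = sum(1 for i in items if i.status != "Closed")
    if deferred > item_cap:
        report["_plan"] = [f"{deferred} deferred controls exceed the cap of {item_cap}"]
    return report


def sprs_score(items: list) -> int:
    """110 minus the weight of each requirement still NOT MET. Assumes the POA&M holds
    every NOT MET finding (step 1), so anything not Closed is NOT MET; one deduction per ID."""
    not_met = {i.requirement for i in items if i.status != "Closed"}
    return MAX_SCORE - sum(WEIGHTS[r] for r in not_met)


def build_sample_plan():
    """Constructed demo data: conditional certification dated 2025-03-01."""
    cert, lead = date(2025, 3, 1), "IT lead"
    mfa = PoamItem("IA.L2-3.5.3", "MFA not implemented for remote access", "Critical", lead,
                   12000, date(2025, 5, 1),
                   [Milestone("Evaluate MFA solutions", date(2025, 4, 1), lead),
                    Milestone("Deploy to VPN", date(2025, 4, 15), lead),
                    Milestone("Enable for all remote users", date(2025, 5, 1), lead)])
    logs = PoamItem("AU.L2-3.3.1", "No central audit log retention", "High", "SecOps", 8000,
                    date(2025, 10, 1),                        # lands past the 180-day window
                    [Milestone("Improve logging", date(2025, 9, 1), "")])   # vague, no owner
    access = PoamItem("AC.L2-3.1.1", "No access authorisation process", "Critical", "", 0,
                      date(2025, 6, 1), [Milestone("Write access policy", date(2025, 5, 1), lead)])
    review = PoamItem("CA.L2-3.12.2", "POA&M reviews not scheduled", "Low", "Compliance", 500,
                      date(2025, 4, 1),
                      [Milestone("Put monthly POA&M review on the calendar", date(2025, 3, 15),
                                 "Compliance")])
    return cert, [mfa, logs, access, review]
```

Run `validate_plan(items, cert, item_cap=N)` on the sample plan and the MFA and POA&M-review entries come back clean, the logging entry is flagged for a due date past the window and an ownerless milestone, and the access-control entry is flagged as ineligible with no owner and no cost. `sprs_score` drops from 110 by the weight of every open requirement and climbs back as items are moved to Closed through `transition`, which also refuses out-of-order moves such as Open straight to Closed.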

Common POA&M Mistakes

Vague milestones

"Improve access controls" is not a milestone. "Implement MFA on VPN for all remote users by June 15" is. Assessors want to see specific, measurable remediation steps.

Missing the 180-day deadline

The conditional certification window is non-negotiable. Organizations that don't start remediation immediately after assessment often run out of time.

Creating and forgetting

A POA&M that isn't actively updated signals to assessors that your security program isn't mature. Review progress monthly and document updates.

Putting ineligible practices on the POA&M

Certain high-priority controls cannot be deferred. Attempting to POA&M them will result in assessment failure, not conditional certification.

Not budgeting for remediation

POA&M items often require tool purchases, professional services, or infrastructure changes. Without budget approval, milestones slip.

Frequently Asked Questions

What is a POA&M in CMMC?

A Plan of Action and Milestones (POA&M) is a formal document that tracks identified cybersecurity weaknesses and your plan to remediate them. Required by CA.L2-3.12.2, it links each gap to a specific NIST 800-171r2 requirement, sets milestones with target dates, assigns responsible parties, and estimates remediation costs.

How long do I have to close POA&M items after a CMMC assessment?

You have 180 days from the date of conditional certification to close all POA&M items. This is a hard deadline with no extensions. If items remain open after 180 days, your conditional certification may be revoked and you would need a full reassessment.

Can all CMMC controls go on a POA&M?

No. Certain high-priority practices are not POA&M-eligible and must be fully implemented before assessment. These typically include controls related to access management, incident response capability, and multi-factor authentication. Eligibility is set by the CMMC program rule rather than decided by your assessor, so check each NOT MET control against the rule before you plan to defer it.

How does a POA&M affect my SPRS score?

Open POA&M items mean those controls are NOT MET, which reduces your SPRS score by the weighted value of each control (1, 3, or 5 points). As you close POA&M items and mark controls as MET, your SPRS score increases. Bedrock CMMC updates your SPRS score automatically as POA&M items are closed.

Track Your Remediation Plan

Bedrock CMMC's POA&M tracker manages milestones, deadlines, cost estimates, and priorities — linked directly to the NIST 800-171r2 controls they remediate.