What a POA&M is.

The Plan of Action and Milestones — usually shortened to POA&M, pronounced "poam" — is the second of CMMC's required documents. Where the System Security Plan (SSP) describes your current state, the POA&M tracks the gaps and your plan to close them.

Each item in a POA&M corresponds to a specific NIST 800-171 control that isn't yet fully implemented. The item documents what's missing, how you'll fix it, who's responsible, and when it'll be done. Together, those items form a credible roadmap from your current state to full compliance.

A common misconception: the POA&M is for catastrophic gaps only. It isn't. It's for any control where you haven't met the full requirement, regardless of severity. A control where you've implemented 80% of what's required still belongs on the POA&M, with the remaining 20% as the planned action.

What changed under CMMC 2.0

Under the original CMMC 1.0, contractors had to be fully compliant at certification — no POA&M items allowed at the time of assessment. CMMC 2.0 permits POA&Ms for select controls at certification, with closure required within 180 days. This is a significant practical concession that makes initial certification more achievable.

Anatomy of a POA&M item.

Each line in your POA&M is a distinct gap with a plan attached. The fields below are the standard ones DoD expects to see, drawn from the DIBCAC self-assessment template.

Sample POA&M items (3 open, last updated 2 days ago)

Control       | Gap description                                                                                                  | Priority | Owner         | Target
CM.L2-3.4.9   | User-installed software not technically restricted on macOS endpoints. Will deploy app allowlist via Intune.     | High     | M. Chen       | Jun 30, 2026
SI.L2-3.14.7  | No formal user behavior baseline established. Will configure Entra ID Protection risk policies.                  | Medium   | M. Chen       | May 20, 2026
CA.L2-3.12.4  | Continuous monitoring strategy not yet documented. Will draft and approve as Appendix C of SSP.                  | Low      | P. Ramanathan | Jul 15, 2026

For each item, your POA&M needs to cover six things:

Control reference. The specific NIST 800-171 control ID this gap relates to (e.g., AC.L2-3.1.5). One control per row.

Gap description. A short, factual statement of what isn't yet implemented. Avoid vague language like "needs improvement" — describe the specific deficit. "MFA not enforced for service accounts in the Azure Government tenant" is concrete; "MFA partially implemented" isn't.

Planned remediation. What you'll actually do to close the gap. Reference specific tools, configurations, or processes. "Configure conditional access policy in Entra ID to require MFA for all service principals" beats "implement MFA everywhere."

Resources required. What it will take to fix — staff time, software licenses, third-party services, or budget. This signals to assessors that you've actually thought about feasibility.

Owner. A specific named individual responsible for closing the item. Not a team, not a department. One person whose name will be referenced if the item slips.

Target completion date. A realistic date by which the gap will be closed. CMMC 2.0 generally expects POA&M items to close within 180 days of certification, so most dates fall in that window.

Not every gap is equal.

Some gaps will fail your assessment if you don't close them. Others are documentation issues you can resolve in a week. Others still are real but lower-stakes. Treating them all the same wastes effort and signals to an assessor that you don't understand the relative risk.

A useful prioritization framework asks two questions for each gap: how likely is it to cause assessment failure, and how much effort does closing it require? The answers cluster into three tiers.

High priority

Gaps that materially affect your security posture and are likely to cause a finding during assessment. Close these first, even if remediation is expensive.

Examples: MFA not enforced for privileged accounts. Encryption-at-rest missing on production CUI databases. No incident response plan documented.

Medium priority

Real gaps that need to be closed but won't necessarily fail your assessment if a credible plan is documented. Schedule these after high-priority items.

Examples: Quarterly access reviews not yet established. Automated patching configured but not yet covering all endpoint families. Some training records incomplete.

Low priority

Documentation, formalization, and process maturity gaps. Important to close, but unlikely to cause assessment failure on their own. Often closeable in days.

Examples: Sanctions policy exists in HR handbook but not formally cross-referenced in security policy. Continuous monitoring approach is implicit but not documented.

A useful sanity check

If you have ten high-priority items, you probably have a real readiness problem and should consider delaying assessment. If you have fifteen low-priority items, you're closer than you think and can probably move efficiently. Volume in the high-priority bucket is the signal that matters most.

Realistic timelines.

The single biggest credibility issue in POA&Ms is unrealistic dates. Contractors under pressure to look ready often set target dates that are technically possible but practically unattainable — closing twelve major control gaps in thirty days, for instance. Assessors know what reasonable timelines look like, and aggressive dates without supporting detail create suspicion rather than confidence.

A few rules of thumb for credible target dates:

Documentation gaps: 1–4 weeks. Drafting a missing policy, formalizing an existing process, or creating a missing procedure rarely takes longer than this if it's prioritized.

Configuration gaps: 30–90 days. Tightening MFA, configuring conditional access, deploying endpoint protections, or implementing logging changes typically take a month or two with normal IT capacity.

Process gaps: 60–120 days. Establishing recurring access reviews, formal change management, or documented incident response takes time because it requires not just creating the process but running it once or twice to prove it works.

Architectural gaps: 90–180 days. Network segmentation, migrating to GCC High, replacing identity providers — these are real projects that take real planning. Don't promise to close them in a month.

CMMC 2.0 generally expects POA&M items to close within 180 days of certification. If a gap genuinely needs longer than that, you may not be ready for assessment yet — or you'll need to discuss the gap explicitly with your assessor before submission.

Maintaining the POA&M over time.

The POA&M is a living document, not a one-time deliverable. Assessors don't just want to see a current snapshot — they want to see evidence that you actually work the plan. This means the POA&M needs ongoing maintenance, not just initial creation.

Monthly review practices

  • Update status on each open item. Has the work started? Is it on track? Document the current state, not just the original plan.
  • Close items that are complete. When a gap is closed, mark it closed with the date and a brief note about the verification step (link to evidence, change ticket, screenshot).
  • Adjust target dates honestly. If a date will slip, change it and document why. Quietly missing dates and hoping nobody notices is the worst pattern.
  • Add new items as gaps emerge. Environments change. New tools get added, contracts shift, vulnerabilities surface. The POA&M should reflect reality, not stay frozen at certification.
  • Review overall trend. Are you closing items faster than you're adding them? If not, investigate why before an assessor asks.

What assessors look for during reassessment

At your next assessment cycle (typically every three years for Level 2), assessors will pull your POA&M and check whether items closed by their original target dates. A POA&M with consistent on-time closures is a strong signal of operational maturity. One with widespread slippage and stale items is a red flag, even if the SSP itself looks fine.

Common mistakes.

Most POA&M problems aren't catastrophic — they're small accumulations of the same patterns. Here are the recurring ones.

Vague gap descriptions. "Improve access control" tells an assessor nothing. "Quarterly access review process not yet established for the Azure Gov subscription" tells them what's actually missing. Specificity in the gap description is what makes the planned remediation believable.

Aspirational target dates. Promising to close every open item within 30 days when half of them are architectural projects. The dates have to be realistic given the actual work required and the team's actual capacity.

No specific owner. "IT team" or "security" is not an owner. A POA&M item without a named individual rarely gets closed, and assessors know it.

Not maintaining the document. Drafting a POA&M for certification and never updating it again. By the time the next assessment comes around, half the items are stale and the credibility of the whole document is compromised.

Over-stuffing the POA&M. Treating it as a backlog of every conceivable improvement. Items should be specific, scoped to NIST 800-171 controls, and actually planned for closure — not vague aspirations.

Inconsistency with the SSP. The SSP describes a control as fully implemented; the POA&M lists it as a gap. Assessors notice these contradictions immediately. The two documents have to tell the same story.
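The six fields, the 180-day window, the monthly review numbers and the mistakes listed above can all be checked mechanically. The script below is an added example, not code from Baseline or from any DoD template: it models a POA&M item with the six fields, lints each item for vague wording, group owners, targets beyond 180 days of certification, missing resources and SSP contradictions, then produces the monthly-review trend and the high-priority sanity check. The first three sample rows mirror the table earlier on the page; the certification date, the closed status on the CA item, the SSP status values and the fourth (deliberately bad) row are constructed for illustration. The vague-phrase list and the group-owner pattern are heuristics, not an official rule.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CLOSURE_WINDOW = timedelta(days=180)   # CMMC 2.0 closure expectation after certification
# Heuristic: wording the page calls out as non-specific (assumption, not an official list)
VAGUE_PHRASES = ("needs improvement", "partially implemented", "improve", "everywhere")
# Heuristic: an owner string naming a group rather than a person (assumption)
GROUP_OWNER = re.compile(r"\b(team|department|it|security|ops)\b", re.IGNORECASE)


@dataclass
class PoamItem:
    control: str               # NIST 800-171 / CMMC control id, one per row
    gap: str                   # specific deficit, not "needs improvement"
    remediation: str           # concrete fix: tool, configuration or process
    resources: str             # staff time, licences, services, budget
    owner: str                 # a named individual, not a group
    target: date               # realistic completion date
    priority: str              # High / Medium / Low
    closed_on: Optional[date] = None   # set when the gap is verified closed


def lint_item(item: PoamItem, ssp_status: dict, cert_date: date) -> list:
    """Return the 'common mistakes' an assessor would flag for one item."""
    findings = []
    if any(p in item.gap.lower() for p in VAGUE_PHRASES):
        findings.append("vague gap description")
    if not item.owner.strip() or GROUP_OWNER.search(item.owner):
        findings.append("owner is a group, not a named individual")
    if item.target > cert_date + CLOSURE_WINDOW:
        findings.append("target date beyond the 180-day closure window")
    if ssp_status.get(item.control) == "Implemented":
        findings.append("SSP marks control Implemented but POA&M lists a gap")
    if not item.resources.strip():
        findings.append("resources required not stated")
    return findings


def lint_poam(items, ssp_status: dict, cert_date: date) -> dict:
    """Map each control id to its list of findings (empty list = clean row)."""
    return {i.control: lint_item(i, ssp_status, cert_date) for i in items}


def readiness_signal(items) -> str:
    """The page's sanity check: volume in the high-priority bucket is the signal."""
    high_open = sum(1 for i in items if i.closed_on is None and i.priority == "High")
    return "consider delaying assessment" if high_open >= 10 else "proceed"


def review_trend(items, as_of: date) -> dict:
    """Monthly review numbers: open vs closed, on-time closures, overdue open items."""
    closed = [i for i in items if i.closed_on is not None]
    open_items = [i for i in items if i.closed_on is None]
    return {
        "open": len(open_items),
        "closed": len(closed),
        "closed_on_time": sum(1 for i in closed if i.closed_on <= i.target),
        "overdue": sorted(i.control for i in open_items if i.target < as_of),
    }


CERT_DATE = date(2026, 2, 1)   # constructed certification date

# Rows 1-3 follow the sample table on the page (closed status on row 3 is constructed);
# row 4 is a constructed bad example that breaks several rules at once.
SAMPLE_ITEMS = [
    PoamItem("CM.L2-3.4.9", "User-installed software not technically restricted on macOS endpoints",
             "Deploy app allowlist via Intune", "1 engineer, 2 weeks", "M. Chen",
             date(2026, 6, 30), "High"),
    PoamItem("SI.L2-3.14.7", "No formal user behavior baseline established",
             "Configure Entra ID Protection risk policies", "Entra ID P2 licences", "M. Chen",
             date(2026, 5, 20), "Medium"),
    PoamItem("CA.L2-3.12.4", "Continuous monitoring strategy not yet documented",
             "Draft and approve as Appendix C of SSP", "Policy author, 3 days", "P. Ramanathan",
             date(2026, 7, 15), "Low", closed_on=date(2026, 3, 10)),
    PoamItem("AC.L2-3.1.5", "Access control partially implemented",
             "Implement least privilege everywhere", "", "IT team",
             date(2026, 12, 1), "High"),
]
# Constructed SSP implementation statuses; the AC row contradicts the POA&M on purpose
SAMPLE_SSP = {"CM.L2-3.4.9": "Partially implemented", "SI.L2-3.14.7": "Not implemented",
              "CA.L2-3.12.4": "Planned", "AC.L2-3.1.5": "Implemented"}

if __name__ == "__main__":
    for control, findings in lint_poam(SAMPLE_ITEMS, SAMPLE_SSP, CERT_DATE).items():
        print(control, "->", findings or "clean")
    print(review_trend(SAMPLE_ITEMS, date(2026, 7, 1)))
    print(readiness_signal(SAMPLE_ITEMS))
```

Run it monthly against the real register and the output is a ready-made agenda for the review: every non-empty findings list is a row an assessor would question, the `overdue` list is the set of dates that need to be re-planned and explained rather than quietly missed, and the SSP comparison catches the "fully implemented here, gap there" contradiction before anyone outside the company reads both documents.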

Don't draft your POA&M from scratch. Start with your gaps.

Baseline's interview generates a starter POA&M with your identified gaps, suggested priorities, and remediation guidance — ready for you to assign owners and target dates.