A Plan of Action & Milestones (POA&M) documents known security deficiencies and the specific steps your organisation will take to remediate them. Under CMMC 2.0, POA&Ms play a critical but constrained role.
CMMC 2.0 POA&M Rules
180-day closeout
All POA&M items must be closed within 180 days of assessment results submission. No extensions.
Maximum open items
Limited number of practices can be on POA&M at time of assessment
Prohibited practices
Certain high-criticality practices cannot be placed on a POA&M (e.g., FIPS encryption, MFA)
Conditional certification
Organisations with open POA&M items receive conditional certification, finalised after closeout