A Plan of Action & Milestones (POA&M) documents known security deficiencies and the specific, dated steps your organisation will take to remediate them. Under CMMC 2.0, POA&Ms play a critical but constrained role: they let you be certified with a small number of open gaps, but only for a limited set of practices and only for a fixed period.
CMMC 2.0 POA&M Rules
| Rule | Requirement |
|---|---|
| 180-day closeout | Every open POA&M item must be closed, and closure verified in a closeout assessment, within 180 days of the assessment results being submitted. There are no extensions; if the closeout is missed, the conditional status expires. |
| Maximum open items | Only a limited number of practices may be open on the POA&M at the time of assessment; the assessment score must still be at least 80 per cent of the total available. |
| Prohibited practices | Certain high-criticality practices cannot be placed on a POA&M at all (e.g., MFA, or encryption of CUI where no encryption is in place). These are the practices that carry the highest point weighting in the DoD Assessment Methodology; encryption that is deployed but not yet FIPS-validated is the one high-weight gap that may be POA&M'd. |
| Conditional certification | Organisations with open POA&M items receive a conditional certification, which becomes final only after the closeout assessment verifies that every item is closed. |
POA&M Fields
| Field | Description |
|---|---|
| Practice ID | The CMMC practice identifier with a gap |
| Weakness Description | What is missing or incomplete, stated concretely enough that an assessor can verify closure |
| Remediation Plan | The specific actions, with milestones, that will close the gap |
| Responsible Party | The individual or team accountable for delivery |
| Target Completion | Planned closure date; for CMMC it must fall within the 180-day window |
| SPRS Deduction | The point deduction this gap contributes to the NIST SP 800-171 score reported in SPRS |
POA&M Statuses
| Status | Meaning |
|---|---|
| Open | Gap identified, remediation not yet started |
| In Progress | Remediation activities underway |
| Completed | Remediation finished, pending verification |
| Verified | Effectiveness confirmed by evidence; the POA&M item is closed |
| Overdue | Target date passed without closure; for CMMC this puts the conditional certification at risk |