When a Defense Industrial Base contractor first reviews the CMMC requirements, the question usually comes up within the first hour: "What if we can't meet all 110 controls by our assessment date?" The Program Management Office anticipated this. They created a mechanism called a Plan of Action and Milestones—commonly shortened to POA&M—that allows contractors to defer implementation of certain controls under specific conditions. The mechanism exists, but it's more limited than most organizations assume.

I've watched multiple contractors build their entire CMMC timeline around the assumption that POA&Ms will cover their gaps. That's a strategic error. A POA&M in CMMC is not a general extension on your homework. It's a tightly bounded exception with clear eligibility rules, specific time limits, and real consequences if you misunderstand the boundaries.

What a POA&M Actually Is in the CMMC Context

A Plan of Action and Milestones is a formal document that identifies a control deficiency, explains why the deficiency exists, outlines the steps required to close it, assigns responsibility, and sets a completion timeline. The concept originated in federal IT security management practices and has been part of NIST frameworks for years. CMMC 2.0 adopted the mechanism but applied specific constraints that don't exist in other contexts.

In CMMC, a POA&M allows an organization to receive certification despite having identified gaps in its implementation of specific security controls. The contractor documents the gap, commits to a remediation plan, and the C3PAO (CMMC Third Party Assessment Organization) issues certification contingent on the POA&M being completed within the defined timeframe.

The key word is "contingent." Your certification is conditional. If you fail to close the POA&M within the allowed window, your certification becomes invalid. You don't just lose points or face a slap on the wrist—you lose the certification entirely and cannot bid on contracts requiring CMMC compliance until you remediate and potentially reassess.

When POA&Ms Are Permitted Under CMMC 2.0

CMMC 2.0 allows POA&Ms only at Level 2. There are no POA&Ms at Level 1. If you're pursuing Level 1 certification through self-assessment, you either meet all the requirements or you don't. The scope is narrow enough—17 controls from NIST 800-171—that the Program Management Office decided a deferral mechanism wasn't necessary.

At Level 2, you're implementing all 110 practices from NIST 800-171. The rule is simple: you may have POA&Ms for up to five controls. Not five categories. Not five domains. Five individual practices. If you have six deficiencies, you fail the assessment. The ceiling is firm.

This is where I see organizations make their first planning mistake. They conduct a gap assessment, identify eight or ten controls they're struggling with, and assume they can phase the work. You can't. You need to get that list down to five or fewer before the assessment, or you're not ready.

The Scoring Threshold You Must Meet

Even with up to five POA&Ms, you still need to achieve a minimum score of 88 out of 110 points on the assessment. Most NIST 800-171 practices are worth one point, but some have higher weights. The math matters. You can't simply defer your five hardest controls and assume you'll clear the threshold. You need to map which controls you're deferring, confirm their point values, and verify that your implemented controls get you to 88.

I've reviewed remediation plans where the contractor planned to defer controls worth six or seven points total, which would have left them at 103 or 104 points implemented—well above the threshold. But I've also seen plans that would have resulted in an 85 or 86, which means automatic failure regardless of how solid the POA&M documentation was. Run the numbers before you commit to a timeline.


Controls That Are Eligible for POA&Ms (and Those That Aren't)

Not all controls are eligible for deferral. CMMC 2.0 designates certain practices as critical to the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These cannot be deferred under any circumstances.

The ineligible controls include foundational practices like access control, incident response, media protection, physical protection, and system and communications protection practices that directly safeguard CUI. The full list is published in the CMMC Assessment Guides, and it's not negotiable. If you have a deficiency in one of these areas, you must remediate it before the assessment. A POA&M won't save you.

Eligible controls tend to be in areas like audit and accountability, configuration management, risk assessment, and security assessment—practices that improve your security posture but aren't immediately critical to preventing a breach or exfiltration of CUI. For example, you might defer full implementation of automated audit log review if you have manual processes in place, but you can't defer the requirement to generate logs in the first place.

The pattern I see in successful CMMC preparations is that organizations treat the ineligible list as their Phase 1 work. Get those controls fully implemented first. Then assess what remains, prioritize based on difficulty and cost, and decide which five—if any—genuinely need a POA&M. Most well-prepared contractors end up with one to three POA&Ms, not five. If you're planning to use all five slots, you're probably starting the assessment too early.

Speaking on CMMC Strategy for Defense Contractors

Carl delivers keynotes and workshops on federal contractor cybersecurity, CMMC preparation, and building audit-ready programs that survive real-world assessments. His sessions are built on direct experience, not vendor pitches.

Book Carl to Speak

Time Limits and What Happens When You Miss Them

Every CMMC POA&M includes a defined completion date. The maximum window is 180 days from the date of certification. You can set a shorter timeline, and in some cases you should, but you cannot exceed six months.

The clock starts when your certification is issued, not when you submit the POA&M, and not when you start remediation. If your assessment concludes on March 1 and you receive certification on March 15, your 180-day countdown starts March 15. If your POA&M says you'll complete the work in 120 days, you have until July 13. If it says 180 days, you have until September 11. After that, your certification is void.
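To make the constraints concrete, here is a readiness check added for this article (example code, not from the author or the CMMC program) that applies the rules as stated in the preceding sections: at most five deferred practices, no ineligible practice deferred, a score of at least 88 of 110 after deducting the deferred practices, and a closure deadline no more than 180 days after the certification date. The control names, point weights, eligibility flags and certification date below are constructed placeholders; real weights and the ineligible list come from the CMMC Assessment Guides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constraints as the article states them; confirm against the current CMMC rule before relying on them.
TOTAL_POINTS = 110      # perfect Level 2 score
MIN_SCORE = 88          # minimum score allowed with POA&Ms open
MAX_POAM_ITEMS = 5      # at most five individual practices deferred
MAX_POAM_DAYS = 180     # counted from the certification date, not from remediation start


@dataclass(frozen=True)
class Gap:
    """One deficient NIST 800-171 practice found in the gap assessment."""
    control: str         # practice identifier or short label
    points: int          # assessment weight; placeholder here, real values come from the Assessment Guide
    poam_eligible: bool  # False for practices the Assessment Guides exclude from deferral
    planned_days: int    # days after certification the POA&M commits to closing the gap


@dataclass
class PlanResult:
    score: int                                     # points implemented after deducting deferred practices
    findings: list = field(default_factory=list)   # rule violations; empty means the plan is viable
    deadlines: dict = field(default_factory=dict)  # control -> hard closure date

    @property
    def passes(self) -> bool:
        return not self.findings


def must_fix_before_assessment(gaps):
    """Phase 1 work: deficiencies that cannot go on a POA&M and must be closed before the assessor arrives."""
    return [g for g in gaps if not g.poam_eligible]


def check_poam_plan(deferred, cert_date):
    """Validate a proposed POA&M list against the four rules and compute each item's closure deadline."""
    result = PlanResult(score=TOTAL_POINTS - sum(g.points for g in deferred))
    if len(deferred) > MAX_POAM_ITEMS:
        result.findings.append(f"{len(deferred)} POA&M items exceeds the ceiling of {MAX_POAM_ITEMS}")
    for g in deferred:
        if not g.poam_eligible:
            result.findings.append(f"{g.control} is not eligible for a POA&M; remediate it before the assessment")
        if not 0 < g.planned_days <= MAX_POAM_DAYS:
            result.findings.append(f"{g.control}: {g.planned_days} days is outside the 1-{MAX_POAM_DAYS} day window")
        result.deadlines[g.control] = cert_date + timedelta(days=g.planned_days)
    if result.score < MIN_SCORE:
        result.findings.append(f"score {result.score} is below the {MIN_SCORE}-point minimum")
    return result


def plan_from_gap_assessment(gaps, cert_date):
    """Split the full gap list into pre-assessment work and the proposed POA&M list, then check the latter."""
    deferred = [g for g in gaps if g.poam_eligible]
    return must_fix_before_assessment(gaps), check_poam_plan(deferred, cert_date)


# Constructed sample gap assessment; names, weights and eligibility are illustrative, not real assignments.
SAMPLE_GAPS = [
    Gap("automated audit log review", 1, True, 120),
    Gap("configuration baseline tooling", 3, True, 150),
    Gap("vulnerability scan cadence", 1, True, 90),
    Gap("MFA on legacy application", 1, True, 180),
    Gap("CUI boundary protection", 5, False, 60),  # ineligible: goes to Phase 1, never on the POA&M
]
CERT_DATE = date(2024, 3, 15)  # constructed certification date; the 180-day clock starts here


if __name__ == "__main__":
    prework, result = plan_from_gap_assessment(SAMPLE_GAPS, CERT_DATE)
    print("Close before assessment:", [g.control for g in prework])
    print("Score with POA&Ms open:", result.score, "| plan viable:", result.passes)
    for control, deadline in result.deadlines.items():
        print(f"  {control}: close by {deadline.isoformat()}")
    for finding in result.findings:
        print("  FINDING:", finding)
```

With the constructed sample, the four eligible gaps total six points, leaving a score of 104, and the 120-day and 180-day items land on July 13 and September 11 respectively, matching the dates worked out above. Running the same check with the ineligible control included, or with six items, or with five heavily weighted items, produces a finding rather than a viable plan, which is the point of running the numbers before committing to an assessment date.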

There are no extensions. There is no "we're almost done" provision. The rule is binary: either you completed the POA&M within the window, or your certification is invalid. If a contracting officer asks for proof of CMMC compliance and your POA&M deadline has passed without closure, you're out of compliance.

What happens if you miss the deadline? You lose the certification. To regain it, you'll need to complete the remediation and undergo another assessment. Depending on the scope, that might be a full reassessment or a focused review of the controls that were under POA&M. Either way, it's additional cost, additional time, and potential loss of contract opportunities in the interim.

Proving You Closed the POA&M

Closing a POA&M isn't just flipping a switch and declaring victory. You need evidence. The C3PAO will require documentation that demonstrates the control is now fully implemented and operating as intended. This might include configuration screenshots, policy updates, training records, audit logs, or attestations from responsible personnel.

The evidence requirement is the same as it would have been during the original assessment. If the control requires a documented process, you need the process document. If it requires technical implementation, you need proof the technology is deployed and configured correctly. If it requires regular reviews, you need evidence that the review process is established and has occurred at least once.

I recommend treating the POA&M closure as a mini-assessment. Assign someone to collect evidence as if an assessor were coming back. Have an internal reviewer validate the evidence before you submit it. The worst outcome is thinking you've closed a POA&M, submitting incomplete evidence, having the C3PAO reject it, and then scrambling to fix it while the clock continues running.


Common Misconceptions That Get Contractors in Trouble

The biggest misconception is that a POA&M is a grace period. It's not. It's a commitment to deliver something you haven't delivered yet, within a hard deadline, with your certification on the line. Organizations that treat it as breathing room tend to deprioritize the work, assuming they have six months to figure it out. Then month five arrives, the remediation turns out to be more complex than anticipated, and they're scrambling.

Another misconception is that POA&Ms are renewable or stackable. They're not. You get one shot. If you fail to close a POA&M and lose certification, you can't just open another POA&M for the same control during your next assessment. You need to fix it, period.

I've also seen contractors assume that POA&Ms are confidential or invisible to contracting officers. They're not invisible. When you submit your certification for a contract, the contracting officer can see that you have open POA&Ms and can ask for the documentation. If your POA&M says you'll close a gap in 180 days but the contract performance starts in 90 days, that's a problem. The contracting officer may decide you're not actually compliant for the period they care about.

Finally, there's a persistent belief that you can use POA&Ms to defer expensive controls indefinitely by recertifying every three years and opening new POA&Ms each time. The Program Management Office is aware of this potential loophole. Assessors are trained to look for repeat deficiencies. If the same control shows up as a POA&M across multiple assessment cycles, it signals a lack of commitment to the requirement, and that's a problem during contract evaluations and potential DoD audits.

Building a Realistic POA&M That You Can Actually Execute

A good POA&M starts with a clear understanding of why the gap exists. Is it a resourcing issue? A vendor dependency? A technical complexity that requires phased deployment? The root cause shapes the remediation plan.

If the issue is budget, your POA&M needs to include procurement timelines, vendor selection, and implementation phases. If it's staffing, you need hiring or training milestones. If it's technical—say, deploying multifactor authentication across a legacy application—you need a project plan with defined phases, testing windows, and rollback procedures.

The milestones in your POA&M should be specific and measurable. "Improve access controls" is not a milestone. "Deploy MFA to all CUI user accounts by June 30" is a milestone. "Complete security awareness training for all employees by May 15" is a milestone. The more concrete your milestones, the easier it is to track progress and demonstrate completion.

Assign ownership. Every POA&M should have a named individual responsible for ensuring it gets closed. That person needs authority, budget, and accountability. I've seen POA&Ms fail because they were assigned to someone who had no ability to make decisions or allocate resources. If the remediation requires procurement, the owner needs spending authority or direct access to someone who does.

Finally, build in buffer. If you think a remediation will take 120 days, write the POA&M for 150. If you think it'll take 90, write it for 120. Things go wrong. Vendors delay shipments. Staff turnover happens. Technical implementations surface unexpected dependencies. A buffer gives you room to manage the inevitable without missing the deadline.


Strategic Implications: POA&Ms as a Risk Management Tool, Not a Shortcut

When used correctly, a POA&M is a risk management decision. You're acknowledging a gap, documenting the risk it creates, and committing to a time-bound remediation. That's a defensible position if the gap is genuinely difficult to close immediately and you have a realistic plan.

When used incorrectly, a POA&M becomes a way to game the system—to claim compliance when you're not actually compliant, with the hope that nobody checks before the deadline. That approach fails in two ways. First, you're likely to miss the deadline because you underestimated the work. Second, even if you hit the deadline, you've spent six months operating with a known security deficiency that could have been exploited.

From a CISO perspective, I'd rather see an organization delay their assessment by 60 days and show up with zero POA&Ms than rush into certification with five open items and a prayer that they'll close them in time. The former demonstrates control and readiness. The latter demonstrates optimism over planning.

If you're working toward CMMC Level 2 and you're not sure where you stand, the first step is an honest gap assessment. Understand which level you actually need based on your contract requirements, then map your current state against the 110 practices. Identify the controls you're missing, categorize them as eligible or ineligible for POA&Ms, and decide whether you can realistically close the ineligible gaps before assessment.

For context on how CMMC fits into the broader world of federal contractor obligations, it's worth understanding what regulatory compliance actually means and how these frameworks interconnect. CMMC doesn't exist in isolation—it's part of a larger compliance ecosystem that includes FAR, DFARS, NIST, and in some cases ITAR. The controls overlap, and the assessment rigor is similar.

What Leadership Needs to Understand About POA&Ms

If you're a CEO, CFO, or program manager at a defense contractor, the key takeaway is this: a POA&M is not a get-out-of-jail-free card. It's a binding commitment with a hard deadline and real consequences for failure. When your CISO or compliance lead says they need more time to remediate before assessment, listen. Pushing them to certify early with the assumption that POA&Ms will cover the gaps is a gamble with your contract eligibility.

The second thing leadership needs to understand is that POA&Ms create operational risk during the window they're open. If you have a POA&M on audit log review, you're operating with reduced visibility into potential security events for up to 180 days. If you have a POA&M on configuration management, you're at higher risk of misconfigurations that could expose CUI. The controls exist for a reason. Deferring them has consequences beyond the compliance checkbox.

The third point is that POA&Ms are visible. Contracting officers can see them. Primes can see them when evaluating subs. If you're competing for a contract and your competitor has full compliance while you have three open POA&Ms, that's a differentiator. It may not disqualify you, but it's a data point in the evaluation.

Finally, understand that POA&Ms require real resources to close. Budget for it. Staff for it. Track it like any other critical project. I've seen contractors treat POA&M closure as a side project that gets done "when we have time." That approach fails. If you're going to open a POA&M, treat it as a top-tier priority with executive sponsorship and regular status reviews.

CMMC is not going away. The DoD is committed to rolling it out across the defense industrial base, and contractors who can't demonstrate compliance will lose access to contracts. POA&Ms are a tool in the compliance toolkit, but they're not a substitute for doing the work. Use them strategically, document them thoroughly, and close them on time. Anything less puts your certification—and your contracts—at risk.
