Understand what you can include in a CMMC POA&M under the current rules (the 32 CFR Part 170 CMMC program rule and the 48 CFR acquisition rule that applies it to contracts). Learn which Level 2 requirements are eligible, what "88 points" really means, and how to stay compliant with DoD (now also styled DoW, the Department of War) cybersecurity requirements.
- What Is a POA&M in CMMC?
A POA&M in CMMC stands for "Plan of Action and Milestones." It is a formal document used in the Cybersecurity Maturity Model Certification process to track specific gaps between your current cybersecurity posture and the CMMC requirements.
A POA&M records which actions need to be taken, the milestones and deadlines for each corrective step, and who is responsible for each item. Its purpose is to plan and document remediation for requirements that are not yet fully implemented. Under CMMC, the use of POA&Ms is strictly limited: at Level 1 no open POA&M items are permitted at all, and at Level 2 only certain low-weight requirements may be placed on a POA&M, every one of which must be closed within a fixed 180-day window.
In short, a Plan of Action and Milestones (POA&M) is an official corrective action plan for remediating gaps found during your CMMC assessment. Contrary to popular belief, this is not a "grace period" for missing controls: the eligibility limits are written into the CMMC program rule (32 CFR 170.21) and enforced through the 48 CFR contract clauses. https://dodcio.defense.gov/cmmc/About/
- CMMC Level 1: No POA&Ms Allowed
CMMC Level 1 has zero tolerance for incomplete requirements:
Your Level 1 self-assessment, affirmed in SPRS, is a declaration that every requirement is fully implemented.
All 15 FAR 52.204-21 basic safeguarding requirements must be met before you can affirm; there is no partial credit, no grace period, and no POA&M. https://www.acquisition.gov/far/52.204-21
A single unmet requirement means you do not meet Level 1 until it is fixed and reassessed.
- CMMC Level 2: The Reality Behind the “88 Points” Rule
You may have heard that a score of 88 out of 110 points (80%) is enough for conditional Level 2 status. That is the minimum score, but the score alone is not the test; each open gap must also be POA&M-eligible:
Only requirements worth 1 point under the DoD Assessment Methodology may be listed for later remediation. Requirements weighted 3 or 5 points (those with the greatest impact on protecting CUI) are never eligible for deferral, with a single exception noted below.
Any Level 2 requirement that is not POA&M-eligible must be 100% implemented before conditional or final certification, no matter how high the overall score is.
Summary Table: POA&M Eligibility

- Exceptions:
One requirement worth more than 1 point may be placed on a POA&M: CUI encryption, SC.L2-3.13.11. It is eligible only when encryption is already in use but not yet FIPS-validated, which scores it as a 3-point deduction instead of 5. If no encryption is in place at all it is a 5-point gap and cannot be deferred. https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
Conversely, five 1-point requirements are excluded from any POA&M and must be fully implemented: AC.L2-3.1.20 (external connections), AC.L2-3.1.22 (control of public information), PE.L2-3.10.3 (escort visitors), PE.L2-3.10.4 (physical access logs), and PE.L2-3.10.5 (manage physical access).
- Conditional Certification and the 180-Day Remediation Rule
A score of at least 88 of 110 with only POA&M-eligible gaps earns Conditional Level 2 status (for a self-assessment or a C3PAO certification assessment):
You have 180 days from the date conditional status is granted to close every POA&M item.
If the POA&M is not closed out in time, the conditional status expires; there is no extension, and you must be reassessed before you are eligible again.
Closure is verified by a "POA&M closeout assessment": performed by the C3PAO for a certification assessment, or by the organization itself for a self-assessment. The closeout covers only the items on the POA&M, not the full set of 110 requirements.
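The scoring and eligibility rules above are easy to get wrong when read as "just get to 88". The following Python is an added example written for this page, not an official DoD/DoW tool: it computes the assessment score from a set of findings, applies the three Level 2 POA&M conditions (score at or above 88, no gap worth more than 1 point except SC.L2-3.13.11 with encryption in place, none of the five excluded 1-point requirements), and computes the 180-day closeout date. The point values in WEIGHTS are a small transcribed subset and are an assumption to verify against the official DoD Assessment Methodology table; the scenarios at the bottom are constructed, not real assessment data.

```python
"""Model of the CMMC Level 2 POA&M eligibility rules (added example).

Assumptions:
- WEIGHTS holds only a handful of transcribed point values; the official
  DoD Assessment Methodology table covers all 110 requirements.
- Partial credit is modelled only for SC.L2-3.13.11 (encryption in use
  but not FIPS-validated), which counts as a 3-point deduction.
"""
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 requirements at Level 2
PASSING_NUMERATOR = 4      # 4/5 == 0.8, i.e. 88 of 110 points
PASSING_DENOMINATOR = 5
CLOSEOUT_DAYS = 180        # window to close every POA&M item

# ASSUMPTION: illustrative subset; confirm each value against the official table.
WEIGHTS = {
    "AC.L2-3.1.1": 5,
    "AC.L2-3.1.2": 5,
    "AC.L2-3.1.9": 1,
    "AC.L2-3.1.10": 1,
    "AC.L2-3.1.20": 1,
    "AC.L2-3.1.22": 1,
    "PE.L2-3.10.3": 1,
    "PE.L2-3.10.4": 1,
    "PE.L2-3.10.5": 1,
    "SC.L2-3.13.11": 5,
}
FIPS_REQ = "SC.L2-3.13.11"
FIPS_PARTIAL_DEDUCTION = 3  # encryption present but not FIPS-validated

# 1-point requirements that may never be placed on a POA&M (32 CFR 170.21).
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


def sprs_score(findings: dict[str, str]) -> int:
    """Return 110 minus the deduction for every gap.

    findings maps requirement id -> "met" | "not_met" | "partial".
    """
    score = TOTAL_REQUIREMENTS
    for req, status in findings.items():
        if status == "met":
            continue
        if status == "partial":
            if req != FIPS_REQ:
                raise ValueError(f"partial credit not modelled for {req}")
            score -= FIPS_PARTIAL_DEDUCTION
        elif status == "not_met":
            score -= WEIGHTS[req]  # KeyError if the weight is not transcribed
        else:
            raise ValueError(f"unknown status {status!r} for {req}")
    return score


def meets_threshold(score: int) -> bool:
    """True when score/110 >= 0.8, computed in integers to avoid float edge cases."""
    return score * PASSING_DENOMINATOR >= TOTAL_REQUIREMENTS * PASSING_NUMERATOR


def poam_blockers(findings: dict[str, str]) -> list[str]:
    """Every reason the open gaps cannot go on a POA&M; empty means eligible."""
    blockers = []
    score = sprs_score(findings)
    if not meets_threshold(score):
        blockers.append(f"score {score} is below 88")
    for req, status in findings.items():
        if status == "met":
            continue
        if req in NEVER_ON_POAM:
            blockers.append(f"{req} must be fully implemented; never POA&M-eligible")
        elif req == FIPS_REQ and status == "not_met":
            blockers.append(f"{req} is eligible only when encryption is in place but not FIPS-validated")
        elif req != FIPS_REQ and WEIGHTS[req] > 1:
            blockers.append(f"{req} is worth {WEIGHTS[req]} points; only 1-point gaps may be deferred")
    return blockers


def closeout_deadline(conditional_status_date: date) -> date:
    """Last day to close every POA&M item after conditional status is granted."""
    return conditional_status_date + timedelta(days=CLOSEOUT_DAYS)


# Constructed scenarios (not real assessment data).
ELIGIBLE = {"AC.L2-3.1.9": "not_met", "AC.L2-3.1.10": "not_met", FIPS_REQ: "partial"}
FIVE_POINT_GAP = {"AC.L2-3.1.1": "not_met"}
EXCLUDED_ONE_POINT = {"PE.L2-3.10.4": "not_met"}
NO_ENCRYPTION = {FIPS_REQ: "not_met"}

if __name__ == "__main__":
    for name, f in [("eligible", ELIGIBLE), ("five-point gap", FIVE_POINT_GAP),
                    ("excluded 1-point", EXCLUDED_ONE_POINT), ("no encryption", NO_ENCRYPTION)]:
        print(f"{name}: score={sprs_score(f)} blockers={poam_blockers(f) or 'none'}")
    print("closeout deadline:", closeout_deadline(date(2025, 1, 1)))
```

Note that three of the four scenarios score 105 or better, comfortably above 88, yet only the first can be placed on a POA&M; the score threshold is necessary but not sufficient.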
- Best Practices for Contractors
With POA&Ms strictly limited, effective organizations focus on preparation:
Aim for full implementation of all 110 requirements from the start; a 110/110 score needs no POA&M and no closeout assessment.
Treat the POA&M as a fallback for a small number of eligible 1-point gaps, not as your compliance strategy.
Document remediation for every POA&M item for verification.
Proactive compliance positions your business for contracts and reduces risk of disruption or costly delays.

- Key Takeaways
POA&Ms are structured, time-bound plans—not loopholes.
Only certain controls qualify; most cannot be deferred.
Conditional certification is a temporary status; the 180-day timer starts the day it is granted.
The best path to CMMC compliance is thorough preparation, full implementation, and continuous improvement.
By understanding the POA&M rules, contractors protect sensitive data, stay eligible for DoW contracts, and build a resilient cybersecurity posture for long-term business success. Don't wait; get certified with help from experts like us. More questions or concerns? Contact us: