There is no doubt that POA&Ms can be confusing. What they are, when you create an action item, how you manage your POA&Ms, how they relate to other aspects of your cyber security program, and of course, how to specifically manage POA&Ms for CMMC compliance are all leaving members of the DIB scratching their heads. This brief gives high level answers to all those questions and offers practical guidance on how CMMC gap remediation and your POA&M program work together on the path to certification.
POA&M stands for Plan of Action and Milestones. Effectively, a single POA&M represents the steps an organization needs to take to close the gap on a particular cybersecurity control that does not currently meet a specific requirement or objective of a security framework; in this brief, that framework is CMMC.
POA&Ms in general should be created every time a vulnerability in your current cybersecurity program is identified. For example, if you identify during a self-assessment that patching is not taking place, that finding should be recorded along with the plan for remediation, when the remediation will take place, who is responsible, and how to verify that the work is done.
Accordingly, POA&Ms should be viewed as a living, breathing document with realistic, dynamic changes taking place on a regular basis rather than as a static checklist of things to do once and be done with. Our advisory team has noticed that a number of clients initially view POA&Ms as the latter, but your networks and work habits are dynamic, so your cybersecurity vulnerabilities will change along with those infrastructure and organizational changes. POA&Ms should also be created whenever an organization plans updates to its infrastructure. For example, if you are updating your email system, you should create related POA&Ms for any vulnerabilities discovered during your risk assessment of the new technology investment, and also for all the related policies and procedures that will be affected. This same approach applies across compliance frameworks, including NIST 800-171, where contractors operating under DFARS requirements are expected to maintain comparable POA&M documentation tracking any unmet controls.
A CMMC POA&M is written documentation describing the proactive steps an organization plans to take to close the gap between its current cybersecurity practices for a specific CMMC control and the level of security needed to meet that control's requirements. Effective CMMC POA&M management is, at its core, a gap remediation exercise, one that requires systematic tracking, assigned ownership, and realistic timelines to close before your C3PAO assessment.
Effectively, you need to document your plan regarding the actions you'll take to address any security vulnerabilities identified during an analysis of your readiness for a CMMC assessment. Overall, your POA&Ms for all of your CMMC requirements should detail:
In discussing POA&Ms with the Coalfire Federal CMMC advisory team, several interesting observations were made regarding what they are seeing:
“One client has a great practice where they sort of make a game out of it – they keep asking ‘why’ until they get to the root of the problem and when they get to the why, that is what goes into the POA&M.”
“Clients that manage POA&Ms well know that they need to do a risk assessment and include change management strategies as part of their POA&Ms rather than just writing down the problem.”
“POA&Ms can’t be a stand-alone thing – they should be incorporated into exercises that involve regular reviews.”
“Treating POA&Ms as a place that incidents and problems go to die is not only ineffective but dangerous.”
All of these are excellent points that have shaped the way our team approaches the subject of POA&Ms with our clients. We are constantly informing our practices with lessons learned from each engagement.
At the start of your gap analysis against CMMC requirements, you should identify a process and tools for keeping track of any unmet requirements and think strategically about how to close the gaps in a timely fashion. As we have noted in previous posts, it is a great idea to designate an individual in your organization who will become the point person for CMMC preparations. This person should know something about cybersecurity and a bit about project management, and have enough authority in the organization to ensure that when a requirement is assigned to an individual, it is taken seriously. We also highly recommend that your designated CMMC point person be a full-time employee of your organization and that they go through the CMMC CCP training if at all possible. It sets the tone for understanding what assessors will be looking for during the certification process.
Another key component is a tool or set of tools that allows your organization to manage and track preparations for a CMMC assessment. There are a number of excellent governance, risk, and compliance (GRC) tools available that can help your organization manage all the artifacts required for demonstrating compliance with controls, document which artifacts apply to a control and how, and otherwise support the inclusion of preparatory notes. A built-in tracker for managing POA&Ms is also a great feature to look for when selecting a GRC tool.
Many organizations also benefit from starting with a standardized CMMC POA&M template that captures the required fields:
Effectively, during your gap analysis, you need to identify your FCI and CUI boundaries and then consider whether and how each control requirement is met. For any unmet controls, the following steps should be taken.
Conduct a thorough CMMC gap analysis to pinpoint areas where your organization falls short of CMMC requirements.
For unmet controls, ask why until you get to actionable items. Those actionable items should be your POA&Ms.
Craft specific actions to address each unmet control. Assign an appropriate individual within your organization to manage the POA&M.
Set realistic deadlines for completing each mitigation strategy within your POA&M.
Continuously track progress towards completing your POA&M actions. Update the document as needed to reflect completed tasks.
Building a CMMC POA&M is one thing. Knowing which gaps can remain open at assessment versus which controls must be fully met is another, and getting that wrong has direct consequences for your certification timeline. Coalfire Federal's CMMC advisory team has guided contractors through gap remediation and C3PAO assessment preparation since the program's inception. As one of the first authorized C3PAOs, we understand exactly how assessors evaluate POA&M items and what it takes to walk into an assessment ready. Talk to a CMMC expert to discuss where your organization stands.
The proposed CMMC 2.0 rule introduces changes to POA&Ms. One difference between CMMC 1.0 and CMMC 2.0 is that selected security requirements are eligible to be placed on a Plan of Action and Milestones (POA&M) that must be closed within 180 days of the assessment. While this was expected to be part of the proposed rule, section 170.21 gives specific guidance on which controls are eligible for a POA&M during an assessment (and, implicitly, a clear understanding of which controls are not eligible):
“An OSA is only permitted to have a POA&M for CMMC Level 2 if all the following conditions are met:
The rules around eligible POA&M items have direct implications for your CMMC gap remediation strategy. Understanding which controls must be fully met before assessment day, and which can be carried into a 180-day closure window, is critical planning information for any DIB contractor pursuing CMMC Level 2 certification. As an authorized C3PAO, Coalfire Federal's team of experienced CMMC professionals has the expertise to help you build a defensible POA&M, identify which remediation actions are time-sensitive, and achieve CMMC certification with confidence. For a direct conversation about where your organization stands, talk to one of our CMMC experts today.
A CMMC POA&M documents the specific steps a contractor will take to close gaps between its current cybersecurity practices and the requirements in the CMMC framework. It identifies vulnerabilities, assigns responsibility for remediation, sets completion milestones, and tracks the organization’s readiness for certification.
A Plan of Action and Milestones (POA&M) is a document that outlines how an organization plans to fix identified security gaps. It includes who is responsible, what actions will be taken, and deadlines for completing those actions. POA&Ms should be updated regularly to reflect progress and changes in the environment.
Organizations should treat POA&Ms as ongoing management tools rather than one-time checklists. Each POA&M should be updated as systems, policies, and infrastructure evolve. Regular reviews, risk assessments, and change management practices are essential to ensure POA&Ms remain accurate and effective.
The steps include identifying gaps during a CMMC gap analysis, finding the root cause of each unmet control, developing mitigation strategies, assigning ownership, setting realistic timelines, and monitoring progress. Using a governance, risk, and compliance (GRC) tool can simplify tracking and documentation.
Under the proposed CMMC 2.0 rule, only certain low-value controls may be placed on a POA&M, and those items must be closed within 180 days of the assessment. Controls with high point values or that involve sensitive Controlled Unclassified Information (CUI) cannot be included on a POA&M.
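As an added example, not code from Coalfire Federal or the CMMC program: a small Python POA&M register check that applies the points made above, verifying that each item carries the fields the brief calls for (root-cause gap, action, owner, milestone, verification) and flagging any milestone that falls outside the 180-day closure window from the assessment date. Control identifiers, dates and findings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Closure window from the proposed CMMC 2.0 rule: assessment-time POA&M items close within 180 days.
CLOSURE_WINDOW_DAYS = 180

@dataclass
class PoamItem:
    control: str            # requirement identifier (constructed sample IDs below, not real practice IDs)
    gap: str                # root-cause finding, reached by asking "why" until it is actionable
    action: str             # specific remediation step
    owner: str              # individual accountable for closing the item
    due: date               # milestone: planned completion date
    verification: str       # evidence that will show the work is done
    closed_on: Optional[date] = None

def missing_fields(item: PoamItem) -> List[str]:
    """Required text fields left blank; a blank field means the item cannot be worked or verified."""
    return [f for f in ("gap", "action", "owner", "verification") if not getattr(item, f).strip()]

def closure_deadline(assessment_date: date) -> date:
    """Last day an item carried into the assessment may remain open."""
    return assessment_date + timedelta(days=CLOSURE_WINDOW_DAYS)

def review(items: List[PoamItem], assessment_date: date, today: date) -> Dict[str, str]:
    """Classify each item so the CMMC point person sees what needs attention first."""
    deadline = closure_deadline(assessment_date)
    status: Dict[str, str] = {}
    for it in items:
        if it.closed_on is not None:
            status[it.control] = "closed"
        elif missing_fields(it):
            status[it.control] = "incomplete"      # not actionable as written
        elif it.due > deadline:
            status[it.control] = "beyond_window"   # milestone later than the 180-day deadline
        elif today > it.due:
            status[it.control] = "overdue"         # milestone missed; re-plan and re-assign
        else:
            status[it.control] = "open"
    return status

# Constructed sample register (not real findings) for an assessment dated 1 March 2025.
ASSESSMENT_DATE = date(2025, 3, 1)
SAMPLE_ITEMS = [
    PoamItem("SAMPLE-1", "No patch cadence defined", "Adopt monthly patch window", "IT lead", date(2025, 6, 15), "Patch reports for two cycles"),
    PoamItem("SAMPLE-2", "Logs are not reviewed", "Stand up weekly log review", "SecOps", date(2025, 9, 15), "Review tickets"),
    PoamItem("SAMPLE-3", "No account review process", "Define quarterly account review", "", date(2025, 5, 30), "Signed review record"),
    PoamItem("SAMPLE-4", "Stale accounts present", "Disable accounts inactive 90 days", "HR/IT", date(2025, 4, 15), "Directory export"),
    PoamItem("SAMPLE-5", "Policy has no owner", "Assign policy owner", "CISO", date(2025, 3, 20), "Updated policy", closed_on=date(2025, 3, 18)),
]

def sample_review() -> Dict[str, str]:
    return review(SAMPLE_ITEMS, ASSESSMENT_DATE, today=date(2025, 5, 1))
```

Items marked beyond_window or incomplete are the ones that would not hold up at assessment; the others are ordinary tracking states.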
NIST 800-171 POA&M documentation is a direct precursor to CMMC compliance for many defense contractors. Under DFARS 252.204-7012, contractors are already required to implement NIST SP 800-171 controls and track any unmet requirements in a POA&M. When CMMC certification applies to a contract, that same documentation becomes part of your readiness record for a formal C3PAO assessment. Contractors who have maintained a current, accurate NIST 800-171 POA&M are generally better positioned for CMMC because the documentation framework is substantially the same. If your NIST 800-171 POA&M has gaps or has not been kept current, addressing that before beginning your CMMC readiness process is a recommended first step.