“Develop, document, and periodically update plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.” - NIST SP 800-171 Rev. 2, 3.12.3
Let us start by saying that the time to fix gaps is before your formal assessment begins. Before you sit for your CMMC Level 2 assessment, your POA&M should not include unremediated items.
It is also critical to understand, when approaching an assessment, that some controls cannot be placed on a POA&M at all.
According to the Department of Defense, certain foundational security controls are non-POA&M-eligible. These must be fully implemented and validated prior to certification.
These include (but are not limited to):
If any of these controls are found to be unimplemented during your assessment, a POA&M cannot be used to defer remediation. These are considered critical requirements for establishing a baseline of trust in your environment.
If a deficiency is discovered during a C3PAO assessment, and it falls under one of the controls not eligible for deferral, your organization cannot be awarded Level 2 certification until it’s resolved.
Few documents tell the story of an organization’s cybersecurity journey like a Plan of Action and Milestones (POA&M).
Control 3.12.3 requires that your organization develop and maintain plans to track deficiencies, assign ownership, and follow them through to completion. In other words, it’s your roadmap to improvement.
When assessing this control, the C3PAO wants to see that your POA&M:
The POA&M requirement existed long before CMMC, as part of NIST SP 800-171. But over time, the DoD found that many organizations created POA&Ms—and then never addressed them.
It became common to see systems with long-standing open deficiencies that were technically “documented” but never fixed. This gap between paperwork and performance is one of the reasons the CMMC validation program was created: CUI was leaking to our enemies, and sensitive systems were being accessed and sabotaged, with dire, expensive, and deadly results.
CMMC’s third-party assessments hold organizations accountable for not just identifying weaknesses but actually correcting them. The move from self-attestation to validation was designed to ensure that the security promises made on paper matched the reality in practice.
So while having a POA&M is part of compliance, using it effectively—and closing the gaps it tracks—is part of maturity.
As a leader, your job is to ensure the POA&M reflects real progress, not just documentation.
That means:
A C3PAO can tell the difference between a POA&M that’s part of an active governance process and one that was written for show. The first reflects leadership; the second reflects a lack of engagement.
If you’re preparing for a CMMC Level 2 assessment, your POA&M should already be clean, meaning all required controls are implemented, evidence is gathered, and any residual issues are documented with closure plans already executed.
Submitting to assessment with unresolved critical items can result in a finding that blocks certification entirely.
Simply put, the POA&M is not a safety net; it’s your accountability report.
The best leaders use the POA&M as a management tool, not a compliance checkbox. Some organizations find that GRC tools help them keep organized internally. Ask us for some suggestions.
It shows your C3PAO that you understand your weaknesses, that you track them methodically, and that you’re serious about resolving them. Your clients and any primes you work with will want to know how many POA&M items you have left to close, to judge whether you are too risky to work with.
But when it’s left open or ignored, it becomes proof of the opposite.
The difference between a compliant organization and a confident one isn’t the number of findings—it’s how quickly, and how completely, they’re resolved.