The POA&M is one of the two most consequential documents in a CMMC assessment. Most organizations treat it as a remediation tracker. Assessors read it as a governance artifact. Here is what they actually verify, and where most POA&Ms quietly fail.
The Plan of Action and Milestones is one of the two most consequential documents in a CMMC assessment. The System Security Plan describes the security posture you say you have. The POA&M describes the gap between what you say you have and what you actually have, what you are doing about it, and on what timeline. Most organizations treat the POA&M as a remediation tracker. Assessors read it as a governance artifact. The gap between those two readings is where assessment findings live.
This piece walks through what an assessor actually reads when they open your POA&M, the structural elements they verify on each item, the closure discipline that determines whether your closed items count, and the reconciliation checks they run against the SSP before they look at your environment.
The POA&M is required by NIST SP 800-171 control 3.12.2 under Rev 2, and by CA-5 in the broader NIST 800-53 family. Its purpose is to formally document any control that is not fully implemented, the specific deficiency, the remediation plan, the resources required, the responsible parties, and the timeline. It is not a working document for your security team. It is a governance instrument that demonstrates to the assessor, the contracting officer, and DCSA that your organization has identified its gaps, owns them, and is closing them with discipline.
An assessor reading the POA&M is asking three questions. Does the organization know what it has not implemented? Does it have a credible plan to address each gap? Is that plan actually moving?
Most POA&Ms answer the first question competently, the second question vaguely, and the third question not at all.
Under DoD's NIST 800-171 scoring methodology, the 110 controls are not weighted equally. A subset carries a 5-point deduction if not implemented. Another subset carries 3 points. The remaining controls carry a 1-point deduction. CMMC Level 2 requires a minimum SPRS score of 88 out of 110 for conditional certification.
The implication for POA&M planning is structural. Not every open control can be addressed through POA&M. The higher-weighted controls, the ones carrying 5-point or 3-point deductions, generally must be fully implemented at the time of assessment. The DoD scoring guidance and the CMMC Final Rule define which controls are eligible for POA&M deferral and which are not. Organizations that assume any deficiency can be placed on POA&M and still achieve conditional certification frequently discover during pre-assessment that their highest-impact gaps are not eligible.
The second structural rule: every POA&M item must be closed within 180 days of conditional certification. After 180 days, the conditional certification is revoked. This is a hard deadline. It is not negotiable based on resource constraints, vendor delays, or competing business priorities. Organizations that build POA&Ms with vague milestones discover at day 175 that they cannot evidence closure on items they assumed would resolve themselves.
For each open POA&M item, an assessor expects to find six elements. Missing any one of them creates a finding on the POA&M itself, separate from the underlying control deficiency.
One. Specific control reference. Not "access control" or "training." The specific NIST 800-171 control family and number, mapped to the exact requirement that is not fully implemented. AC.L2-3.1.20, not "remote access controls."
Two. Clear description of the deficiency. What is specifically not implemented or partially implemented. "MFA is not enforced for break-glass administrator accounts on the legacy database server, which are excluded from the conditional access policy by current configuration" is a description. "MFA needs work" is not.
Three. A mitigation plan with specific actions. The plan should describe what will be done at a level of specificity that another practitioner could execute it without further conversation. "Decommission legacy database server and migrate to new platform with full conditional access coverage" is a plan. "Implement the control" is not.
Four. Realistic milestones with dates. If every milestone on your POA&M is "30 days from now," the assessor knows the work has not actually been planned. Milestones should reflect real dependencies, real resource availability, and real lead times. A POA&M with milestone dates that all line up suspiciously evenly is a tell that the dates were assigned to satisfy the document rather than to drive the work.
Five. Resource requirements. Who is responsible by name or role. What budget is allocated. What dependencies exist. An item that says "IT will handle" is not a resource plan. An item that says "Database Administrator owns the work, $15,000 license cost approved in Q3 budget, dependent on ServiceNow workflow capacity confirmed available" is a resource plan.
Six. Completion criteria. How closure will be evidenced. What artifact will exist when this item is closed. The assessor needs to know, before they close the item, what they will look at to verify closure. "Updated conditional access policy with audit log showing enforcement on all privileged accounts, retained in evidence repository" is a completion criterion. "MFA implemented" is not.
This is where most POA&Ms quietly fail.
An item marked closed on the POA&M without retrievable evidence is a finding. The assessor will sample-test closed items. They will ask, for an item closed six months ago, to see the evidence base that supports the closure. If the evidence is not retrievable on demand, the item is treated as still open, and the SSP-POA&M reconciliation breaks immediately.
Closure means four things, not one. The control is implemented. The implementation has been tested. The test results are documented. The implementation is sustained in operation. An item closed on the strength of "we did the work" without artifact, without test record, without ongoing operational evidence, is closed in name only.
The common failure mode looks like this. The team implements the control. They mark the item closed on the POA&M. Eighteen months later, the assessor asks for evidence of the work. The screen captures are in someone's personal OneDrive. The configuration change ticket is in a system that has since been retired. The person who did the work has left the company. The control may still be implemented, technically, but the evidence is gone, and from the assessor's perspective the item must be treated as open.
The fix is straightforward and entirely operational. Every closure produces an evidence artifact that lives in a designated evidence repository, named with the control reference and the closure date, retrievable by anyone reviewing the POA&M for the next assessment cycle. The artifact survives personnel turnover. It survives system migration. It survives the eighteen-month gap between the work being done and the assessor asking about it.
A POA&M with all original milestone dates still in the future twelve months after creation is a tell. A POA&M with all dates in the past, where every item still shows the original expected completion date that has now slipped, is a different tell. Both signal that the document is not being maintained.
The discipline is quarterly review at minimum. Every open item gets a status update. Milestones that have slipped are documented with the reason and a revised date, not silently rolled forward. Items where underlying conditions have changed get new mitigation plans. New deficiencies discovered through continuous monitoring get added to the document, not tracked separately on a side spreadsheet.
Risk acceptance is documented when items cannot be closed within the planned timeline. A control deficiency that the organization has decided, with executive approval, to accept as residual risk for a defined period must appear on the POA&M with the risk acceptance documented, the approving authority named, and the review date set. Risk acceptance is not silent. It is a formal decision the assessor will want to see signed.
Before an assessor looks at your environment, they reconcile your SSP against your POA&M. Every control marked in the SSP as not implemented or partially implemented should appear on the POA&M as an open item. Every open POA&M item should trace to a specific SSP control statement.
Misalignment in either direction is a finding. A POA&M item with no corresponding SSP entry suggests the SSP is incomplete. An SSP control marked partially implemented with no corresponding POA&M item suggests the organization has identified the gap but is not formally tracking remediation, which is itself a control failure under CA-5.
The reconciliation is mechanical and unforgiving. The assessor will run through the list. If the documents do not match, the conversation stops being about specific controls and becomes about whether the organization has the governance discipline to maintain its own compliance documents.
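Because the reconciliation is mechanical, it can be run in-house on the same cadence as the quarterly review. The following is an added example written for this article, not the author's or an assessor's tool: it runs the two-direction SSP/POA&M match described above, samples closed items against the evidence repository as the closure-discipline section describes, and flags open items whose last milestone has passed. The SSP is modelled as a mapping from control id to implementation status, the POA&M as a list of item dicts and the evidence repository as the set of artifact names that can actually be retrieved today; those layouts, the status vocabulary and all sample data (including which sample controls are marked partially implemented) are constructed for the example.

```python
"""Added example: SSP-to-POA&M reconciliation with closure-evidence sampling.

Illustrative code written for this article, not the author's or an assessor's
tool. The SSP is modelled as a mapping from control id to implementation
status, the POA&M as a list of item dicts, and the evidence repository as the
set of artifact names that can actually be retrieved today; those layouts, the
status vocabulary and all sample data are constructed for the example.
"""
from datetime import date

GAP_STATUSES = {"not implemented", "partially implemented"}


def reconcile(ssp: dict, poam: list, evidence_repo: set, today: date) -> dict:
    """Return {finding category: [control ids]} for the four pre-environment checks."""
    findings = {
        "ssp_gap_without_poam": [],     # SSP admits a gap, no open POA&M item tracks it
        "poam_without_ssp_gap": [],     # open item, but SSP claims the control is implemented
        "closed_without_evidence": [],  # closed item whose artifact cannot be retrieved
        "stale_milestone": [],          # open item whose last milestone date has passed
    }
    open_controls = {i["control"] for i in poam if i["status"] == "open"}

    # Direction 1: every SSP gap must be an open POA&M item.
    for control, status in ssp.items():
        if status in GAP_STATUSES and control not in open_controls:
            findings["ssp_gap_without_poam"].append(control)

    # Direction 2: every open item must trace to an SSP gap; closed items must
    # still be evidenced, otherwise the assessor treats them as open.
    for item in poam:
        control = item["control"]
        if item["status"] == "open":
            if ssp.get(control) not in GAP_STATUSES:
                findings["poam_without_ssp_gap"].append(control)
            if item["milestones"] and max(item["milestones"]) < today:
                findings["stale_milestone"].append(control)
        elif item["status"] == "closed":
            if item.get("evidence_artifact") not in evidence_repo:
                findings["closed_without_evidence"].append(control)
    return findings


def is_reconciled(findings: dict) -> bool:
    """True only when every finding category is empty."""
    return not any(findings.values())


# --- constructed sample data -------------------------------------------------
SSP = {
    "AC.L2-3.1.20": "partially implemented",
    "AU.L2-3.3.1": "implemented",
    "CM.L2-3.4.1": "partially implemented",   # gap with no POA&M item
    "IA.L2-3.5.3": "implemented",
}
POAM = [
    {"control": "AC.L2-3.1.20", "status": "open",
     "milestones": [date(2026, 6, 15), date(2026, 12, 15)], "evidence_artifact": None},
    {"control": "IA.L2-3.5.3", "status": "closed", "milestones": [date(2025, 9, 30)],
     "evidence_artifact": "IA.L2-3.5.3_2025-09-30_conditional-access-policy.pdf"},
    {"control": "AU.L2-3.3.1", "status": "closed", "milestones": [date(2025, 10, 15)],
     "evidence_artifact": "AU.L2-3.3.1_2025-10-15_audit-config.png"},
    {"control": "SC.L2-3.13.1", "status": "open",      # not in the SSP at all
     "milestones": [date(2025, 11, 30)], "evidence_artifact": None},
]
# Only one closed item's artifact is retrievable; the AU screenshot was lost in a migration.
EVIDENCE_REPO = {"IA.L2-3.5.3_2025-09-30_conditional-access-policy.pdf"}
TODAY = date(2026, 3, 1)

if __name__ == "__main__":
    result = reconcile(SSP, POAM, EVIDENCE_REPO, TODAY)
    for category, controls in result.items():
        print(f"{category:26} {controls or 'none'}")
    print("reconciled:", is_reconciled(result))
```

On the sample data each category fires exactly once: the SSP gap with no tracker, the open item the SSP does not acknowledge, the closed item whose evidence cannot be produced, and the open item whose dates have slipped. Any non-empty category is the point where, in the article's words, the conversation stops being about controls and starts being about governance.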
A well-built POA&M item, in summary form, reads:
Control: AC.L2-3.1.20 (Verify and control connections to and use of external systems)
Deficiency: External system inventory exists in spreadsheet form, last updated nine months ago. No automated discovery, no approval workflow for new external connections, no quarterly review process.
Mitigation: Deploy automated external connection discovery, implement approval workflow in ServiceNow, establish quarterly review with Security and IT leadership.
Milestones: Discovery tool selected by 2026-06-15. Procurement and deployment by 2026-08-30. Workflow operational by 2026-09-30. First quarterly review completed by 2026-12-15.
Resources: Security Engineer and IT Operations Manager jointly responsible. $22,000 tool licensing approved in Q3 budget. Dependent on ServiceNow workflow capacity, confirmed available.
Completion Criteria: Tool deployment evidence, first quarterly review minutes, updated SSP section 3.1 control statement, retained in evidence repository under control reference and closure date.
Status: Open, on schedule.
That item takes an assessor about ninety seconds to read and accept. The same gap, described as "external connections need work, IT to handle, 30 days," generates a finding before the assessor leaves the document.
The POA&M is one of the artifacts we install when we build a CMMC program for a client. It lives in a controlled location, it is reviewed on a defined cadence, it is reconciled quarterly against the SSP, and every closure produces an evidence artifact that survives personnel changes and system migrations. This is what assessor-grade documentation discipline looks like in operation, and it is the difference between a POA&M that supports certification and a POA&M that creates findings.
If your current POA&M has open items that have been open longer than the original milestone date, or closed items where the evidence is not immediately retrievable, that is the conversation worth having.
An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.