What a POA&M Is and When You Need One

A Plan of Action and Milestones (POA&M) tracks security requirements that are not yet met, together with the planned remediation for each one. CMMC Level 2 allows POA&Ms for non-critical controls if a compliant System Security Plan (SSP) exists and remediation is completed within the defined timelines. Level 1 allows none. Level 3 has stricter rules.

Why Most POA&Ms Are Useless

Common failures include vague descriptions, missing owners, unrealistic dates, and no evidence of progress tracking. Such entries serve as cover-your-ass documentation rather than real remediation plans, and assessors reject them during certification.

What a Real POA&M Entry Looks Like

Strong entry example:

  • Control: 3.1.1 Limit system access to authorized users
  • Gap: No documented access control policy or user list
  • Remediation: Draft and approve access control policy; create role-based user inventory
  • Owner: Jane Smith, IT Manager
  • Start Date: 2025-04-01
  • Target Completion: 2025-06-30
  • Milestones: Policy draft 2025-04-30; user inventory complete 2025-05-31; training and implementation 2025-06-30
  • Resources Needed: 40 hours internal effort
  • Status: In progress (updated monthly)

What a CYA POA&M Entry Looks Like

Weak entry example:

  • Control: Access control
  • Gap: Needs improvement
  • Plan: Fix it
  • Owner: IT
  • Date: TBD

Scoring Implications of Open POA&Ms

In CMMC Level 2 certification assessments, each control is worth points. An unmet control with a POA&M receives partial credit only if the POA&M is specific, realistic, and tracked. A vague or expired POA&M scores zero for that control, and too many open items can prevent certification altogether.
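The strong and weak entries above, and the "specific, realistic, tracked" test that decides whether an open item earns credit, are mechanical enough to lint. The following Python script is an added example, not code from the original article or from any CMMC or NIST publication: it encodes each entry as a dictionary and flags the failure modes the article names (vague wording, no named owner, "TBD" or expired dates, no dated milestones). The field names, the list of vague phrases, the "owner must contain a comma-separated role" heuristic, the control-id pattern and the as-of date are all assumptions chosen for illustration; both sample entries are constructed from the bullets above.

```python
"""Lint a POA&M register against the criteria in the article above.
Illustrative tool only; field names and heuristics are assumptions."""
import re
from datetime import date
from typing import Dict, List

# Phrases that make a gap or remediation non-actionable (assumed list).
VAGUE_PHRASES = {"", "tbd", "n/a", "needs improvement", "fix it", "improve"}
# A specific control reference looks like "3.1.1 Limit system access ..."
CONTROL_ID = re.compile(r"^\d+\.\d+\.\d+\s+\S")
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
REQUIRED_FIELDS = ("control", "gap", "remediation", "owner",
                   "start", "target", "milestones", "status")


def _parse_date(text: str):
    """Return a date for an exact ISO string, or None for 'TBD', '', etc."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def lint_entry(entry: Dict[str, str], as_of: date) -> List[str]:
    """Return findings for one entry; an empty list means it passes."""
    findings: List[str] = []
    get = lambda k: entry.get(k, "").strip()  # noqa: E731

    for key in REQUIRED_FIELDS:
        if not get(key):
            findings.append(f"missing field: {key}")
    if not CONTROL_ID.match(get("control")):
        findings.append("control is not a specific requirement id")
    for key in ("gap", "remediation"):
        if get(key).lower() in VAGUE_PHRASES:
            findings.append(f"{key} is vague: {get(key)!r}")
    # Heuristic: a real owner is 'Name, Role', not a team such as 'IT'.
    if "," not in get("owner"):
        findings.append("owner is not a named individual with a role")

    start, target = _parse_date(get("start")), _parse_date(get("target"))
    if start is None or target is None:
        findings.append("start/target are not ISO dates")
    else:
        if target < start:
            findings.append("target completion precedes start date")
        if target < as_of:
            findings.append("POA&M expired: target date has passed")

    # Progress is only trackable if every milestone carries a date.
    milestones = [m for m in get("milestones").split(";") if m.strip()]
    if not milestones:
        findings.append("no milestones")
    elif any(not ISO_DATE.search(m) for m in milestones):
        findings.append("milestone without a date")
    return findings


def lint_register(entries: List[Dict[str, str]], as_of: date) -> Dict[str, List[str]]:
    """Map each entry's control text to its findings."""
    return {e.get("control", "?"): lint_entry(e, as_of) for e in entries}


# Constructed samples mirroring the article's strong and weak entries.
STRONG = {
    "control": "3.1.1 Limit system access to authorized users",
    "gap": "No documented access control policy or user list",
    "remediation": "Draft and approve access control policy; "
                   "create role-based user inventory",
    "owner": "Jane Smith, IT Manager",
    "start": "2025-04-01",
    "target": "2025-06-30",
    "milestones": "Policy draft 2025-04-30; user inventory complete "
                  "2025-05-31; training and implementation 2025-06-30",
    "status": "In progress (updated monthly)",
}
WEAK = {"control": "Access control", "gap": "Needs improvement",
        "remediation": "Fix it", "owner": "IT", "start": "",
        "target": "TBD", "milestones": "", "status": ""}

if __name__ == "__main__":
    for control, findings in lint_register([STRONG, WEAK], date(2025, 5, 15)).items():
        print(control, "->", findings or "PASS")
```

Run it during the monthly update with the current date as `as_of`: an entry that passed last quarter turns into a finding the day its target date slips past, which is exactly the "expired POA&M scores zero" case the article describes.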

Write POA&Ms like project plans, not excuses. Assign real owners and track progress monthly. Anything less wastes time and risks failing the assessment.