A Plan of Action and Milestones - POA&M - is the document that acknowledges a control is not fully implemented and commits to a remediation schedule. Under the original DFARS 252.204-7012 regime, POA&Ms were permissive: contractors self-assessed, scored themselves against NIST 800-171, and entered a Summary Level Score that reflected any open POA&M items.
CMMC 2.0 narrows this substantially. The final rule differentiates between controls that can sit on a POA&M at the time of assessment and controls that cannot. Getting this distinction wrong costs contracts.
The conditional certification mechanic
Under CMMC 2.0, a Level 2 assessment produces one of three outcomes:
- Final Level 2: every control MET at assessment. Full three-year certification.
- Conditional Level 2: most controls MET, with a limited set of POA&M items. Conditional certification valid for 180 days; must be closed and re-verified to convert to Final.
- Not Met: too many controls unmet, or POA&M-eligible thresholds exceeded. No certification; no contract award.
The conditional path is the release valve. But it is a narrow one.
Which controls qualify for POA&M
The final rule assigns each NIST 800-171 control a point weight: 1, 3, or 5. POA&M eligibility follows from weight and criticality:
- Ineligible for POA&M: most 5-point controls and a subset of 3-point controls deemed foundational. Examples: multifactor authentication for privileged accounts (IA.L2-3.5.3), FIPS-validated cryptography (SC.L2-3.13.11), separation of duties (AC.L2-3.1.4), and specific audit record protections. These must be MET at assessment.
- Eligible for POA&M with caps: 1-point and some 3-point controls may sit on a POA&M at assessment, subject to aggregate score constraints. The conditional certification requires the final score to be at or above 88 of 110 (80%), and the total number of POA&M items must remain below the threshold defined by the assessment.
The practical implication: a contractor can walk into a Level 2 assessment with a handful of low-weight gaps and still earn conditional certification, but cannot walk in with MFA or FIPS deferred. The controls that anchor the CUI boundary are non-negotiable at assessment time.
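The outcome logic described above, worked through as an added example (not code from the article or from Techvera). The 1/3/5 weights, the 88-of-110 threshold and the rule that ineligible controls must be MET come from the text; the cap on open POA&M items, the point weights assigned to the sample controls, and the HYPO-/FILL- identifiers are assumptions or placeholders.

```python
from dataclasses import dataclass

# Constructed model of the Level 2 outcome logic described above. The 1/3/5
# weights, the 88-of-110 threshold and "ineligible controls must be MET" come
# from the article; the cap on open POA&M items is set per assessment and not
# stated on the page, so it is a parameter here (assumption).
MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88

@dataclass
class Control:
    cid: str             # practice reference, e.g. "IA.L2-3.5.3"
    weight: int          # 1, 3 or 5 points
    met: bool            # MET at assessment?
    poam_eligible: bool  # False for foundational controls that cannot be deferred

def score(controls):
    """Summary-level score: 110 minus the weight of every unmet control."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.met)

def level2_outcome(controls, max_poam_items):
    """Return (outcome, reasons): 'Final', 'Conditional' or 'Not Met'."""
    unmet = [c for c in controls if not c.met]
    if not unmet:
        return "Final", []
    reasons = []
    blocking = [c.cid for c in unmet if not c.poam_eligible]
    if blocking:
        reasons.append(f"non-POA&M-eligible controls unmet: {blocking}")
    s = score(controls)
    if s < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {s} is below {CONDITIONAL_MIN_SCORE}")
    if len(unmet) > max_poam_items:
        reasons.append(f"{len(unmet)} open items exceed the cap of {max_poam_items}")
    return ("Not Met" if reasons else "Conditional"), reasons

def sample_assessment(defer_mfa):
    """Constructed assessment: the three controls named in the article (weights
    illustrative) plus two hypothetical 1-point gaps, padded with MET filler to 110."""
    ctrls = [Control("IA.L2-3.5.3", 5, not defer_mfa, False),  # MFA, privileged accounts
             Control("SC.L2-3.13.11", 5, True, False),         # FIPS-validated crypto
             Control("AC.L2-3.1.4", 3, True, False),           # separation of duties
             Control("HYPO-1PT-A", 1, False, True),            # placeholder 1-point gap
             Control("HYPO-1PT-B", 1, False, True)]            # placeholder 1-point gap
    ctrls += [Control(f"FILL-{i}", 1, True, True) for i in range(110 - len(ctrls))]
    return ctrls
```

With MFA deferred the score is still 103, comfortably above 88, yet the outcome is Not Met: the threshold alone is not what decides eligibility.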
Writing a defensible POA&M
A POA&M is not an admission of weakness; it is a commitment document. Every POA&M entry should contain:
- Control identifier: NIST 800-171 control number and the CMMC practice reference
- Observed gap: specific description of what is missing, not a paraphrase of the control text
- Root cause: why the gap exists (tool not deployed, policy drafted but not enforced, staffing gap, etc.)
- Remediation steps: discrete, measurable actions with named owners
- Resources required: budget, staff time, vendor engagement
- Milestones: interim checkpoints with dates
- Target closure date: specific date, not "within 6 months"
- Risk acceptance: statement of residual risk during the remediation window and compensating controls in place
The risk acceptance paragraph is where many POA&Ms fail. If the remediation window exceeds 30 days, the document must explain what compensating controls reduce the risk during that window. "We plan to deploy MFA" is not enough; "in the interim, administrative access is restricted to jump hosts with physical token authentication, session recording, and 24-hour activity review" is.
Closure timelines
Conditional certification is valid for 180 days. Every POA&M item must be closed - meaning MET, not merely "in progress" - before the 180-day clock expires, and the C3PAO must re-verify closure. Re-verification is typically a targeted engagement, not a full reassessment, but it is not free. Budget for a closure verification engagement at roughly 15-25% of the original assessment cost.
If closure slips beyond 180 days, the conditional certification lapses. The contractor does not automatically lose existing contract awards, but new awards requiring Level 2 are blocked until a fresh assessment produces a certified status.
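A checker for the POA&M entry structure and the closure rules described above, as an added example (not code from the article or from Techvera). The required fields, the "specific date" rule, the 30-day compensating-control rule and the 180-day window come from the text; the dictionary key names, the placeholder control reference and the sample entry values are this example's own assumptions.

```python
from datetime import date, timedelta

# Constructed checker for the POA&M entry structure above. The required fields,
# the "specific date" rule, the 30-day compensating-control rule and the 180-day
# conditional window are taken from the article; the dictionary key names and
# the sample entry are this example's own choices.
REQUIRED_FIELDS = ("control_id", "observed_gap", "root_cause", "remediation_steps",
                   "resources", "milestones", "target_closure", "risk_acceptance")
CONDITIONAL_WINDOW = timedelta(days=180)
COMPENSATING_NEEDED_BEYOND = timedelta(days=30)

def validate_entry(entry, cert_date):
    """Return a list of findings; an empty list means the entry is defensible."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if not entry.get(f)]
    target = entry.get("target_closure")
    if not isinstance(target, date):
        findings.append("target_closure must be a specific date, not 'within 6 months'")
        return findings
    window = target - cert_date
    if window > CONDITIONAL_WINDOW:
        findings.append(f"closure {window.days} days after certification exceeds the 180-day window")
    if window > COMPENSATING_NEEDED_BEYOND and not entry.get("compensating_controls"):
        findings.append("remediation exceeds 30 days but no compensating controls are recorded")
    if any(not step.get("owner") for step in entry.get("remediation_steps", [])):
        findings.append("every remediation step needs a named owner")
    for m in entry.get("milestones", []):
        if not cert_date <= m["date"] <= target:
            findings.append(f"milestone '{m['name']}' falls outside the remediation window")
    return findings

# Constructed sample: a 1-point gap deferred at assessment, with illustrative values.
CERT_DATE = date(2025, 1, 15)
SAMPLE_ENTRY = {
    "control_id": "HYPO-1PT-A (placeholder practice reference)",
    "observed_gap": "Role-based security training not delivered to two new engineers",
    "root_cause": "Onboarding checklist omitted the training step",
    "remediation_steps": [{"action": "Update onboarding checklist", "owner": "J. Doe"},
                          {"action": "Deliver and record training", "owner": "J. Doe"}],
    "resources": "4 staff hours; no budget",
    "milestones": [{"name": "checklist updated", "date": date(2025, 2, 1)}],
    "target_closure": date(2025, 3, 1),
    "risk_acceptance": "Residual risk low; affected staff have no CUI access until trained",
    "compensating_controls": "CUI share access withheld until training recorded",
}
```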
POA&M hygiene during sustained operation
POA&Ms do not stop at assessment closure. Every time a control drifts out of implementation - because a tool was decommissioned, a policy was revised without being implemented, a new asset was added without baselining - a POA&M should open. The SSP and POA&M are living documents; a stale SSP with no open POA&M items is almost always an inaccurate SSP.
Best practices for ongoing hygiene:
- Monthly review of control implementation status by the compliance lead
- Automatic POA&M entry when a monitoring control (vulnerability management, config management, access review) detects drift
- Quarterly POA&M review with security leadership to prioritize closures
- Annual SSP walkthrough against the full NIST 800-171 control set
Contract impact
A conditional certification meets the award threshold for most Level 2 contracts, provided the contracting officer has not added a "Final Certification Only" restriction. Read the solicitation carefully - a handful of program offices have started adding this restriction for high-sensitivity work, which eliminates the conditional path entirely.
For prime contractors managing tier-2 flow-down, the conditional vs final distinction matters differently. Primes who accept a conditionally certified sub assume supply-chain risk until closure verification. Some primes have begun requiring sub-tier certification to Final within the first 90 days of flow-down as a contractual matter.
What this means for your program
A pragmatic Level 2 program does not attempt 110-of-110 implementation before assessment. It implements the non-POA&M-eligible controls rigorously, accepts a defined set of low-weight gaps that map to a closure plan, and enters the assessment with a detailed POA&M that demonstrates thought, resources, and commitment. That posture produces a conditional certification, a predictable closure, and preserved contract eligibility.
The contractor who tries to close 110 gaps in one sprint before assessment runs out of budget, misses the assessment window, and delivers no certification at all.
POA&M governance - who owns closure
Every POA&M item should have a named owner, a sponsoring executive, and a funding source before it is logged. POA&Ms with ambiguous ownership drift; those with an owner and a funded remediation move to closure predictably. For larger programs, a governance cadence with monthly owner check-ins and quarterly executive review keeps momentum and surfaces stalled items before they threaten the 180-day window.
Common ownership patterns for POA&M items by category:
- Configuration and patch-related gaps: owned by infrastructure or endpoint engineering; sponsored by the CIO
- Access and identity gaps: owned by identity or SOC leads; sponsored by the CISO
- Policy or procedural gaps: owned by the compliance or governance, risk, and compliance (GRC) function; sponsored by the CISO or General Counsel
- Training gaps: owned by HR or Security Awareness lead; sponsored by the CISO
- Third-party risk gaps: owned by procurement or vendor management; sponsored by the CFO or CISO jointly
Techvera's compliance practice builds POA&M remediation programs for DIB contractors pursuing Level 2. See our government and defense compliance framework or schedule a readiness review to map your current gaps to a defensible POA&M plan.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
