You build POA&Ms to correct deficiencies you find.
What it actually means
For the gaps your assessment finds, you develop and implement Plans of Action & Milestones (POA&Ms) to fix them. This is the control behind the POA&M document. (See our POA&M guide for the CMMC rules on what's eligible.)
Pass or fail — an assessor needs a "yes" to each
- POA&Ms exist for known deficiencies.
- They're implemented and tracked, not just written.
- Milestones have realistic dates.
What to have ready
- POA&M document with owners + dates
- Evidence of progress against milestones
Where teams trip up
- No POA&M for known gaps
- POA&Ms written but never worked
- Unrealistic or undated milestones
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →