A POA&M — Plan of Action and Milestones — is how you track the controls you haven't fully met yet. Templates are easy to find, and a spreadsheet works fine. But with a POA&M, the template is the easy part. The rules around which controls you can defer, and for how long, are what trip contractors up. Here's both.
What a POA&M template needs to contain
For every control that isn't fully met, your POA&M should capture:
| Field | What it records |
|---|---|
| Control ID & weakness | Which of the 110 controls is not met, and what the specific gap is |
| Planned remediation | What you will do to close it |
| Responsible party | Who owns getting it done |
| Resources required | Budget, tools, or people needed |
| Milestones & completion date | The steps and the target close date (inside the 180-day window) |
| Status | Open / in progress / closed |
The part the template won't tell you: not every control is eligible
This is where a blank template is dangerous — it lets you put anything on the POA&M, but CMMC doesn't. Under a conditional Level 2 status, only a limited set of not-yet-met controls can ride on a POA&M, and:
- You must hit a minimum score to qualify for conditional status at all (run your SPRS score to see where you stand).
- The highest-weight controls generally cannot be deferred, with narrow exceptions such as 3.13.11 (FIPS-validated cryptography).
- Some controls can't be POA&M'd at all — notably having an SSP (3.12.4).
The 180-day clock
A POA&M is not a permanent exception. CMMC requires POA&M items to be closed within 180 days of the assessment. Miss the window and your conditional status can lapse. Treat the 180 days as a hard countdown, and sequence your remediation so the highest-impact, fastest wins land first — see the 5-point controls to fix first.
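The eligibility and deadline rules above can be checked mechanically before a POA&M is relied on. The following Python linter is an added example, not part of the original page or any official tool; the CSV column names and the sample rows are assumptions. It enforces only the rules stated here (required fields, the 3.12.4 exclusion, the 180-day window), not the minimum score or control weights.

```python
import csv
import io
from datetime import date, timedelta

# Field names are assumptions: one CSV column per template field described above.
REQUIRED = ["control_id", "weakness", "remediation", "owner",
            "resources", "milestones", "completion_date", "status"]
STATUSES = {"open", "in progress", "closed"}
NOT_POAM_ELIGIBLE = {"3.12.4"}   # the SSP control, named above as never deferrable
WINDOW = timedelta(days=180)     # close-out window counted from the assessment date


def lint_poam(csv_text, assessment_date, today):
    """Return a list of (control_id, problem) findings for a POA&M CSV."""
    deadline = assessment_date + WINDOW
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = (row.get("control_id") or "").strip() or "<missing id>"
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((cid, f"empty field: {field}"))
        if cid in NOT_POAM_ELIGIBLE:
            findings.append((cid, "control cannot be placed on a POA&M"))
        status = (row.get("status") or "").strip().lower()
        if status and status not in STATUSES:
            findings.append((cid, f"unknown status: {status}"))
        raw = (row.get("completion_date") or "").strip()
        if not raw:
            continue
        try:
            due = date.fromisoformat(raw)
        except ValueError:
            findings.append((cid, f"completion_date is not YYYY-MM-DD: {raw}"))
            continue
        if due > deadline:
            findings.append((cid, f"target date is past the 180-day deadline {deadline}"))
        if status != "closed" and today > min(due, deadline):
            findings.append((cid, "still open after its target date"))
    return findings


# Constructed sample data, not a real POA&M.
SAMPLE = """control_id,weakness,remediation,owner,resources,milestones,completion_date,status
3.13.11,Non-validated crypto on VPN,Replace VPN appliance,IT lead,Budget,Order; install,2025-04-15,in progress
3.12.4,No SSP,Write SSP,ISSM,Staff time,Draft; approve,2025-03-01,open
3.4.7,Unused services enabled,Harden baseline,Sysadmin,,Audit; disable,2025-09-30,open
"""

if __name__ == "__main__":
    for cid, problem in lint_poam(SAMPLE, date(2025, 1, 10), date(2025, 5, 1)):
        print(f"{cid}: {problem}")
```

Run on a schedule with the current date as `today`, the same check doubles as the countdown: items that slip past their target date surface before the 180-day deadline does.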
Build an accurate POA&M — score yourself first
Your POA&M is only as good as the gap list behind it. Run all 110 controls free, see exactly what's not met and what it's worth, then document it. No signup.
From gap list to documented plan
The clean workflow: score all 110 to get an accurate, eligible gap list → draft your SSP for what's implemented → put the rest on a POA&M with real milestones and dates → work the 180-day clock. A template gives you the grid; the tools and the control library give you the part that's actually hard.
POA&M templates — frequently asked
What does a POA&M template need?
For each not-yet-met control: control ID + weakness, planned remediation, responsible party, resources, milestones, completion date, and status.
Which controls can go on a POA&M?
Only a limited set under conditional Level 2 — you must meet a minimum score, the highest-weight controls generally can't be deferred (narrow exceptions like 3.13.11), and some (e.g. the SSP, 3.12.4) can't be POA&M'd at all. Confirm against official guidance.
How long to close a POA&M?
180 days from the assessment. It's a time-boxed plan, not a permanent exception; open items past the window can cost you your conditional status.
Is there a free template?
Yes — a spreadsheet works. But the template is the easy part; knowing which controls are eligible and getting your score high enough to qualify is the real work. Score yourself first.