
What Is a POA&M — and the 180-Day Clock

Your Plan of Action & Milestones is how you handle the gaps you haven't closed yet. But under CMMC, what you can defer — and for how long — is tightly limited.

Nobody implements all 110 requirements on day one, and that's expected. The document that handles the gap is the Plan of Action & Milestones (POA&M). But CMMC put real limits on what you're allowed to put off — so it's worth knowing the rules before you lean on it.

What a POA&M is

A POA&M is the companion to your System Security Plan. Where the SSP says where you stand on each requirement, the POA&M says how and when you'll close the gaps. For every requirement you haven't fully met, it records the deficiency, the planned fix, who owns it, and the milestone dates. Assessors expect to see both documents.

The CMMC rules — this is the strict part

Under the CMMC program (32 CFR Part 170), a POA&M is not a free pass to defer anything you like. The key limits:

| Rule | What it means |
| --- | --- |
| Minimum score | You must already meet at least 88 of 110 (80%) to qualify for a conditional status with open POA&M items. |
| 1-point only | Only requirements worth 1 point in the DoD methodology may go on a POA&M. The 3- and 5-point controls generally must be fully implemented. |
| The exception | A narrow exception lets the higher-weight SC.L2-3.13.11 (FIPS-validated cryptography) sit on a POA&M. |
| 180-day closeout | Open POA&M items must be closed and verified within 180 days to reach final status. |

The practical takeaway: you can't paper over a heavy control with a plan. The 5-pointers — MFA, monitored remote access, wireless/mobile — have to be genuinely done. The POA&M is for the small stuff you'll finish within six months. (Confirm the exact eligible-requirement list against current regulation, as the program evolves.)

What goes in a POA&M

For each open requirement, a usable POA&M entry captures:

How it works with your SSP and score

Your SSP documents every requirement; the POA&M tracks the ones marked "planned." A control you've only planned doesn't give you its points back yet — only full implementation does — but documenting the plan is what lets you legitimately report a conditional score and finish an assessment. Close the items, update the SSP, and the points follow.
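The four CMMC limits listed earlier and the score arithmetic in this section can be checked mechanically before an assessment. The following is an added example, not part of the original guide or any official tool; it encodes only the limits stated on this page, the placeholder requirement IDs, weights and dates are constructed, and it assumes the 180-day clock starts on the date conditional status is granted.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110                    # total requirements / maximum score (from the page)
MIN_SCORE = 88                     # 80% floor for conditional status (from the page)
CLOSEOUT_DAYS = 180                # closeout window (from the page)
EXCEPTION_IDS = {"SC.L2-3.13.11"}  # the one higher-weight exception the page names


@dataclass
class OpenItem:
    req_id: str       # requirement identifier
    weight: int       # point weight in the DoD methodology: 1, 3 or 5
    owner: str        # who is responsible for the fix
    milestone: date   # planned completion date


def evaluate_poam(items, conditional_date):
    """Return (eligible, score, deadline, problems) for a list of open items.

    Assumption: the 180-day clock starts on conditional_date.
    """
    # An open item does not earn its points, so its weight comes off the top.
    score = MAX_SCORE - sum(item.weight for item in items)
    deadline = conditional_date + timedelta(days=CLOSEOUT_DAYS)
    problems = []
    if score < MIN_SCORE:
        problems.append(f"score {score} is below the minimum of {MIN_SCORE}")
    for item in items:
        if item.weight > 1 and item.req_id not in EXCEPTION_IDS:
            problems.append(f"{item.req_id}: {item.weight}-point requirement cannot be deferred")
        if item.milestone > deadline:
            problems.append(f"{item.req_id}: milestone {item.milestone} is after closeout {deadline}")
    return (not problems, score, deadline, problems)


if __name__ == "__main__":
    # Constructed sample data: placeholder IDs, weights and dates are illustrative.
    start = date(2025, 1, 1)
    sample = [
        OpenItem("EXAMPLE-1PT", 1, "it-ops", date(2025, 3, 1)),
        OpenItem("SC.L2-3.13.11", 3, "it-ops", date(2025, 6, 15)),
        OpenItem("EXAMPLE-5PT", 5, "it-ops", date(2025, 8, 1)),
    ]
    ok, score, deadline, problems = evaluate_poam(sample, start)
    print(f"eligible={ok} score={score} closeout={deadline}")
    for p in problems:
        print(" -", p)
```

Feed it the weights from your own scoring worksheet; a non-empty problems list means the item has to be implemented rather than planned, or its milestone pulled inside the closeout window.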

See which gaps you can defer — and which you can't

The calculator shows each requirement's point weight, so you know instantly what's POA&M-eligible (1-point) and what has to be done now.


Start here

Score yourself first so you know your number and which gaps are 1-point (deferrable) versus heavy (do now). Run the calculator, document your SSP, and build the POA&M for what's left. Both tools are free.