Guide to POA&M Management for DoD Contractors in 2025


As of the end of last year, DoD contractors have to pay attention to CMMC: the Final Rule for CMMC 2.0 is now in force. The timelines for full CMMC 2.0 compliance have only just started, and the full compliance process will inevitably take time. There will be mistakes, gaps, and missed items along the way.

The accepted way to handle these gaps is through the use of POA&Ms. What are POA&Ms, how do you use them, and what do you need to know for 2025 and beyond?

BLUF - Bottom Line Up Front

Since last year, DoD contractors must follow CMMC 2.0 rules. POA&Ms, or Plans of Action and Milestones, help manage compliance gaps. These documents identify security gaps, assign responsibilities, and set timelines. Under CMMC 2.0, POA&Ms can be used only in limited situations: you need an assessment score of at least 88 out of 110, and with narrow exceptions only 1-point controls may be left open. Contractors need to close POA&Ms within 180 days. While they offer flexibility in audits, relying too heavily on them is risky. Tools like the Ignyte Assurance Platform can aid in tracking compliance.

What Are POA&Ms?

Let’s start simple: What are POA&Ms in the first place?

A POA&M is a Plan of Action and Milestones document. This is a document that identifies a specific gap between your current fulfillment of a given security control and the position you need to reach to satisfy the requirement and consider it met.

The POA&M includes critical information. It is a document that acknowledges the failure to meet the given security requirement, identifies a plan to rectify the situation, outlines a timeline, identifies the individual responsible for overseeing the process, and records dates and other information.


POA&Ms were previously not allowed under CMMC for the Department of Defense. However, with CMMC 2.0, DoD contractors are allowed – in certain circumstances – to use a POA&M if they don’t quite meet the security requirements.

This essentially works as a stopgap and a temporary extension in deadlines for DoD contractors so they don’t lose (or fail to win) their contracts with the DoD.

What Are the Requirements to Use a POA&M?

We say “in certain circumstances” for a reason here.

CMMC 2.0 Level 2 contains 110 security controls, drawn from NIST SP 800-171 revision 2 (Level 3 adds further controls from NIST SP 800-172 on top of these). These 110 controls fit into a points system.

(Note the revision 2 part. Revision 3 exists, but CMMC currently uses revision 2. Watch this space for more, if and when this changes.)

The points system assigns each security control a point value, where the value depends on how critical the control is. Controls can be worth 1 point (for the least critical), 3 points (for the moderately critical), or 5 points (for the essential).

For example:

  • Limiting unsuccessful login attempts is a 1-point control.
  • Using the principle of least privilege is a 3-point control.
  • Using encryption to protect remote access is a 5-point control.

All of this is defined in the NIST SP 800-171 DoD Assessment Methodology, the same scoring used for the self-assessment score you report to SPRS.

It's worth being precise about how the score works, because the point values are penalties rather than credits. Every control counts one point toward a maximum of 110. You start at 110 and subtract the point value of each control that is not implemented: a missing 1-point control costs one point, but a missing 5-point control costs five. That is why a handful of unimplemented essential controls can drag a score well below the passing line, and why scores can even go negative.


To use a POA&M, you must meet specific requirements.

You must be seeking level 2 or level 3 certification. POA&Ms are not allowed for level 1 certification because it’s already as pared-down as is safe; if you can’t even meet the lowest requirements, you likely have no business trying to be a DoD contractor in the first place.

Your assessment score must be at least 88 out of 110 (80%). You can't just assign a POA&M to every control, say, "We're working on it," and win a DoD contract. Because unimplemented controls subtract their point value from the score, that threshold means that, with every 3- and 5-point control already in place, you can have at most 22 one-point controls still open. You have to have the majority of the work already done before you can consider using a POA&M for the rest.

You must have all 3- and 5-point controls implemented. POA&Ms are only eligible for 1-point controls. This is because, while 1-point controls can be minor and a breach in the interim is unlikely to be devastating, the 3- and 5-point controls are much more likely to have severe consequences.

Note: Yes, there are a couple of specific controls rated at 3 or even 5 points that can have a POA&M assigned. The best-known is the FIPS-validated cryptography requirement (3.13.11), which scores 3 points rather than 5 when it is partially implemented and can be carried on a POA&M at that reduced value. This is specific to CMMC Level 2 and only if those controls are at least partially implemented already. It's better to assume otherwise than to bank on an exception, though.

Your C3PAO must assess and accept your use of POA&Ms. You can't simply decide to use POA&Ms to pass muster and win a contract; an assessment with open POA&M items results in a conditional certification status rather than a final one, and the C3PAO has to verify each closed item in a POA&M closeout assessment before that status becomes final. Even then, the DoD can decide not to accept your use of POA&Ms if they don't want to. The more POA&Ms you're trying to use, and the more issues you've had along the way, the more likely they are to tell you to come back once you've fixed it.

Essentially, POA&Ms are meant to be a “we need a few more days/weeks to wrap this up” stopgap rather than a to-do list of unfulfilled requirements.

Critically, POA&Ms must be closed out within 180 days at the most. After that point, the conditional certification expires, and the contract that was contingent on it is at risk. It's also possible that there can be penalties, depending on the terms of any contracts you currently hold.

What Goes Into a POA&M?

A POA&M is not simply a list of controls and an IOU for fulfillment. It is a specific document with tangible details that are critical to the fulfillment of the security control.


A POA&M document is essentially a spreadsheet with seven pieces of data for each control you want to use a POA&M on.

  1. The name of the security control you intend to use a POA&M on.
  2. Identification of the weakness or gap that is preventing your current compliance with that control (for example, not having an updated SSP description for that control).
  3. A ranking of how critical the control is in the scope of your POA&M.
  4. Identification of the specific individual in your organization in charge of implementation of the control.
  5. A list of steps you’re planning to take to implement the control, with completion deadlines and any relevant information.
  6. An estimation of any resources that are required or need to be allocated to complete implementation of the control.
  7. Your final deadline for completing the control.

Each entry is also marked as either ongoing or complete, based on your implementation. Once every item in your POA&M document is complete, you request a POA&M closeout assessment from your C3PAO to validate the complete implementation of your controls and convert the conditional status into a final one.
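The eligibility rules above (80% score, 1-point items only, 180-day close-out) and the seven-field entry format are easy to get wrong in a spreadsheet. The following is an added example, not code from the original post or from Ignyte, that computes the DoD Assessment Methodology score from a catalog of controls and checks a list of POA&M entries against those rules. The catalog here is constructed for illustration: it holds only five of the 110 requirements, using the page's three example controls plus two assumed 1-point controls, with NIST SP 800-171 Rev 2 identifiers added for reference; a real run would load all 110 so that the 80% floor works out to 88. The `partial_ok` set is the hook for the page's "partially implemented" exception and is left empty by default.

```python
from dataclasses import dataclass
from datetime import date, timedelta

POAM_WINDOW = timedelta(days=180)  # close-out limit for POA&M items

# Constructed catalog: requirement id -> point value. Point values for the first
# three are the page's own examples; the last two are assumed 1-point controls.
CATALOG = {
    "3.1.8": 1,   # limit unsuccessful logon attempts
    "3.1.5": 3,   # principle of least privilege
    "3.1.13": 5,  # cryptographic protection of remote access sessions
    "3.5.7": 1,   # minimum password complexity (assumed 1-point for the example)
    "3.8.7": 1,   # control use of removable media (assumed 1-point for the example)
}


@dataclass
class PoamEntry:
    """One row of the POA&M spreadsheet: the seven fields the page lists, plus a status."""
    control: str                         # 1. requirement the POA&M covers
    weakness: str                        # 2. gap preventing compliance
    criticality: str                     # 3. priority within the POA&M
    owner: str                           # 4. accountable individual
    milestones: list[tuple[str, date]]   # 5. steps, each with its own due date
    resources: str                       # 6. resources to allocate (may be blank)
    completion_date: date                # 7. final deadline
    status: str = "ongoing"              # "ongoing" or "complete"


def assessment_score(catalog: dict[str, int], implemented: set[str]) -> int:
    """DoD Assessment Methodology: one point per requirement (110 on the full
    catalog), minus the 1/3/5 weight of every requirement that is not implemented."""
    return len(catalog) - sum(pts for rid, pts in catalog.items() if rid not in implemented)


def check_poam_eligibility(catalog, implemented, poam, assessment_date, partial_ok=frozenset()):
    """Return (score, findings). Empty findings means the POA&M is usable under the
    rules on this page: score >= 80% of the catalog, only 1-point requirements open
    (unless listed in partial_ok), every gap covered, and every close-out within 180 days."""
    findings = []
    score = assessment_score(catalog, implemented)
    if 10 * score < 8 * len(catalog):  # integer form of score/total >= 0.8
        findings.append(f"score {score}/{len(catalog)} is below the 80% floor")

    on_poam = {e.control for e in poam}
    for rid in catalog:
        if rid not in implemented and rid not in on_poam:
            findings.append(f"{rid} is not implemented and has no POA&M entry")

    deadline = assessment_date + POAM_WINDOW
    for e in poam:
        if e.control not in catalog:
            findings.append(f"{e.control}: unknown requirement")
            continue
        if e.control in implemented:
            findings.append(f"{e.control}: on POA&M but recorded as implemented")
        if catalog[e.control] > 1 and e.control not in partial_ok:
            findings.append(f"{e.control}: {catalog[e.control]}-point requirement cannot be on a POA&M")
        for name, value in (("weakness", e.weakness), ("criticality", e.criticality), ("owner", e.owner)):
            if not value.strip():
                findings.append(f"{e.control}: {name} is blank")
        if not e.milestones:
            findings.append(f"{e.control}: no milestones listed")
        if e.completion_date > deadline:
            findings.append(f"{e.control}: completion {e.completion_date} is past the 180-day limit {deadline}")
        for step, due in e.milestones:
            if due > e.completion_date:
                findings.append(f"{e.control}: milestone '{step}' is due after the completion date")
    return score, findings


# Constructed sample data: one open 1-point gap with a well-formed entry ...
ASSESSED = date(2025, 3, 3)
IMPLEMENTED_OK = {"3.1.5", "3.1.13", "3.5.7", "3.8.7"}
GOOD_POAM = [PoamEntry(
    control="3.1.8",
    weakness="Lockout threshold not enforced on the VPN appliance; SSP text outdated",
    criticality="low",
    owner="Director of IT",
    milestones=[("Set lockout policy on VPN appliance", date(2025, 4, 1)),
                ("Update SSP and collect evidence", date(2025, 4, 15))],
    resources="8 engineer-hours",
    completion_date=date(2025, 5, 1),
)]
# ... and an open 5-point gap with a deadline past the 180-day window.
IMPLEMENTED_BAD = {"3.1.5", "3.1.8", "3.5.7", "3.8.7"}
BAD_POAM = [PoamEntry("3.1.13", "FIPS mode not yet enabled on the VPN", "high", "CISO",
                      [("Enable FIPS mode", date(2025, 10, 1))], "vendor support contract",
                      date(2025, 10, 15))]

if __name__ == "__main__":
    for label, impl, poam in (("good", IMPLEMENTED_OK, GOOD_POAM), ("bad", IMPLEMENTED_BAD, BAD_POAM)):
        score, findings = check_poam_eligibility(CATALOG, impl, poam, ASSESSED)
        print(label, score, findings or "eligible")
```

The "bad" case produces three findings at once: the score collapses to 0 because the missing control is worth five points, the control is not POA&M-eligible at all, and its completion date lands after the 180-day limit. Running this against your real SSP status before the assessment, rather than discovering the same three problems from the C3PAO, is the whole point.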

Creating the POA&M

When it comes to actually creating the POA&M, you’ll likely either be working with your C3PAO, or with someone who knows their way around CMMC’s requirements and NIST SP 800-171, and can tell you when you aren’t quite meeting the brief.


Each piece of information for each individual POA&M needs to be specific and well-formatted.

Weakness identification is the key. You have your list of security controls, and as part of your overall SSP, you'll have documented any that don't apply to you. Everything else needs to be tracked and monitored.

This is where a gap analysis comes in. You’ll need to identify the position you currently hold, the position you need to achieve to have a fully implemented security control, and the gap between them.

Related to that are the steps you will take. This is the actual plan of action and list of milestones that make up the POA&M. Some controls may only have 1-3 steps for implementation; others might have a dozen or more. The lengthier and more complex the process, the more detail you'll need to go into, with individual milestones along the way.

Generally speaking, a good planning framework helps a lot here. The simplest is just SMART; each goal and each step should be specific, measurable, achievable, relevant, and time-bound. If any given step doesn’t meet those, break it down into elements until it is.

This is also where you can identify how critical the implementation is. You may not have this assessment until your C3PAO tells you what you’ve missed, but this is essentially a priority order for which POA&Ms you’ll work on in which order. Prioritize the most important ones, of course.

Don’t forget to identify the stakeholder responsible for each POA&M. In general terms, your director of IT or cybersecurity will have overall responsibility. However, that individual might not have full authority across different departments or might not be able to develop and implement employee training or company policy that would be necessary as part of compliance.

You don’t need to list everyone who will be involved; just the person highest up the chain to oversee it all and take responsibility if the POA&M is not met.

Resource allocation is often variable and may not be necessary for some controls, but it may be necessary for others. Resources include finances, employee time, material resources, and procurement. Not every control needs these resources to be implemented, but others do.

Your C3PAO is not assessing your budget; at closeout they check whether the control is implemented. This field is more of a line item so that you know what you need to procure or assign to your teams to achieve compliance with the control.

Should You Use POA&Ms?

After reading all of this, one question you may have is whether or not you should use POA&Ms at all.

Our advice: don’t bank on them, but use them if you need to.

A POA&M is meant to be a middle ground between passing or failing an audit for certification. The DoD, and C3PAOs performing the assessments, recognize that not all security controls are equally critical. A mistake or gap in coverage for an essential control is a lot worse than a gap or mistake in a minor control. Why should they have equal penalties?

In essence, POA&Ms are a way to make the audit not all-or-nothing.


When you’re implementing the security controls across NIST SP 800-171 revision 2, put the greatest effort into the most stringent requirements first. Once you’re certain you have all of the 5-point controls implemented, then make sure you’re doing the 3-point controls. By the time those are done, many of the 1-point controls will be done as well. At that point, it’s just a matter of wrapping up the list.

If you go to undertake your audit and your C3PAO identifies gaps, it’s fine to use a POA&M to rectify the situation. Ideally, though the POA&M has a 180-day window, you should be poised to have the issue fixed much sooner than that.

If you go into your audit knowing that you haven’t met all the requirements and intend to use a POA&M, you may be disappointed. That doesn’t leave as much room for actual mistakes or unintended gaps, and you are more likely to fall beneath the 80% threshold and be ineligible to use POA&Ms in the first place.

The more you bank on them to cover gaps and mistakes, the more you risk even worse results. So, don’t be afraid to use POA&Ms if you need to, but don’t treat them like a shortcut to a faster contract.

Making POA&Ms a Smoother Process

While everything we’ve listed about POA&Ms can be managed through nothing more than a spreadsheet document, there are a wide range of programs and apps that can help out as well. Some of them have templated documents to help fill out POA&Ms. Some of them have milestones and goal tracking. Some of the most advanced even have preconfigured processes to achieve compliance for controls that are commonly subject to POA&Ms.


We’ll throw our hat into the ring as one option. The Ignyte Assurance Platform is an app we developed in conjunction with the Air Force as a way to help centralize and track processes, documentation, and compliance artifacts across a wide range of different frameworks. CMMC is one such framework, and our app helps make sure you have a centralized, collaborative, and secure way to work on your POA&Ms.

We’re also a 3PAO for FedRAMP, though not yet a C3PAO for CMMC 2.0. We know our way around the NIST SP 800-171 requirements, though, and we’re more than happy to answer questions if you have them. Drop us a line, book a demo of the Ignyte Assurance Platform, or explore the other resources we have throughout this site. We’re here, standing by, and ready to help, whatever help it is that you may potentially need.