What is POA&M?
POA&M stands for Plan of Action and Milestones. A POA&M is a tracked plan for remediating security controls that are not yet fully implemented, with owners and target dates.
A Plan of Action and Milestones (POA&M) lists known control gaps and the plan to close them. Under CMMC, a limited set of non-critical controls may be POA&M'd to achieve conditional certification.
Conditional Level 2 status requires closing the POA&M items within 180 days, verified by a follow-on assessment. Critical controls generally cannot be POA&M'd.
Between 15% and 30% of first-attempt assessments end with open POA&M items — one reason a readiness review before the formal assessment materially lowers risk.
- SSP: An SSP is the document describing how an organization implements each required security control across its in-scope environment.
- C3PAO: A C3PAO is an organization authorized by the Cyber AB to conduct official CMMC Level 2 certification assessments.
- SPRS: SPRS is the DoD system where contractors post their NIST 800-171 self-assessment score and, under CMMC, their certification status and affirmations.
See where you actually stand on the 110 controls.
PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.
