CMMC GLOSSARY // POA&M

What is POA&M?

POA&M stands for Plan of Action and Milestones. A POA&M is a tracked plan for remediating security controls that are not yet fully implemented, with owners and target dates.

A Plan of Action and Milestones (POA&M) lists known control gaps and the plan to close them. Under CMMC, a limited set of non-critical controls may be POA&M'd to achieve conditional certification.

Conditional Level 2 status requires closing the POA&M items within 180 days, verified by a follow-on assessment. Critical controls generally cannot be POA&M'd.

Between 15% and 30% of first-attempt assessments end with open POA&M items — one reason a readiness review before the formal assessment materially lowers risk.

FROM TERMS TO READINESS

See where you actually stand on the 110 controls.

PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.

©2026 POLICYCORTEX, INC.