
Understanding POA&Ms and Scoring for CMMC Level 2

In our continuing series on challenges faced by contractors in the Defense Industrial Base, we will address the topic of the Plan of Action and Milestones (POA&M); see our previous article on Scoping and CUI. The Department of Defense’s (DoD) October 2024 CMMC Final Rule (32 CFR Part 170) sets out how contractors may manage security gaps. One key concept is the POA&M: a formal, time-bound plan to fix known deficiencies. Under CMMC, however, POA&Ms can only be used in very limited cases. This article explains what POA&Ms are, how Level 2 scoring works, which controls can be deferred (and which cannot), and how Conditional Certification fits into the process.

What Is a POA&M?

A POA&M is like a project plan for closing security gaps. It identifies the missing control, who is responsible, what actions are needed, and when it will be completed. For example, if an organization doesn’t yet have encrypted backups, their POA&M would specify who will implement encryption, how, and by what date.

POA&Ms are not allowed at all for CMMC Level 1. At Level 2, they are only allowed in narrow circumstances: a company may earn a Conditional Level 2 Certification if it meets the scoring threshold and uses POA&Ms only for a limited set of low-value deficiencies. A POA&M is not a free pass; every item must be closed within 180 days, or the conditional certification expires.

CMMC Level 2 Scoring in Plain Terms

CMMC Level 2 uses a point-based system to evaluate compliance with the 110 controls in NIST SP 800-171. Each control is worth 1, 3, or 5 points based on importance:

  • 5 points: Critical controls (e.g., multi-factor authentication)
  • 3 points: Moderate controls
  • 1 point: Low-impact controls

An organization begins with 110 points and loses the point value of each unmet requirement. To pass, one must score at least 80%, or 88 points. Score alone is not enough, though: every 3-point and 5-point control must be met (with the single encryption exception described in the next section). The good news? If all the higher-value controls are met and only a few lower-value ones are missing, an organization may qualify for Conditional Certification, provided the gaps are eligible for a POA&M.

Which Controls Can Go on a POA&M?

POA&Ms are allowed for certain 1-point controls, and even then, not all of them.

Per the final rule:

  • No 3-point or 5-point controls can go on a POA&M, with the exception noted below.
  • Only some 1-point controls are eligible.
  • Exception: If encryption is in use but is not yet FIPS-validated, the 5-point CUI encryption control (SC.L2-3.13.11) is scored as a 3-point deficiency and may go on a POA&M.

Examples of 1-point controls NOT allowed on a POA&M:

  • AC.L2-3.1.20 (External Connections)
  • AC.L2-3.1.22 (Control Public Information)
  • CA.L2-3.12.4 (System Security Plan)
  • PE.L2-3.10.3 (Escort Visitors)
  • PE.L2-3.10.4 (Physical Access Logs)
  • PE.L2-3.10.5 (Manage Physical Access)

If any of these is unmet, the organization cannot receive a Conditional Certification; they must be fully implemented at the time of the assessment.
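To show how the 88-point threshold and the POA&M eligibility rules above combine, here is an added Python example (not from the original article or from McKonly & Asbury) that scores a hypothetical assessment from a list of unmet requirements. The point values follow the DoD NIST SP 800-171 assessment methodology that the CMMC rule adopts, but the table is a constructed subset of the 110 requirements, and the function and field names and the sample inputs are assumptions for illustration.

```python
"""Scoring and conditional-certification eligibility check for CMMC Level 2.

Point values follow the DoD NIST SP 800-171 assessment methodology adopted by
32 CFR 170.24. Only a constructed subset of the 110 requirements is listed here,
so this table is illustrative and not a substitute for the official scoring.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110
PASS_SCORE = 88            # 80% of 110
POAM_WINDOW_DAYS = 180

# Subset of requirement point values (requirement id -> points).
POINTS = {
    "AC.L2-3.1.1": 5,      # limit system access to authorized users
    "AC.L2-3.1.20": 1,     # external connections
    "AC.L2-3.1.22": 1,     # control public information
    "CA.L2-3.12.4": 1,     # system security plan
    "IA.L2-3.5.3": 5,      # multi-factor authentication
    "MP.L2-3.8.9": 1,      # protect backup CUI at storage locations
    "PE.L2-3.10.3": 1,     # escort visitors
    "PE.L2-3.10.4": 1,     # physical access logs
    "PE.L2-3.10.5": 1,     # manage physical access
    "SC.L2-3.13.8": 3,     # CUI in transit
    "SC.L2-3.13.11": 5,    # FIPS-validated cryptography
    "SC.L2-3.13.16": 1,    # CUI at rest
    "SI.L2-3.14.1": 5,     # identify, report and correct flaws
}

# 1-point requirements that 32 CFR 170.21 still bars from a POA&M.
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
FIPS_REQ = "SC.L2-3.13.11"
FIPS_PARTIAL_POINTS = 3    # deduction when encryption exists but is not FIPS-validated


@dataclass
class Result:
    score: int
    eligible: bool                                  # certification (conditional or final) possible
    poam_items: list = field(default_factory=list)  # deficiencies that may be deferred
    blockers: list = field(default_factory=list)    # deficiencies that must be fixed before passing
    outcome: str = ""


def score_assessment(unmet, non_fips_encryption_in_use=False):
    """Score a hypothetical Level 2 assessment.

    unmet: iterable of requirement ids that are NOT met; everything else in
           POINTS (and, by assumption, the rest of the 110) is treated as met.
    non_fips_encryption_in_use: True when SC.L2-3.13.11 is unmet only because
           the deployed encryption lacks FIPS validation (partial credit).
    """
    unmet = set(unmet)
    unknown = unmet - set(POINTS)
    if unknown:
        raise KeyError(f"no point value in table for: {sorted(unknown)}")

    res = Result(score=MAX_SCORE, eligible=False)
    for req in sorted(unmet):
        pts = POINTS[req]
        if req == FIPS_REQ and non_fips_encryption_in_use:
            pts = FIPS_PARTIAL_POINTS          # the one >1-point item allowed on a POA&M
            res.poam_items.append(req)
        elif pts == 1 and req not in NEVER_ON_POAM:
            res.poam_items.append(req)
        else:
            res.blockers.append(req)           # 3/5-point item or excluded 1-point item
        res.score -= pts

    if not unmet:
        res.eligible, res.outcome = True, "Final Level 2 (all requirements met)"
    elif res.score >= PASS_SCORE and not res.blockers:
        res.eligible = True
        res.outcome = (f"Conditional Level 2; close {len(res.poam_items)} "
                       f"POA&M item(s) within {POAM_WINDOW_DAYS} days")
    else:
        res.outcome = "Not certifiable; remediate and reassess"
    return res


if __name__ == "__main__":
    # Constructed scenarios: a missing 5-point control blocks certification
    # even at 105/110, while two eligible 1-point gaps do not.
    for unmet, fips_partial in (
        (["MP.L2-3.8.9", "SC.L2-3.13.16"], False),
        (["IA.L2-3.5.3"], False),
        (["SC.L2-3.13.11"], True),
        (["PE.L2-3.10.3"], False),
    ):
        r = score_assessment(unmet, fips_partial)
        print(f"{r.score:>3}/110  {r.outcome}  blockers={r.blockers}")
```

The key point the example makes concrete is that the 88-point threshold is necessary but not sufficient: a single unmet 5-point control such as MFA leaves a score of 105 yet still prevents any certification, while the same organization missing two eligible 1-point controls at 108 can proceed conditionally.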

What Happens After a Conditional Certification?

If an organization qualifies for Conditional Level 2 status, they will have 180 days from the date of certification to close every item in their POA&M. After fixing each gap, they must complete a closeout assessment for those specific controls.

Think of it as a temporary “provisional pass.” The organization remains eligible for contracts, but only if it meets the deadline. Miss the 180-day window, and the Conditional Certification expires: certified status is lost, and the assessment process must be restarted.

How to Manage a POA&M Effectively

A strong POA&M is specific and actionable. Each item should include:

  • The missing control
  • Tasks to be completed
  • Responsible personnel
  • Target completion dates

Good POA&M Example:

“By June 30, IT will install the latest CUI encryption patch. Responsible: Security Officer. Evidence: Installation logs.”

Bad POA&M Example:

“Improve overall security this year.”

Vague entries, missing deadlines, or unrealistic goals can all backfire. Every item must be resolved within 180 days, so keep plans realistic and short-term. Use a spreadsheet or compliance tool to track tasks and deadlines. Be specific—write clear actions and identify responsible parties. Don’t treat POA&Ms as shortcuts—they are commitments with firm timelines.

Key Takeaways

POA&Ms are limited tools: they are not available at Level 1, and at Level 2 only for certain low-value controls, and a company must score at least 80% (88 of 110 points) on its initial assessment, with every higher-value control already met, to qualify for Conditional Certification. There are 180 days to fix the allowed deficiencies; after that, the certification expires if the issues are not resolved. Use POA&Ms wisely: keep them clear, specific, and focused on near-term fixes. By treating POA&Ms seriously (as action plans, not excuses) and aiming for a strong initial score, a business can navigate CMMC Level 2 successfully.

To learn more about CMMC, be sure to visit our CMMC page, and don’t hesitate to contact Elaine Nissley or Mike Murray regarding our services.

About the Author

Michael Murray

Mike joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Internal Audit Segment, servicing clients in government and commercial segments. Mike is also one of the founding members of our CMMC C3PAO assessment team.
