
POA&Ms Aren’t a Weakness — They’re Proof You’re Doing the Work

June 2, 2026

How DoD Contractors Can Turn a Plan of Action & Milestones into a CMMC Compliance Asset

If you’ve spent any time in the CMMC compliance world, you’ve probably heard people talk about POA&Ms — Plans of Action & Milestones — like they’re something to be ashamed of. A sign of weakness. An admission that your security program isn’t where it should be.

That’s not just wrong. It’s backwards.

A well-built POA&M is one of the most powerful signals you can send to a CMMC assessor. It shows that your organization understands its gaps, owns them transparently, and has a credible, active plan to close them. In the world of CMMC Level 2 compliance, that kind of maturity is exactly what assessors are looking for.

Here’s what defense contractors actually need to know about POA&Ms — and how to make yours work for you instead of against you.

What Is a POA&M, and Why Does CMMC Require One?

A Plan of Action & Milestones is a formal document that identifies cybersecurity gaps — controls that aren’t yet fully implemented — and lays out exactly how, by whom, and by when your team plans to resolve those gaps. It’s been a fixture of federal cybersecurity frameworks under FISMA for years, and it’s now a defined requirement under the CMMC 2.0 Final Rule (32 CFR Part 170), which took effect December 16, 2024.

Key Point: If your organization still has a small number of lower-risk items left to address, a POA&M is how you document them clearly and show how you plan to fix them. In other words, it lets you be transparent about what is still in progress — proof that there is a real plan to complete the work.

What POA&Ms cannot do: cover critical controls. High-value requirements like multi-factor authentication, incident response capabilities, or audit logging cannot be deferred. If those aren’t in place, no POA&M will get you across the finish line. But for lower-risk, 1-point controls that you’re actively working through? A strong POA&M is exactly the right tool.

Check out our article on Supplier Performance Risk System (SPRS) scoring: SPRS Score for Defense Contractors: What It Is & Why It Matters. Your score goes into SPRS alongside your System Security Plan (SSP), Plan of Action & Milestones (POA&M), and assessment date.

The Stigma Is a Myth — But the Risk Is Real

Here’s the thing about POA&Ms: the problem was never the document. The problem was how organizations were (mis)using it.

For years, some contractors treated POA&Ms as a compliance parking lot — a place to file gaps away with vague language and no real intention of resolving them. Entries like “improve security posture” or “update legacy systems” weren’t plans. They were placeholders dressed up in compliance clothing.

Vague POA&M entries — like “will implement encryption by Q3” without specific action steps — are red flags for assessors. Specificity demonstrates that you understand the gap and have a real plan, not just an intention.

That era is over. Under CMMC 2.0 and the scrutiny of a Certified Third-Party Assessment Organization (C3PAO), a thin or sloppy POA&M won’t just fail to help you — it will actively hurt you. Assessors know how to spot the difference between a structured remediation record and a pinky promise written in a spreadsheet.

What does a C3PAO do? Simply put, their job is to verify whether your company’s cybersecurity practices meet the required CMMC level.

The flip side is equally important: a missing POA&M is worse than one with open items. If you have unmet controls and no POA&M, assessors draw one of two conclusions — you don’t know you have gaps, or you’re not being transparent about them. Neither is a good look.

What a Strong CMMC POA&M Actually Looks Like

A high-quality POA&M goes far beyond “here’s the problem.” For every open item, assessors expect to see:

  • Control reference: The specific CMMC control the gap maps to. See the References & Further Reading section at the end of this article for more insight into this.
  • Gap description: A clear description of the gap and its root cause — not just “not implemented.”
  • Single owner: A named, accountable owner — one person, not a team or a role.
  • SMART milestones: Specific, Measurable, Achievable, Relevant, and Time-bound. “Implement SIEM” is vague. “Enable Azure Sentinel ingestion for 90 days of Windows event logs by [specific date]” is a milestone.
  • Active evidence: Evidence that work is already in motion, such as delivery receipts, vendor quotes, screenshots of staging environments, or training enrollment records.
  • Risk classification: A risk classification for each item (High/Moderate/Low) — most eligible POA&M items should be Moderate or Low.
  • Status cadence: Regular status updates. A stale POA&M with no progress entries is a red flag. Assessors want to see a living document, not a PDF that hasn’t been touched since day one.

Pro tip: Include proof that the work has been approved and funded, such as a screenshot showing budget approval or a signed vendor quote. That shows an assessor this is a real project with support behind it, not just a list of ideas that may never happen.

The 180-Day Clock Is Real — Plan for It

Conditional Level 2 Certification does not last forever. Once your POA&M is approved, your organization has 180 days to finish every remaining item and complete the final review. If you do not finish that work in time, you risk losing the certification — and possibly the contract tied to it.

That means you should not wait until the last minute to plan your closeout assessment. Assessment firms often book up in advance, and an assessor may not be available exactly when you need one. A better approach is to reserve your closeout assessment early. Do this even before you submit your first POA&M, so you are not left scrambling later.

Six months may sound like plenty of time. It can go quickly once you account for purchasing steps, vendor schedules, internal approvals, and proof-gathering.

Pro tip: Plan your milestones by starting with the final review date and working backward. That makes it easier to set realistic deadlines for each step along the way.
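To make the checklist above and the 180-day clock concrete, here is an added example (not from the original post, and not a DTC tool) of a small reviewer that checks a POA&M entry for the red flags assessors look for and computes the closeout deadline from the approval date. The 30-day staleness threshold, the vague-phrase list and the sample entries are assumptions constructed for the demo.

```python
from datetime import date, timedelta

REMEDIATION_WINDOW_DAYS = 180   # 180-day window after POA&M approval (Conditional Level 2)
STALE_AFTER_DAYS = 30           # assumed cadence: no progress entry in 30 days counts as stale
VAGUE_PHRASES = ("improve security posture", "update legacy systems", "will implement")
ELIGIBLE_RISK = {"Moderate", "Low"}  # items left on a POA&M should be Moderate or Low risk

def closeout_deadline(approval_date: date) -> date:
    """Last day to finish every open item once the POA&M is approved."""
    return approval_date + timedelta(days=REMEDIATION_WINDOW_DAYS)

def review_entry(entry: dict, approval_date: date, today: date) -> list[str]:
    """Return the findings an assessor would raise; an empty list means the entry is well-formed."""
    findings = []
    if not entry.get("control"):
        findings.append("missing CMMC control reference")
    if not entry.get("gap") or entry["gap"].strip().lower() == "not implemented":
        findings.append("gap description missing or just 'not implemented' (state the root cause)")
    owner = entry.get("owner", "")
    if not owner or any(w in owner.lower() for w in ("team", "department", "group")):
        findings.append("owner must be one named person, not a team or role")
    if any(p in entry.get("milestone", "").lower() for p in VAGUE_PHRASES):
        findings.append("milestone is vague; name the specific action and measurable outcome")
    due = entry.get("due")
    if due is None:
        findings.append("milestone has no due date")
    elif due > closeout_deadline(approval_date):
        findings.append(f"due date {due} falls after the closeout deadline {closeout_deadline(approval_date)}")
    if entry.get("risk") not in ELIGIBLE_RISK:
        findings.append("risk is not Moderate/Low; confirm this control can be deferred at all")
    if not entry.get("evidence"):
        findings.append("no evidence that work is in motion (quote, receipt, screenshot, enrollment)")
    last = entry.get("last_update")
    if last is None or (today - last).days > STALE_AFTER_DAYS:
        findings.append(f"no status update in the last {STALE_AFTER_DAYS} days; entry looks stale")
    return findings

# Constructed sample data (not from any real POA&M); the control ID is a CMMC 2.0 practice identifier.
APPROVAL_DATE = date(2026, 6, 1)
TODAY = date(2026, 6, 15)
WEAK_ENTRY = {"control": "", "gap": "Not implemented", "owner": "IT Team",
              "milestone": "Improve security posture", "due": date(2027, 1, 15),
              "risk": "High", "evidence": [], "last_update": date(2026, 1, 10)}
STRONG_ENTRY = {"control": "AT.L2-3.2.2", "owner": "J. Doe (Security Lead)",
                "gap": "Role-based CUI handling training not assigned; no LMS course existed",
                "milestone": "Enroll all 14 CUI handlers in the LMS course and file completion reports",
                "due": date(2026, 8, 14), "risk": "Low",
                "evidence": ["LMS enrollment export, 2026-06-10"], "last_update": date(2026, 6, 10)}
```

Running `review_entry` over each entry before a status meeting turns the checklist into a repeatable gate: the weak entry trips every check, while the strong one returns no findings.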

What “Fully Compliant” Might Actually Signal

Here is a point that may seem surprising: if your organization says every required cybersecurity control is fully in place with no gaps at all, some assessors may be skeptical.

That is not because honesty is a problem. It is because flawless compliance is uncommon, especially for small and midsize defense contractors that are still getting familiar with CMMC. In many cases, it is more believable to show the few gaps that still remain and document how you plan to fix them than to say everything is complete with no issues at all.

Being open about what still needs work and having a real plan to address it shows maturity, and assessors, well, they like maturity.

How DTC Can Help Defense Contractors

Build Audit-Ready POA&Ms

At DTC, we work with defense contractors across the mid-Atlantic who are navigating CMMC Level 2 assessments, SPRS score remediation, and the broader shift to mandatory C3PAO audits. We’ve seen what strong POA&Ms look like — and we’ve seen the wreckage that vague ones leave behind.

Our CMMC readiness support:

CMMC readiness has two halves: the technical side — the systems, configurations, and controls you implement — and the policy side — the written procedures, plans, and governance that back them up. We handle the technical half ourselves. For the policy and procedure work, most of our defense-contractor clients bring on a specialized compliance consultant of their choosing to author the SSP and supporting documentation. We work alongside that consultant through regular meetings, so the technical and policy sides stay in sync.

  • Standing up and maintaining the high-value technical controls — MFA for privileged and remote access, least-privilege enforcement, FIPS-validated encryption for CUI in transit, and controlled remote maintenance
  • Audit logging, patch management, and monitored remote access across the in-scope environment
  • Ongoing managed IT so the technical controls stay in place between assessments — not just on audit day
  • Coordinating with your compliance consultant — as they author the SSP, POA&M, and SPRS score-improvement plan, DTC supplies the technical evidence
  • Staying involved through C3PAO assessment and POA&M closeout — so the technical reality and the documented compliance picture actually match

Ready to Build a POA&M That Works for You?

If your organization is sitting on a POA&M that sounds more like a New Year’s resolution than a remediation plan, we should talk. Contact DTC Today.

References & Further Reading

The following resources informed this post and are recommended for contractors looking to go deeper on POA&M strategy and CMMC compliance:

  1. POA&M Best Practices Under CMMC 2.0 (VSO, Inc.) — Detailed breakdown of what a high-quality POA&M entry requires, including specificity requirements and common assessor red flags.
  2. Effective POA&M Tactics for CMMC Compliance That Pass Auditor Scrutiny (Intersec, Inc.) — Practical field guidance on SMART milestone writing, evidence capture, and scheduling closeout assessments.
  3. Understanding POA&Ms and How They Fit into CMMC Compliance (Huntress) — Accessible overview of POA&M structure, eligible controls, and what assessors expect from a living compliance document.
  4. CMMC Level 2 — Plan of Action and Milestone (MACPAS) — Clear explanation of CMMC 2.0 scoring mechanics, the 80% threshold, Conditional Certification criteria, and the 180-day remediation window.