Skip to content

CMMC readiness

POA&M Under CMMC: What's Allowed and the 180-Day Clock

A Plan of Action and Milestones can bridge a contractor to a Conditional CMMC status — but only for a narrow set of requirements, only above an 80% score, and only for 180 days. Here are the rules exactly as 32 CFR 170.21 draws them.

Request proof sample

The Plan of Action and Milestones is the most misunderstood mechanism in the entire CMMC program. Contractors tend to hear "POA&M" and relax, imagining it as a way to certify now and fix things later. The reality written into the CMMC program rule is far narrower and far stricter: a POA&M is a short, tightly bounded bridge available only to organizations that are already nearly compliant, it excludes exactly the controls you might most want to defer, and it runs on a hard 180-day clock with no built-in extension. This post lays out what is actually allowed, grounded in 32 CFR 170.21, so you can plan an assessment date honestly rather than optimistically.

What a POA&M is in the CMMC context

Outside CMMC, a POA&M is a familiar governance artifact: a documented plan listing unmet requirements, the actions to remediate them, and the milestones and dates for doing so. Inside CMMC, it acquires a specific legal function. When a Level 2 certification assessment finds that some — but not too many — requirements are not yet met, and those requirements fall within the permitted set, the C3PAO can issue a Conditional CMMC Status rather than an outright failure. Conditional status lets you be treated as meeting the requirement for award purposes while you finish the listed remediation. Final CMMC Status is what you hold once the POA&M is closed and verified. The whole mechanism lives in 32 CFR 170.21, and every constraint below flows from that section.

The eligibility rules: what is actually allowed

Three gates decide whether a POA&M is even available to you, and all three must be satisfied.

The 80% floor

You cannot POA&M your way up from a poor assessment. To be eligible for Conditional status, your assessment must reach a minimum score of 88 out of 110 — an 80% threshold measured on the same weighted DoD Assessment Methodology scale used for your SPRS score. If your weighted deductions push you below 88, there is no conditional path; the assessment is not passed, and no POA&M is offered. In effect, the rule reserves the bridge for contractors who are already roughly nine-tenths of the way there.

Only the permitted requirements

Even above the 80% floor, you may not place just any unmet requirement on the POA&M. The rule permits only a limited subset — broadly, the lower-weighted (1-point) requirements — and it specifically excludes the heaviest controls from POA&M eligibility. The requirements that carry the largest security weight, the 3- and 5-point controls the DoD considers most consequential for protecting CUI, generally must be fully MET at the time of assessment. You cannot certify conditionally while promising to implement multi-factor authentication, or basic boundary protection, or your core access controls "soon." Those are the controls the exclusion list is designed to force you to finish first.

There is one narrow, frequently-cited exception worth knowing precisely. The CUI encryption requirement, SC.L2-3.13.11, is normally a 5-point control, but it may be placed on a POA&M when you are already encrypting CUI and the only deficiency is that the cryptography is not yet FIPS-validated — in which case it is treated as a 3-point deduction. It is the exception that proves the rule: even the permitted heavy-control case requires that the substance (encryption) already exists and only the validation is outstanding.

It is a Level 2 and Level 3 mechanism only

POA&Ms do not exist at Level 1. A Level 1 self-assessment requires that all fifteen basic safeguarding requirements be met, full stop — there is no conditional status and no remediation window at the foundational level. The bridge described here applies to the Level 2 and Level 3 certification assessments governed by §170.21.

The 180-day clock

This is the constraint that turns a POA&M from a comfort into a deadline. When you receive a Conditional CMMC Status, the rule starts a clock on the Conditional Status Date, and a C3PAO must perform a POA&M close-out assessment within 180 days to verify that every item on the plan has been fully remediated and is now MET. Close everything within the window and your status converts to Final. Miss the window and the conditional status expires — you revert to not having a valid certification at that level, with the eligibility consequences that carries. The rule does not provide a general extension mechanism, so 180 days should be treated as a hard project deadline, not a target you can renegotiate.

The clock has a practical trap embedded in it: the close-out is itself a C3PAO assessment, and C3PAO capacity is finite. You cannot wait until day 175 to think about scheduling verification. The close-out assessment has to be planned, and often booked, well before the window runs out, which compresses your real remediation time to something shorter than 180 days.

Why the design is strict, and how to read it

It is tempting to see these constraints as bureaucratic cruelty, but the design has a coherent logic. The POA&M exists so that a contractor who is genuinely ready — who has closed the hard controls and holds a strong score — is not failed over a handful of minor, late-closing items. It does not exist to let an under-prepared organization certify on promises. The heavy-control exclusions and the 80% floor together ensure the mechanism rewards being nearly done, not being willing to start. Reading it that way changes how you plan: the POA&M is the last five percent of a readiness program, not the first draft of one.

Managing it in practice

The operational discipline is to sort your open gaps into two buckets long before assessment day. The first bucket is must-fix-before-assessment: every 3- and 5-point control on the exclusion list, plus anything needed to clear the 88/110 floor. The second is POA&M-eligible: the permitted lower-weight items you could legitimately carry conditionally. Knowing which bucket each gap falls into lets you set an assessment date you can actually pass, and it prevents the worst outcome — walking into an assessment assuming a control is POA&M-able when the rule excludes it. Then, if you do land in conditional status, run the 180-day window as a scheduled project with the close-out assessment booked in advance.

A concrete illustration makes the sorting rule vivid. Suppose an assessment finds four unmet items: multi-factor authentication is not enforced for remote access, audit logging is incomplete, CUI is encrypted but with cryptography that is not yet FIPS-validated, and a session-timeout configuration is missing. The MFA and audit-logging gaps are heavily weighted controls the exclusion list keeps off the POA&M — they must be fully closed to pass, and leaving them open would very likely drop you below the 88-point floor in the first place. The FIPS-validation gap is the recognized exception: because encryption already exists and only the validation is outstanding, it can be carried on the POA&M as a 3-point item. The missing session-timeout setting is a low-weight requirement that is POA&M-eligible. In this example two of the four gaps are must-fix and two are legitimately bridgeable — and a team that had assumed all four could be deferred to a POA&M would have failed on assessment day. Sorting the buckets early is what converts that surprise into a plan. It also tells you, weeks ahead, whether you are actually assessment-ready or still carrying an excluded gap that no amount of good intentions will let you defer.

Where Valty fits, honestly

Valty is not a C3PAO and does not perform certification or close-out assessments; only an accredited assessor can. What the platform does is manage the POA&M lifecycle as readiness support: flagging which of your open gaps are POA&M-eligible versus which the rule excludes, tracking your weighted score against the 88/110 conditional threshold, running the 180-day clock as a managed countdown with milestone tracking, and generating the OSCAL POA&M artifact in the form an assessment package expects. It is decision-support for arriving at — and getting through — the assessment honestly, not a substitute for the assessor's judgment. For the full timeline and mandate context, see the CMMC overview and the federal and regulatory capability page; if you have not yet established a baseline, the companion post on calculating your SPRS score is the place to start.

Back to blogView proof surface