CMMC Level 2 POA&M: Conditional Certification Guide
A Plan of Action & Milestones (POA&M) is not a workaround. It's a legally recognized instrument in 32 CFR Part 170 — the CMMC Final Rule — for documenting remediation commitments when your organization can't implement all 110 CMMC Level 2 practices before a C3PAO assessment. Used correctly, it earns you a conditional certification while you finish hardening your environment. Used incorrectly — vague milestones, missing resource allocations, or non-deferrable practices on the list — it gives your C3PAO grounds to deny certification entirely.
This guide explains the conditional certification mechanics, what goes into a credible POA&M entry, and how to close gaps within the 180-day window before conditional status lapses.
What is a CMMC POA&M?
A Plan of Action & Milestones is a structured document that tracks each security practice you haven't fully implemented: why it isn't implemented, the responsible owner, specific milestone dates, and the resources committed to closing the gap. It is not a list of excuses — it is a time-bound remediation contract with documented commitments.
Under 32 CFR Part 170, POA&Ms play two distinct roles in the CMMC lifecycle:
- Annual self-assessment: You submit your NIST SP 800-171 score to SPRS and maintain a POA&M for practices that are NOT MET. The POA&M isn't submitted externally, but it must exist — contracting officers and prime contractors can request it, and DoD can verify via DIBCAC spot checks.
- C3PAO assessment: A credible POA&M enables a conditional CMMC Level 2 certification when you've met the minimum assessment threshold but have remaining gaps. Without a credible POA&M, unmet practices result in a failed assessment rather than a conditional pass.
The NIST SP 800-171 Rev 2 requirement for POA&Ms is codified in practice CA.L2-3.12.2: "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems." The CMMC Final Rule adds the certification mechanics around that requirement.
How conditional CMMC Level 2 certification works
Under 32 CFR § 170.21, an Organization Seeking Certification (OSC) can receive a conditional CMMC Level 2 certification when three conditions are satisfied at the time of the C3PAO assessment:
- The OSC's assessment score meets or exceeds the minimum threshold in 32 CFR Part 170. The rule expresses it as the ratio of assessment score to total practices, 0.8, which for the 110 Level 2 practices works out to 88 points. Verify the current figure in the rule text before you plan an assessment date around it.
- No practices from the non-deferrable list are on the POA&M. These foundational controls must be fully implemented ("MET") before conditional certification can be issued, regardless of overall score.
- All remaining unmet practices are documented in a credible POA&M with specific milestones, named owners, and allocated resources.
Conditional CMMC Level 2 status carries the same contract eligibility as full Level 2: you can accept CUI-handling work. But it is not permanent. The OSC has 180 days from the conditional certification date to close every POA&M item and have the C3PAO confirm closure in a POA&M closeout assessment. If the POA&M is not closed within that window, conditional status lapses and the OSC must complete a new C3PAO assessment. [32 CFR Part 170, 89 FR 77190, Oct. 15, 2024]
Practices that cannot go on a POA&M
Not every NIST SP 800-171 Rev 2 practice can be deferred. The Final Rule designates specific high-value practices as non-deferrable — meaning they must be fully implemented before conditional Level 2 certification can be issued. These are the foundational controls that DoD treats as non-negotiable floor items rather than acceptable gaps.
The non-deferrable practices are enumerated in 32 CFR Part 170 and in the DoD's CMMC Assessment Process (CAP) document. The rule keys deferability to the point weights of the DoD Assessment Methodology: practices weighted above one point generally cannot be deferred, and the rule adds a short enumerated set of one-point practices that cannot be deferred either. In practice that covers controls in Identification & Authentication (multi-factor authentication), System & Communications Protection (encryption in transit and at rest), Audit & Accountability (audit log generation and retention), and Incident Response (operational response capability). The exact current list must be verified against the rule and the CAP before the assessment; practice IDs and the enumerated exceptions can change between rule versions.
If a non-deferrable practice is beyond your current capacity to implement, you have two options: delay the assessment until implementation is complete, or address the root cause that's blocking implementation. Proceeding with an unmet non-deferrable practice is not a risk to manage with paperwork — it is a hard certification blocker.
For a full view of which practices carry the highest point weight and are most likely to appear on the non-deferrable list, see the SPRS Score Explained breakdown by domain. The highest-weighted controls (5-point and 3-point practices) overlap substantially with what the rule treats as non-deferrable.
What a credible POA&M entry looks like
C3PAOs evaluate POA&M credibility during the assessment. Vague entries ("implement encryption — in progress") are red flags. Each entry must answer six questions: what is the gap, why does it exist, who owns it, when will it be closed, what resources are committed, and how will completion be verified.
| Field | What to write | Bad example |
|---|---|---|
| Practice ID | Full practice ID (e.g., CM.L2-3.4.2) | "Config management gap" |
| Finding | Specific: which systems, which users, what is not implemented | "Configuration baseline not enforced" |
| Root cause | Technical or process gap that created the deficiency | "Resource constraints" |
| Owner | Named individual or role — not a team name | "IT team" |
| Milestones | 3–5 dated milestones (design, pilot, deploy, verify) | "Complete by Q3" |
| Resources | Budget allocated, FTEs assigned, tooling licensed | "TBD" |
| Verification | Specific evidence artifact or automated check that confirms closure | "Will notify assessor when done" |
If you're using a compliance-as-code approach, the verification field should point at a specific automated check — a Prowler check ID, an OPA policy, or a Steampipe query — that produces a MET result when the gap is closed. That makes POA&M closure objective and auditable rather than dependent on manual attestation.
Common POA&M mistakes that fail assessments
The most common reason C3PAOs reject POA&Ms isn't missing controls — it's missing credibility. These patterns consistently raise flags during assessments:
- Milestones beyond the 180-day window. If your POA&M has completion dates more than 180 days from your expected certification date, you've already exceeded the conditional window. All items must close within 180 days of the certification date, not the assessment date.
- No resource allocation. "We plan to implement MFA" without a budget line and named personnel is aspirational, not a plan. Assessors look for evidence that implementation is funded and staffed.
- Non-deferrable practices on the list. This is an immediate certification blocker. Verify the list before your assessment — there is no negotiating it on-site.
- Stale entries with no progress updates. A POA&M entry from two years ago with no milestone history signals the gap is managed as documentation rather than as an active remediation. Every milestone should have a status date.
- One entry covering multiple practices. An entry like "implement all IA controls" conflates distinct gaps with different owners, timelines, and cost profiles. Each practice needs its own entry.
- No closure evidence path. If you can't describe what specific evidence will confirm the gap is closed, neither can your C3PAO. Define the evidence artifact before the remediation work starts, not after.
How compliance-as-code accelerates POA&M closure
When controls are implemented as code — Terraform modules, OPA policies, Steampipe queries — closing a POA&M item is a pull request, not a six-week project with manual screenshots. The control either passes the automated check or it doesn't. There's no ambiguity about whether "implementation" is complete.
This approach also transforms the evidence story. Instead of a screenshot taken the week before submission, you have a signed pipeline artifact showing the control has been continuously MET for 90 days. Assessors can trace from the POA&M entry to the check ID to the scan result to the OSCAL component definition. That's what evidence-as-code produces — and it's what distinguishes a conditional certification you can defend from one that barely passes.
For CMMC Level 2, Prowler ships a CMMC 2.0 compliance framework that maps its checks to the Level 2 practices it can evaluate against a cloud account. The mapping is not complete coverage of all 110 practices: policy, training, personnel and physical practices have no automated check and still close on documentary evidence. For the practices that do have a check, track POA&M items by Prowler check ID, the same IDs that appear in your control-to-check mapping, and a Prowler run immediately shows which items have moved to MET. That automated closure signal replaces manual attestation with a verifiable artifact for the technical controls, and leaves the manual evidence path only where no check exists.
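As an added example (not code from the article, and not Prowler's, OPA's or Steampipe's own tooling), the following Python script encodes the credibility rules from the entry table and the mistakes list above and adds the closure check this section describes: an entry whose verification field names an automated check is marked MET as soon as that check passes. The non-deferrable set is a placeholder seeded only with the MFA practice the article mentions and must be replaced with the full list from the rule and the CAP; the check IDs, the scan-result mapping and the sample entries are constructed for this example rather than taken from any scanner's native output; the day-120 warning is the article's own buffer recommendation, not a rule requirement.

```python
"""Credibility validator and automated closure check for CMMC Level 2 POA&M entries.

Added example: rules are the ones the article lists (named owner, dated
milestones, allocated resources, verification artifact, no non-deferrable
practice, one practice per entry, closure within 180 days of conditional
certification). Non-deferrable set, check IDs and scan results are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

PRACTICE_ID = re.compile(r"^[A-Z]{2}\.L2-3\.\d{1,2}\.\d{1,2}$")
CONDITIONAL_WINDOW_DAYS = 180   # hard limit from the Final Rule
INTERNAL_DEADLINE_DAYS = 120    # the article's "treat day 120 as the real deadline"
MIN_MILESTONES = 3              # article: 3-5 dated milestones (design, pilot, deploy, verify)
UNNAMED = re.compile(r"\b(tbd|n/?a|team|department)\b", re.I)

# Placeholder seed, NOT the rule's list: only the MFA practice the article names.
# Replace with the full enumeration from 32 CFR Part 170 / the CAP before use.
NON_DEFERRABLE: frozenset[str] = frozenset({"IA.L2-3.5.3"})


@dataclass
class Milestone:
    due: date
    description: str
    done: bool = False


@dataclass
class PoamEntry:
    practice_id: str
    finding: str
    root_cause: str
    owner: str
    milestones: list[Milestone]
    resources: str
    verification: str   # "check:<id>" for an automated check, otherwise an evidence artifact


def validate_entry(entry: PoamEntry, cert_date: date) -> dict[str, list[str]]:
    """Return {"errors": [...], "warnings": [...]}; any error makes the entry non-credible."""
    errors: list[str] = []
    warnings: list[str] = []
    pid = entry.practice_id.strip()

    if not PRACTICE_ID.match(pid):
        errors.append(f"practice_id {pid!r} is not a single Level 2 practice ID")
    elif pid in NON_DEFERRABLE:
        errors.append(f"{pid} is non-deferrable and cannot be on a POA&M")
    if not entry.finding.strip() or not entry.root_cause.strip():
        errors.append("finding and root cause must be specific, not blank")
    if not entry.owner.strip() or UNNAMED.search(entry.owner):
        errors.append(f"owner {entry.owner!r} is not a named individual or role")
    if not entry.resources.strip() or UNNAMED.search(entry.resources):
        errors.append("resources must name budget, FTEs or tooling, not TBD")
    if not entry.verification.strip() or "notify" in entry.verification.lower():
        errors.append("verification must name an evidence artifact or automated check")

    hard_deadline = cert_date + timedelta(days=CONDITIONAL_WINDOW_DAYS)
    soft_deadline = cert_date + timedelta(days=INTERNAL_DEADLINE_DAYS)
    if len(entry.milestones) < MIN_MILESTONES:
        errors.append(f"need at least {MIN_MILESTONES} dated milestones, got {len(entry.milestones)}")
    for m in entry.milestones:
        if m.due > hard_deadline:
            errors.append(f"milestone {m.description!r} due {m.due} is past day {CONDITIONAL_WINDOW_DAYS}")
        elif m.due > soft_deadline:
            warnings.append(f"milestone {m.description!r} due {m.due} leaves under 60 days for evidence and C3PAO review")
    return {"errors": errors, "warnings": warnings}


def validate_poam(entries: list[PoamEntry], cert_date: date) -> dict[str, dict[str, list[str]]]:
    """Validate every entry, keyed by practice ID."""
    return {e.practice_id: validate_entry(e, cert_date) for e in entries}


def closure_status(entries: list[PoamEntry], scan: dict[str, str]) -> dict[str, str]:
    """Map each entry to MET / NOT MET / MANUAL.

    `scan` is a simplified {check_id: "PASS"|"FAIL"} mapping (constructed here; a real
    pipeline would derive it from the scanner's native output). Entries whose
    verification is not an automated check stay MANUAL and need documentary evidence.
    """
    status: dict[str, str] = {}
    for e in entries:
        if e.verification.startswith("check:"):
            check_id = e.verification.split(":", 1)[1]
            status[e.practice_id] = "MET" if scan.get(check_id) == "PASS" else "NOT MET"
        else:
            status[e.practice_id] = "MANUAL"
    return status


# Constructed sample data; the check ID and scan result are invented for this example.
CERT_DATE = date(2025, 1, 15)
GOOD = PoamEntry(
    practice_id="CM.L2-3.4.2",
    finding="Hardening baseline not enforced on 14 Linux build hosts in the CUI enclave",
    root_cause="Hosts were provisioned before the config-management agent was rolled out",
    owner="J. Rivera, Platform Engineering Lead",
    milestones=[
        Milestone(date(2025, 2, 14), "Baseline module approved"),
        Milestone(date(2025, 3, 14), "Pilot on 3 hosts"),
        Milestone(date(2025, 4, 30), "Deploy to all 14 hosts and verify"),
    ],
    resources="$18k tooling, 0.5 FTE through April",
    verification="check:cm_baseline_enforced",
)
BAD = PoamEntry(
    practice_id="IA.L2-3.5.3",
    finding="MFA not enforced",
    root_cause="Resource constraints",
    owner="IT team",
    milestones=[Milestone(date(2025, 9, 30), "Complete by Q3")],
    resources="TBD",
    verification="Will notify assessor when done",
)
SCAN = {"cm_baseline_enforced": "PASS"}

if __name__ == "__main__":
    for pid, result in validate_poam([GOOD, BAD], CERT_DATE).items():
        print(pid, result)
    print(closure_status([GOOD, BAD], SCAN))
```

Run it and the CM.L2-3.4.2 entry passes with no findings and reports MET, while the IA.L2-3.5.3 entry collects six blocking errors (non-deferrable practice, unnamed owner, TBD resources, no evidence path, too few milestones, a date past day 180) and stays MANUAL because it names no check. Swap the placeholder non-deferrable set for the rule's list and the scan mapping for a loader over your scanner's output, and the same two functions give you a pre-assessment gate and a daily closure report.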
The 180-day countdown
Once you receive conditional CMMC Level 2 certification, the clock starts. Here's a realistic timeline for managing the closure window without losing your conditional status:
- Day 0: Conditional certification issued. Lock your POA&M — no new items can be added to the POA&M after the assessment. Every open item is now a deadline.
- Days 1–30: Assign all owners, confirm budget and resource allocations, and schedule milestone check-ins. Any item without a named owner and allocated resources by Day 30 is already at risk.
- Days 30–120: Active implementation. Your C3PAO may request progress updates during this window. Have your milestone evidence ready before they ask.
- Day 120: Internal checkpoint. Any practice not in final deployment by Day 120 needs immediate escalation — you have 60 days remaining, not 180. Treat Day 120 as the de facto deadline.
- Days 120–150: Close all POA&M items, collect closure evidence, and run automated verification checks. This is evidence-gathering time, not implementation time.
- Day 150: Begin C3PAO notification and evidence submission. Don't wait until Day 179 — C3PAO review takes time, and the clock does not pause for administrative delays.
- Day 180: Hard deadline. All items must be confirmed MET and C3PAO confirmation received. Miss this and you start over with a full new assessment.
If you approach Day 180 with open items, there is no automatic extension under the Final Rule. The realistic path is to document the situation with your C3PAO, but the most likely outcome is that conditional status lapses and you need a new assessment to restore contract eligibility. The cost of that outcome — assessment fees, timeline delays, potential contract impacts — dwarfs the cost of treating Day 120 as the real deadline from the start.
The practical rule: whatever completion dates are in your POA&M at the time of conditional certification, back each one up by 30 days. Use that buffer for evidence collection and verification. Leave the last 30 days exclusively for C3PAO interaction. Implementation that isn't done by Day 120 isn't getting done in time.
If you're still in the pre-assessment phase, the right time to build your POA&M is during your readiness assessment — not the week before your C3PAO arrives. A well-constructed POA&M shows assessors that you understand your gaps, own them, and have a credible plan to close them. That posture matters as much as the score itself.
Ready to map your gaps?
We build POA&M-ready compliance programs that close gaps with code, not paperwork. If you're preparing for a C3PAO assessment and need an honest gap analysis before committing to an assessment date, let's talk.
Start your gap analysis →
References
- U.S. Department of Defense. Cybersecurity Maturity Model Certification (CMMC) Program. 32 CFR Part 170, 89 FR 77190 (Oct. 15, 2024). federalregister.gov
- National Institute of Standards and Technology. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST SP 800-171 Rev. 2, February 2020. doi.org/10.6028/NIST.SP.800-171r2
- U.S. Department of Defense. NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1. OUSD(A&S), June 2020. Available from dodcio.defense.gov/CMMC/
- U.S. Department of Defense. CMMC Assessment Process (CAP). Office of the Under Secretary of Defense for Acquisition & Sustainment. dodcio.defense.gov/CMMC/