Interweave Technologies
Mar 16

What Is a Plan of Action and Milestones (POA&M)?

A Plan of Action and Milestones (POA&M) is a formal document that tracks security gaps and lays out the steps, resources, and deadlines needed to fix them. It is a key part of cybersecurity compliance for any business that works with the Department of Defense (DoD) or handles Controlled Unclassified Information (CUI). According to NIST SP 800-53, a POA&M "identifies tasks needing to be accomplished, details resources required to accomplish the elements of the plan, any milestones for meeting the tasks, and scheduled completion dates." For defense contractors in Huntsville, Alabama and across North Alabama, where thousands of businesses support Redstone Arsenal and other federal agencies, a well-built POA&M can mean the difference between winning a government contract and losing one. This article covers everything you need to know about POA&Ms, including what goes into them, how they connect to CMMC and NIST 800-171, and how to build one that keeps your business on track.

What Is a Plan of Action and Milestones (POA&M) in Cybersecurity?

A Plan of Action and Milestones in cybersecurity is a corrective action document that lists known security weaknesses, the steps needed to fix them, the people responsible, and the deadlines for each fix. Think of it as a to-do list for your security program. It helps you organize your path from where you are now to where you need to be.

The concept comes from the Federal Information Security Modernization Act (FISMA) of 2014, which requires all federal agencies and their contractors to follow NIST's Risk Management Framework (RMF). The POA&M is a core piece of that framework. According to OMB Memorandum 02-01, every system that handles federal data must have one. It is not optional for businesses that work on government contracts.

For small and mid-sized businesses in the Huntsville area, this matters a lot. A 2024 study by CyberSheath and Merrill Research found that only 4% of defense contractors were fully ready to meet CMMC standards. The average Supplier Performance Risk System (SPRS) score among respondents was -12, far below the perfect score of 110. Many of these businesses need a strong POA&M to close the gap between where they are and where they need to be. Businesses that handle compliance as a managed service often find that having expert guidance makes this process far smoother.

Why Is a POA&M Important for Government Contractors?

A POA&M is important for government contractors because it shows the DoD that your business takes security seriously, has a plan to fix gaps, and is actively working toward full compliance. Without one, you cannot demonstrate due diligence, and you risk losing contract eligibility altogether.

NIST SP 800-171, the standard that forms the backbone of CMMC Level 2, specifically requires contractors to "develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems" under control 3.12.2. This is not a suggestion. It is a requirement.

The stakes are high. According to data from PreVeil, over 80% of aerospace and defense organizations have experienced a data breach in the past 12 months. The defense industry sees roughly 1,250 cyber incidents per week. A POA&M helps contractors track and fix the vulnerabilities that lead to these incidents. It also gives auditors and contracting officers confidence that your organization has a clear path to full compliance.

Huntsville is home to Redstone Arsenal, which supports a government and contractor workforce of 36,000 to 40,000 people daily, according to the U.S. Army. The defense industry accounts for a $27 billion economic impact in the Huntsville region alone, based on a University of Alabama study. For North Alabama contractors, maintaining a solid POA&M is not just a compliance checkbox. It is a business survival tool.

What Goes Into a POA&M Document?

A POA&M document includes several key pieces of information for each security weakness. NIST provides a standardized spreadsheet template with a minimum of eight columns. Here is what each section covers.

The Weakness column describes the specific security gap or vulnerability that needs to be fixed. This could be a missing control, a failed configuration, or a policy that does not exist yet.

The Responsible Office or Organization column names the person or team in charge of fixing the issue. Clear ownership is critical. Without it, items sit on the list and never get resolved.

The Resource Estimate column lays out the budget, tools, and personnel needed to complete the fix. Some organizations break this into separate columns for dollar amounts and justifications.

The Scheduled Completion Date sets the deadline for resolving the weakness. Under CMMC 2.0, all POA&M items must be closed within 180 days of receiving Conditional CMMC Status, according to the CMMC Final Rule published in the Federal Register.

The Milestones with Interim Completion Dates column breaks the overall fix into smaller tasks. Each task should be Specific, Measurable, Assignable, Realistic, and Time-Related (SMART).

Additional columns typically include Changes to Milestones, How the Weakness Was Identified, and Status. Many organizations also add columns for risk level and supporting documents. Contractors in the Huntsville, Alabama area who work with managed IT and cybersecurity services can get help building a POA&M that meets these standards from the start.

How Does a POA&M Relate to CMMC Compliance?

A POA&M relates to CMMC compliance by serving as the bridge between a partial assessment score and full certification. Under the CMMC 2.0 Final Rule, which became enforceable on November 10, 2025, organizations that meet at least 80% of the 110 NIST SP 800-171 controls can receive a Conditional CMMC Status. All unmet controls must be placed on a POA&M and resolved within 180 days.

Here is how the math works. To earn Conditional CMMC Level 2 status, an organization must score at least 88 out of 110 on the CMMC assessment, so no more than 22 points can be lost to unmet controls. Depending on the point values of those controls, that means roughly 19 to 22 controls can remain open. Each NIST 800-171 control is assigned a point value of 1, 3, or 5 based on the DoD Scoring Methodology. Only controls worth 1 point can be placed on a POA&M, with one exception: encryption that is in use but not yet FIPS-validated may be carried on the POA&M as a 3-point item.

According to the Hive Systems analysis, only 47 of the 110 controls are even eligible to go on a POA&M. The rest must be fully implemented before your assessment. This leaves very little room for error. Controls that can never be placed on a POA&M include multi-factor authentication (MFA), FIPS-validated encryption, incident response capability, audit logging, and the System Security Plan (SSP) itself.

CMMC Level 1 organizations cannot use a POA&M at all. They must meet all 15 basic safeguarding controls at the time of assessment. This is important for many small businesses across North Alabama that handle Federal Contract Information (FCI) but not CUI.

What Is the Difference Between a POA&M and a System Security Plan (SSP)?

The difference between a POA&M and a System Security Plan is that the SSP describes your current security setup, while the POA&M lists the gaps you still need to fix and your plan for fixing them. The SSP is your blueprint. The POA&M is your to-do list.

According to NIST SP 800-171, the SSP outlines how your organization meets each of the 110 security requirements. It covers system boundaries, data flows, user roles, security controls, and the overall architecture of your IT environment. The POA&M then picks up where the SSP leaves off, documenting any controls that are partially implemented or not implemented at all.

A good way to think about it: as your compliance program matures, your SSP should grow longer and more detailed, while your POA&M should shrink. The goal is an empty POA&M, which means every control has been fully implemented. Both documents are required for DFARS 252.204-7012 compliance, and both will be reviewed during a compliance audit.

How Do You Create an Effective POA&M?

You create an effective POA&M by starting with a thorough gap assessment, documenting every unmet control, assigning clear ownership, setting realistic deadlines, and updating the document regularly. A weak or vague POA&M signals to auditors that your organization is not taking compliance seriously.

How Do You Identify Weaknesses for a POA&M?

You identify weaknesses for a POA&M by conducting a gap assessment against the NIST SP 800-171 controls. This means going through all 110 controls and 320 assessment objectives to determine which ones are fully met, partially met, or not met at all. The most common ways to find weaknesses include third-party assessments by a C3PAO, internal vulnerability scans, penetration testing, and routine security monitoring.

A Sera-Brynn study of approximately 50 defense contractor assessments found that, on average, companies had implemented only 39% of the NIST 800-171 controls. Small to mid-sized companies fared worse, implementing just 34% on average. Over 80% of assessed companies failed to implement 16 specific controls. These numbers show why a POA&M is so important. Most organizations have significant work to do.

Contractors in the Huntsville area who work with an experienced managed service provider can get a professional gap assessment that identifies exactly where they fall short and builds a POA&M around those findings.

How Do You Write SMART Milestones in a POA&M?

You write SMART milestones in a POA&M by making each task Specific, Measurable, Assignable, Realistic, and Time-Related. Vague entries like "improve access controls" will not pass auditor review. Instead, a strong milestone looks like: "Enable Azure Sentinel ingestion for 90 days of Windows event logs by March 15." That is specific, measurable, and has a clear deadline.

Break large remediation tasks into smaller subtasks. For example, if you need to implement multi-factor authentication across your organization, your milestones might include: select MFA tool by week 2, configure MFA for admin accounts by week 4, roll out MFA to all users by week 8, and verify full deployment by week 10.

Attach proof of funding to each milestone. A screenshot of an approved purchase order or a signed vendor quote eliminates the suspicion that your POA&M is just an unfunded wish list. Auditors see hundreds of these documents. The ones that stand out are the ones with real action verbs like "install," "enable," and "deploy," not vague verbs like "evaluate" or "investigate."

What Happens if You Do Not Close Your POA&M on Time?

If you do not close your POA&M on time, your Conditional CMMC Status expires. According to Section 170.21 of the CMMC Final Rule, all POA&M items must be resolved within 180 days of the Conditional CMMC Status Date. If the POA&M closeout assessment finds that any requirements are still unmet after 180 days, your conditional certification goes away. At that point, standard contractual remedies apply, and you would need a brand new full assessment to try again.

This is not a minor setback. According to CyberSheath's 2025 State of the DIB Report, 89% of defense contractors reported losses due to cyber incidents. Losing your CMMC certification on top of that means losing access to DoD contracts entirely. For businesses in Huntsville and across North Alabama, where defense contracting is a major part of the local economy, this could be devastating.

It is also worth noting that the CMMC Status Date stays the same even after your POA&M is closed. If you take the full 180 days to resolve your items, you only have about 2.5 years of full certification before your next reassessment is due. Planning ahead and closing items early gives you more runway.

Which CMMC Controls Cannot Be Put on a POA&M?

The CMMC controls that cannot be put on a POA&M are high-value controls that are essential to protecting CUI immediately. These include any control with a point value greater than 1 in the DoD Scoring Methodology, along with several specific 1-point controls that the DoD has designated as non-deferrable.

At CMMC Level 2, the following critical controls must be fully implemented before your assessment:

Multi-factor authentication (MFA): Required for all access to systems that contain CUI. Without MFA, your system is wide open to credential theft.

FIPS-validated encryption: All CUI must be encrypted at rest and in transit using FIPS 140-2 validated methods. The one exception is that encryption that is in use but not yet FIPS-validated can go on a POA&M as a 3-point item.

Audit logging: The ability to generate and review security logs is critical for detection and accountability.

System Security Plan (SSP): Your SSP must be complete and current. It cannot be deferred.

Incident response capability: You must have a working incident response plan before your assessment. Businesses that need help building these capabilities should consider working with a team that specializes in incident response planning for small and mid-sized businesses.

At CMMC Level 3, additional controls related to advanced persistent threat protection, cryptographic key management, and privileged access management are also off-limits for POA&Ms.

POA&M vs. SSP vs. SPRS Score: How Do They All Connect?

The POA&M, SSP, and SPRS score all connect as parts of a single compliance picture. The SSP documents your current security posture. The POA&M tracks what you still need to fix. The SPRS (Supplier Performance Risk System) score is the number that reflects how many of the 110 NIST 800-171 controls you have implemented.

A perfect SPRS score is 110. Each unmet control deducts its point value (1, 3, or 5) from that total. The 2024 CyberSheath study found the average SPRS score among defense contractors was -12, meaning most contractors had significant gaps. To qualify for Conditional CMMC Level 2, your SPRS score must be at least 88, which corresponds to the 80% threshold.

POA&M, SSP, and SPRS Score Comparison

Document / Metric | Purpose | Key Details
System Security Plan (SSP) | Documents current security controls and architecture | Covers all 110 NIST 800-171 controls; grows as compliance matures
Plan of Action & Milestones (POA&M) | Tracks gaps, remediation steps, and deadlines | Only 47 of 110 controls eligible; must close within 180 days under CMMC
SPRS Score | Numeric reflection of compliance level | Perfect score is 110; minimum of 88 needed for Conditional CMMC Level 2

Sources: NIST SP 800-171; CMMC Final Rule (32 CFR Part 170), Federal Register, October 2024; CyberSheath and Merrill Research, 2024; Hive Systems, 2025.

All three documents work together. Your SSP tells the story of your security program. Your SPRS score gives the DoD a quick snapshot. Your POA&M shows that you have a credible plan to close any remaining gaps. Contractors who keep all three documents current and aligned are in the strongest position for CMMC certification.
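The scoring rules described above (110 perfect score, point values of 1, 3 or 5 per unmet control, the 88-point threshold, 1-point-only deferral with the FIPS-validation exception, and the 180-day closeout window) can be turned into a pre-submission check. The following is an added example written for this article, not code from Interweave Technologies or from any DoD tool; the control identifiers and point values in the sample data are constructed placeholders, and real values must be taken from the DoD Assessment Methodology for each requirement.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PERFECT_SCORE = 110            # score before any deductions
CONDITIONAL_MINIMUM = 88       # 80% threshold for Conditional CMMC Level 2
CLOSEOUT_WINDOW_DAYS = 180     # POA&M items must be closed within this window


@dataclass
class Finding:
    """One NIST SP 800-171 requirement as scored in an assessment."""
    control_id: str              # constructed placeholder, not a real requirement number
    points: int                  # 1, 3 or 5 under the DoD Assessment Methodology
    met: bool
    fips_partial: bool = False   # encryption in use but not yet FIPS-validated


def sprs_score(findings):
    """SPRS score: perfect score minus the point value of every NOT MET requirement."""
    return PERFECT_SCORE - sum(f.points for f in findings if not f.met)


def poam_eligible(finding):
    """A NOT MET item may be deferred only if it is worth 1 point, or if it is
    the FIPS-validation exception carried at 3 points."""
    if finding.met:
        return False
    if finding.points == 1:
        return True
    return finding.points == 3 and finding.fips_partial


def evaluate(findings, conditional_status_date):
    """Summarise conditional-status eligibility for one assessment result.

    conditional_status_date is an ISO date string; the closeout deadline is
    returned in the same form so the result is easy to record in the POA&M."""
    open_items = [f for f in findings if not f.met]
    ineligible = [f.control_id for f in open_items if not poam_eligible(f)]
    score = sprs_score(findings)
    start = date.fromisoformat(conditional_status_date)
    return {
        "sprs_score": score,
        "open_items": [f.control_id for f in open_items],
        "ineligible_for_poam": ineligible,
        # both conditions must hold: enough points AND nothing non-deferrable left open
        "conditional_eligible": score >= CONDITIONAL_MINIMUM and not ineligible,
        "closeout_deadline": (start + timedelta(days=CLOSEOUT_WINDOW_DAYS)).isoformat(),
    }


def sample_findings():
    """Constructed sample result: three deferrable 1-point gaps plus the FIPS exception.
    Met requirements do not change the score, so only a few are listed."""
    return [
        Finding("CTRL-001", 5, met=True),
        Finding("CTRL-002", 1, met=False),
        Finding("CTRL-003", 1, met=False),
        Finding("CTRL-004", 1, met=False),
        Finding("CTRL-005", 3, met=False, fips_partial=True),
    ]


def sample_with_high_value_gap():
    """Same as above plus one constructed 5-point requirement left NOT MET."""
    return sample_findings() + [Finding("CTRL-006", 5, met=False)]


def sample_too_many_gaps():
    """Twenty-three 1-point requirements NOT MET: all deferrable, but the score is 87."""
    return [Finding(f"CTRL-{n:03d}", 1, met=False) for n in range(1, 24)]


if __name__ == "__main__":
    for label, findings in [("baseline", sample_findings()),
                            ("high-value gap", sample_with_high_value_gap()),
                            ("too many gaps", sample_too_many_gaps())]:
        print(label, evaluate(findings, "2025-11-10"))
```

The check fails in two different ways on purpose: a single 5-point control left open blocks conditional status even with a score of 99, and twenty-three open 1-point controls are all individually deferrable yet push the score below 88. Both outcomes are the situations the article warns about, and the closeout deadline is derived from the Conditional CMMC Status Date rather than from the day the POA&M was written.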

How Long Does It Take a Small Business to Build a POA&M?

It takes a small business anywhere from a few weeks to several months to build a POA&M, depending on how many gaps exist and the size of the IT environment. The POA&M itself is just a document. The real timeline comes from the gap assessment that feeds it and the remediation work that follows.

Industry experts estimate that it takes the average small business 12 to 18 months to fully implement all 110 NIST 800-171 controls. The POA&M is created early in that process to track progress. According to a report by CyberSheath, over 50% of defense contractors are currently struggling with CMMC implementation, and 31% are specifically challenged with creating protocols to protect against data breaches.

For businesses in Huntsville and North Alabama, time is especially critical. CMMC requirements have been appearing in DoD contracts since November 2025. Every month of delay is a month closer to losing contract eligibility. Working with a compliance-focused IT partner like Interweave Technologies can shorten the timeline by providing expert assessments, pre-built templates, and hands-on remediation support.

Can You Get CMMC Certified With Open POA&M Items?

Yes, you can get conditionally CMMC certified with open POA&M items, but only under strict conditions. The CMMC 2.0 Final Rule introduced the concept of Conditional CMMC Status, which allows organizations to compete for DoD contracts while they finish fixing certain low-risk security gaps.

To qualify for Conditional CMMC Level 2 status, you must score at least 80% (88 out of 110 points) on your assessment. All critical controls must be fully met. Only eligible 1-point controls can go on the POA&M. And you have exactly 180 days to close every open item and pass a POA&M closeout assessment.

This is not a free pass. According to the CMMC Final Rule published in the Federal Register, if the closeout assessment finds that any requirements are still unmet after 180 days, your conditional status expires and standard contractual remedies kick in. CyberSheath's 2025 report noted that only 270 organizations out of roughly 80,000 defense contractors that need Level 2 certification currently hold final CMMC certificates. The road ahead is long for most contractors, and a solid POA&M is the vehicle that gets them there.

What Are Common Mistakes Businesses Make With POA&Ms?

The most common mistakes businesses make with POA&Ms are writing vague action items, not assigning clear ownership, including controls that are not eligible for deferral, and treating the document as a one-time project instead of a living plan.

Putting a 5-point high-value control on your POA&M is an automatic disqualification. Auditors will stop the review immediately. Always cross-check your open items against the DoD's scoring methodology before submitting.

Another frequent mistake is creating a POA&M with no evidence of funding. If your milestones do not have approved budgets, vendor quotes, or resource allocations behind them, assessors will see your document as aspirational rather than actionable.

Businesses also fail by waiting too long to schedule their closeout assessment. Most C3PAOs (Certified Third-Party Assessment Organizations) have backlogs. If you wait until day 150 of your 180-day window to book your closeout, you may miss the deadline due to assessor availability, not technical work. Contractors across the Huntsville area who stay ahead of this schedule by working with experienced cybersecurity audit partners tend to close out their POA&Ms faster and with fewer issues.

How Do You Keep a POA&M Updated?

You keep a POA&M updated by reviewing it at least monthly, recording progress on every open item, adjusting timelines when needed, and adding new findings from ongoing monitoring. A POA&M is a living document. It should change every time your security posture changes.

Best practices include adding a "percent complete" column and updating it every 30 days. When your assessor returns for the closeout review, they should see a clear timeline of steady progress, not a document that was untouched for five months and then rushed at the end.

Hold a short weekly meeting with all POA&M item owners. In 15 minutes, each person reports what is done, what is next, and what is blocking progress. This gives leadership real-time visibility into blockers and lets them move budget or staff where it is needed most.

New vulnerabilities should be added to the POA&M as they are discovered through vulnerability scans, penetration testing, or security assessments. The POA&M is never truly "done." Even after your CMMC certification, you will need to maintain it as part of your ongoing compliance program. This ongoing obligation aligns with NIST SP 800-171 control 3.12.2 and the broader FISMA requirements for continuous monitoring.
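The monthly review routine described in this section (a percent-complete column touched at least every 30 days, clear owners, due dates that fit inside the 180-day closeout window, and overdue items surfaced before the assessor sees them) can be automated over the POA&M's milestone rows. The following is an added example, not part of the original article or any tool the author describes; the milestone entries, owner titles and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 30      # every open item should be updated at least monthly
CLOSEOUT_WINDOW_DAYS = 180     # POA&M closeout window under CMMC


@dataclass
class Milestone:
    """One row of the POA&M milestone list (constructed structure for this example)."""
    item_id: str
    description: str          # should read as a SMART task with a concrete action verb
    owner: str
    due: date
    percent_complete: int
    last_updated: date


def review(milestones, conditional_status_date, today):
    """Flag milestones that need attention at a monthly POA&M review.

    Dates are ISO strings. Returns item IDs grouped by the problem found:
      overdue          - open item whose due date has passed
      stale            - open item not updated within REVIEW_INTERVAL_DAYS
      beyond_closeout  - due date later than the 180-day closeout deadline
      unowned          - no responsible person or team recorded
    """
    today = date.fromisoformat(today)
    closeout = date.fromisoformat(conditional_status_date) + timedelta(days=CLOSEOUT_WINDOW_DAYS)
    report = {"overdue": [], "stale": [], "beyond_closeout": [], "unowned": []}
    for m in milestones:
        is_open = m.percent_complete < 100
        if is_open and m.due < today:
            report["overdue"].append(m.item_id)
        if is_open and (today - m.last_updated).days > REVIEW_INTERVAL_DAYS:
            report["stale"].append(m.item_id)
        if m.due > closeout:
            report["beyond_closeout"].append(m.item_id)
        if not m.owner.strip():
            report["unowned"].append(m.item_id)
    return report


def sample_milestones():
    """Constructed sample rows; tasks, owners and dates are placeholders."""
    return [
        Milestone("M1", "Enable centralised log ingestion for all Windows hosts",
                  "IT Ops lead", date(2026, 3, 15), 60, date(2026, 2, 10)),
        Milestone("M2", "Configure session lock timeout on all workstations",
                  "Endpoint admin", date(2026, 5, 1), 40, date(2026, 3, 28)),
        Milestone("M3", "Deploy FIPS-validated encryption module on file server",
                  "", date(2026, 8, 1), 0, date(2026, 3, 30)),
        Milestone("M4", "Publish updated access control policy",
                  "Compliance manager", date(2026, 3, 1), 100, date(2026, 3, 1)),
    ]


if __name__ == "__main__":
    # Constructed scenario: Conditional CMMC Status granted 2026-01-15, review held 2026-04-01.
    for problem, ids in review(sample_milestones(), "2026-01-15", "2026-04-01").items():
        print(f"{problem}: {ids or 'none'}")
```

Run at each weekly or monthly check-in, the report gives the agenda for the item-owner meeting: M1 is both overdue and untouched for more than 30 days, and M3 has no owner and a due date that lands after the closeout deadline, which is exactly the kind of entry an assessor reads as an unfunded wish list. Completed rows are left out of the overdue and stale checks so the noise stays low as the POA&M shrinks.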

Frequently Asked Questions

Do Huntsville Defense Contractors Need a POA&M for CMMC?

Yes, Huntsville defense contractors need a POA&M for CMMC if they have any unmet security controls after their assessment. The CMMC Final Rule requires all "NOT MET" items to be documented in a POA&M for organizations seeking Conditional Level 2 or Level 3 status. Given that Huntsville is one of the largest defense hubs in the country, with Redstone Arsenal driving a $27 billion regional economic impact according to the University of Alabama, local contractors should treat POA&M readiness as a top priority.

Is a POA&M Required for CMMC Level 1?

No, a POA&M is not required or allowed for CMMC Level 1. Level 1 organizations must meet all 15 basic safeguarding controls at the time of their self-assessment. There is no conditional status option at this level. If you fail any of the 15 controls, you do not pass.

How Many Controls Can Go on a CMMC POA&M?

Only 47 of the 110 NIST SP 800-171 controls are eligible to go on a CMMC POA&M at Level 2, according to Hive Systems' analysis of the DoD Scoring Methodology. These must all be 1-point controls, with the single exception of non-FIPS-validated encryption (a 3-point item). Your total score must still be at least 88 out of 110 to qualify for conditional certification.

What Frameworks Besides CMMC Use a POA&M?

Besides CMMC, frameworks that use a POA&M include FedRAMP, FISMA, NIST RMF, and any federal compliance program tied to NIST SP 800-53. FedRAMP requires monthly POA&M updates as part of continuous monitoring. FISMA requires all federal agencies and their contractors to maintain a POA&M as part of the Risk Management Framework authorization package. Many North Alabama businesses that serve both DoD and civilian federal agencies need POA&Ms for multiple frameworks.

Can a Managed IT Provider Help Build a POA&M?

Yes, a managed IT provider can help build a POA&M by conducting the initial gap assessment, documenting each unmet control, writing SMART milestones, and providing the technical remediation to close out items on time. According to NIST, working with a consultant who has thorough knowledge of NIST 800-171 is one of the most important steps in meeting DFARS requirements. Businesses in the Huntsville area can benefit from working with a local compliance-focused IT provider that already knows the defense contracting landscape.

How Often Should You Review Your POA&M?

You should review your POA&M at least once per month, and more often during active remediation periods. NIST SP 800-171 requires continuous monitoring and assessment of security controls. Under CMMC, you have a hard 180-day window to close all items, so monthly reviews are the bare minimum. Weekly check-ins with item owners are even better to catch problems early.

What Happens After You Close Out All POA&M Items?

After you close out all POA&M items, a closeout assessment is conducted to verify full compliance. If all requirements are met, your organization moves from Conditional CMMC Status to Final CMMC Status. According to the Federal Register, this final status is valid for the remainder of your certification period. Your POA&M does not disappear after closeout. It remains a living document that captures new vulnerabilities and security findings as they arise through ongoing monitoring.

Final Thoughts

A Plan of Action and Milestones is more than a compliance document. It is the roadmap that connects your current security state to where you need to be. For defense contractors in Huntsville, Alabama and across North Alabama, a strong POA&M is essential for winning and keeping DoD contracts. With only 4% of defense contractors fully CMMC-ready according to CyberSheath's research, and enforcement already underway, every day without a plan is a risk to your business.

The key is to start early, be specific in your milestones, assign clear ownership, fund your action items, and review progress regularly. Whether you are just starting your compliance journey or you are 90% of the way there, the POA&M keeps you organized, accountable, and moving forward.

If your business needs help building a POA&M, conducting a gap assessment, or preparing for a CMMC assessment, Interweave Technologies in Huntsville can help. With over 20 years of experience in managed IT, cybersecurity, and compliance services, their team works with defense contractors and government-adjacent businesses every day to get compliant and stay compliant. Call (256) 837-2300 or schedule a free scoping audit to get started.