Module 11: POA&Ms, Conditional Certification, and Remediation Strategy

Step 1 – Where POA&Ms Fit in CMMC 2.0 Today

Under CMMC 2.0, Plans of Action & Milestones (POA&Ms) are no longer an informal, open‑ended "to‑do list." They are tightly constrained exceptions to the expectation that you fully implement all required practices at the time of assessment.

As of today (about late 2025), the key reference points are:

• CMMC 2.0 (Levels 1–3) is aligned with:
• NIST SP 800‑171 Rev. 2 (and transitioning to Rev. 3 once DoD updates its rulemaking and assessment guides)
• For Level 3, a subset of NIST SP 800‑172 (enhanced security requirements for critical programs)
• POA&M policy is primarily reflected in:
• 32 CFR Part 170 (CMMC Program rule, finalized in 2024)
• DoD assessment guides and draft scoring methodologies derived from NIST SP 800‑171A and the DoD Assessment Methodology (e.g., the 110‑point scoring model)

Core idea:

• You must aim for full implementation of all required practices before a CMMC assessment.
• A limited number of specific, lower‑impact gaps may be placed on a POA&M with strict conditions:
• Only certain practices are eligible.
• There is a maximum allowed POA&M score deficit.
• There are firm deadlines for closure (typically measured in months, not years).

In this module you will learn:

1. Which gaps can be placed on a POA&M and which cannot.
2. How conditional certification works (you may pass with conditions if POA&Ms meet rules).
3. How to design a prioritized remediation strategy that is realistic, defensible, and aligned with CMMC 2.0 expectations.

Step 2 – POA&M Structure and Scoring Logic

A POA&M is a structured document that records:

1. The gap (which practice/control is not fully implemented)
2. Risk and impact (what could go wrong, and how badly)
3. Planned actions (technical, procedural, and organizational steps)
4. Milestones and dates (with owners and measurable outcomes)
5. Residual risk during the remediation window

Under CMMC 2.0, POA&M use is constrained by scoring rules derived from the DoD Assessment Methodology:

• Each NIST 800‑171 control (CMMC Level 2 practice) maps to a score impact (0, −1, −3, or −5 points).
• Your CMMC Level 2 minimum passing score is typically 88/110 (this figure may be adjusted by contract, but 88 is the common reference point).
• A practice that is not yet implemented but placed on a POA&M is initially scored as if it is missing (so your current score reflects the gap).
• POA&M rules limit how many points can be associated with open POA&Ms and which practices are ineligible for deferral.

This logic forces organizations to:

• Implement high‑value / high‑impact controls before assessment.
• Use POA&Ms only for lower‑impact, well‑bounded gaps.

You should think of POA&Ms as: short‑term, risk‑bounded exceptions, not a substitute for building a mature security program.

Step 3 – What Cannot Go on a POA&M (Non‑Deferrable Controls)

DoD has been explicit that some practices are too fundamental to be deferred. While exact lists can be updated in guidance, you should understand the categories that are almost always non‑deferrable for CMMC Level 2:

1. Core access control and boundary protections

• Examples:
• Multi‑factor authentication (MFA) for privileged and remote access (AC‑2(1), IA‑2(2)/(3) equivalents)
• Network boundary protections (firewalls, segmentation) for CUI environments
• Rationale: Without them, attackers can trivially access CUI.

1. Cryptographic protections for CUI in transit and at rest

• Use of FIPS‑validated cryptographic modules (SC‑13, SC‑12‑related)
• Encrypted remote access sessions
• Rationale: CUI could be exposed over untrusted networks or lost devices.

1. Incident detection, response, and logging basics

• Logging of security‑relevant events
• Incident response planning and reporting
• Rationale: Without these, you cannot even detect or respond to compromise.

1. System security plan (SSP)

• A current, accurate SSP is mandatory before assessment.
• You cannot place "SSP incomplete" on a POA&M and still expect certification.

1. Any practice explicitly designated as non‑deferrable in DoD guidance or in your contract

• Some solicitations and contracts specify control‑level must‑haves.

Key takeaway:

If a control is:

• foundational to identity, boundary, or cryptography, or
• essential to incident detection/response, or
• the SSP itself,

then you should assume it cannot be deferred to a POA&M unless current DoD guidance explicitly says otherwise.

Practical implication:

When you build your remediation strategy, treat these as Day‑0 controls: they must be in place before you schedule a CMMC assessment.

Step 4 – Example: Evaluating a Control for POA&M Eligibility

Consider a small defense contractor preparing for CMMC Level 2. They have completed an internal NIST 800‑171 self‑assessment and identified three gaps:

1. Gap A – Missing MFA for remote admin access

• Current state: Admins use password‑only VPN access to manage CUI systems remotely.
• Impact: If credentials are stolen, an attacker can reach CUI systems.
• Category: Core access control / boundary.
• POA&M eligibility? Almost certainly NO.
• Reason: MFA for remote/privileged access is a high‑impact, non‑deferrable control.

1. Gap B – Incomplete documented procedure for media sanitization

• Technical controls: Secure wipe tools are in use; staff do wipe drives.
• Documentation: The formal written procedure is outdated and not aligned with current tools.
• Impact: Moderate – risk of inconsistent practice, but technical tooling exists.
• POA&M eligibility? Possibly YES, if:
• The practice is partially implemented,
• Residual risk is low and well understood,
• It does not fall in a non‑deferrable category.

1. Gap C – Centralized log aggregation not fully deployed

• Current state: Local logs are enabled on endpoints and servers; central SIEM is only partially rolled out.
• Impact: Reduced ability to correlate events quickly, but basic logging exists.
• POA&M eligibility? Maybe, depending on:
• Which specific 800‑171 controls are affected (e.g., AU‑6, AU‑12, etc.),
• How DoD scoring assigns points and non‑deferrable status to those controls.

In a realistic scenario, the organization might:

• Fully implement MFA before scheduling the assessment.
• Place Gap B and possibly Gap C on POA&Ms with:
• Clearly defined actions,
• Short, realistic deadlines,
• Documented residual risk.

This example shows how you should reason:

1. Identify the control and its category.
2. Map it to scoring impact and DoD guidance.
3. Decide: non‑deferrable (must be fixed pre‑assessment) vs. POA&M‑eligible.

Step 5 – Conditional Certification and Deadlines

Under CMMC 2.0, you can sometimes achieve a conditional certification if:

1. Your current implemented score meets or exceeds the minimum threshold (e.g., 88/110 for Level 2), and
2. Any remaining gaps are:

• Eligible for POA&Ms,
• Within the maximum allowed cumulative score for POA&Ms (e.g., DoD has historically discussed caps like 10 points),
• Assigned realistic, time‑bound remediation plans.

How conditional certification works conceptually:

• The C3PAO (third‑party assessor) performs the assessment and calculates your actual score.
• If you:
• Meet the required score without counting future POA&M fixes, and
• All remaining gaps comply with POA&M rules,

then the report may support a CMMC certification with conditions.

• The conditions typically include:
• Deadlines for closing each POA&M item (e.g., 180 days from certification date, shorter for higher‑risk items).
• Possible interim reporting to the DoD or prime contractor.

If you miss remediation deadlines:

• The conditional certification can be revoked or lapse.
• Your organization may:
• Lose eligibility for new awards involving CUI,
• Face contractual non‑compliance for existing contracts that require ongoing CMMC conformance.

Important nuance:

• Conditional certification is not guaranteed; it depends on:
• The assessor’s findings,
• The DoD’s thresholds and current policy,
• Contract‑specific language.

For planning purposes, assume:

• You must be able to operate securely on Day 1 (no critical gaps).
• POA&Ms are for residual, lower‑impact issues with short time horizons.

Step 6 – Thought Exercise: Triage Your Gaps

Imagine you are the security lead for a mid‑size contractor targeting CMMC Level 2 certification within the next 9 months. Your internal assessment identifies the following gaps:

1. No MFA for remote access to CUI systems.
2. CUI data at rest on laptops is encrypted, but not with FIPS‑validated crypto.
3. Vendor access to a critical application is allowed via VPN, but there is no documented process for approving/terminating vendor accounts.
4. Backups for CUI systems exist, but off‑site copies are not encrypted.
5. Annual security awareness training is performed, but records for some staff are missing.

Your task

For each gap, classify it into one of three buckets:

• Bucket 1 – Must be fixed *before* assessment (non‑deferrable)
• Bucket 2 – Likely POA&M‑eligible with short deadline
• Bucket 3 – Low‑impact / documentation‑heavy; safe to defer if allowed

Write down your classification and reasoning. Then compare with the guidance below.

---

Suggested reasoning (do this after you decide):

• Gap 1 (MFA) – Bucket 1: Core access control, high‑impact.
• Gap 2 (FIPS‑validated crypto) – Bucket 1: Cryptographic protection for CUI at rest; usually non‑deferrable.
• Gap 3 (vendor access process) – Bucket 2 or 3: Depends on actual risk; technical control may exist, but process is weak.
• Gap 4 (off‑site backup encryption) – Bucket 1 or 2: High impact if backups are lost; often treated as critical.
• Gap 5 (training records) – Bucket 3: Documentation/record‑keeping; lower direct technical risk.

Reflect on how risk, control category, and DoD guidance influenced your choices.

Step 7 – Designing a Risk‑Based Remediation Strategy

To move from theory to practice, you need a structured remediation plan that aligns with CMMC 2.0 constraints.

A robust approach consists of five stages:

1. Inventory and classify gaps

• Map each gap to:
• The specific NIST 800‑171 / CMMC practice ID (e.g., AC.1.001, SC.3.177).
• Its score impact (−1, −3, or −5).
• Its category: identity, boundary, crypto, logging, incident response, etc.
• Tag each gap as likely non‑deferrable or potentially POA&M‑eligible.

1. Quantify risk and business impact

• For each gap, estimate:
• Likelihood of exploitation (high/med/low).
• Impact on CUI confidentiality, integrity, availability.
• Business impact (e.g., downtime, reputational damage, contract loss).
• Use a simple 3×3 or 5×5 risk matrix to rank.

1. Sequence remediation by value and dependency

• Prioritize controls that:
• Are non‑deferrable and
• Reduce many risks at once (e.g., MFA, EDR deployment, network segmentation).
• Respect technical dependencies (e.g., implement centralized identity before enforcing MFA everywhere).

1. Decide POA&M candidates

• For lower‑impact gaps:
• Confirm they are eligible per current DoD guidance.
• Ensure the total POA&M score remains below DoD’s cap.
• Assign short, realistic closure dates (typically ≤ 180 days for most items).

1. Document and govern

• Maintain a POA&M register with:
• Gap description, owner, milestones, due dates.
• Interim compensating controls (if any).
• Regular status reviews (e.g., monthly risk committee meetings).
• Update your SSP and related policies as controls are implemented.

The goal is to arrive at a pre‑assessment posture where:

• All non‑deferrable, high‑impact controls are implemented.
• Remaining gaps are small, controlled, and clearly tracked.
• Your CMMC score meets the threshold even if POA&Ms are still open.

Step 8 – A Simple POA&M Tracking Template (Pseudo‑Code / YAML)

You can manage POA&Ms in a spreadsheet, GRC tool, or even a simple text‑based format. Here is a YAML‑style template that captures the essentials:

```yaml

poam_items:

• id: POAM-001

control_id: AC.1.001

control_name: Limit information system access to authorized users

description: >

Formal documented user access review procedure is incomplete,

though technical access controls are in place.

currentimplementationstatus: Partially Implemented

score_impact: -1

risk_rating: Medium

non_deferrable: false

compensating_controls:

• Quarterly manual review of privileged accounts by IT lead

planned_actions:

• Update access review SOP to align with NIST 800-171
• Train helpdesk staff on new procedure

milestones:

• milestone_1:

description: Draft SOP completed

due_date: 2025-03-15

• milestone_2:

description: SOP approved and training delivered

due_date: 2025-04-01

owner: itsecuritymanager

status: Open

targetcompletiondate: 2025-04-01

• id: POAM-002

control_id: AU.2.041

control_name: Ensure audit records are reviewed and analyzed

description: >

Centralized log correlation is not fully enabled. Local logging

is active but correlation and alerting are limited.

currentimplementationstatus: Partially Implemented

score_impact: -3

risk_rating: High

non_deferrable: false

compensating_controls:

• Weekly manual log review on critical servers
• Endpoint detection and response (EDR) alerts monitored 24/7

planned_actions:

• Complete SIEM rollout to all CUI systems
• Define and tune correlation rules for key attack patterns

milestones:

• milestone_1:

description: All CUI endpoints sending logs to SIEM

due_date: 2025-02-10

• milestone_2:

description: Alert tuning and runbook creation completed

due_date: 2025-03-01

owner: soc_manager

status: Open

targetcompletiondate: 2025-03-01

metadata:

totalopenpoam_score: -4

maxallowedpoam_score: -10

assessment_date: 2025-01-20

```

This structure helps you:

• Track which controls are on POA&M.
• Monitor score impact vs. allowed POA&M cap.
• Demonstrate to assessors that you have a disciplined, time‑bound remediation plan.

Step 9 – Check Understanding: POA&M and Conditional Certification

Answer this question to test your understanding of POA&M limits under CMMC 2.0.

Step 10 – Key Term Review

Flip the cards to reinforce critical terminology related to POA&Ms and remediation strategy.

Step 11 – Apply It: Build a Mini Remediation Roadmap

To consolidate your learning, sketch a mini remediation roadmap for a hypothetical Level 2 environment.

Scenario

You manage a small enclave processing CUI. After an internal assessment, you identify these gaps:

1. No MFA for remote admin access.
2. Endpoint Detection & Response (EDR) deployed, but no central SIEM.
3. Some CUI file shares lack encryption at rest (non-FIPS algorithms in use).
4. Annual security training is done but lacks CUI-specific modules.
5. Media sanitization is performed but not formally documented.

Task

1. Classify each gap as:

• Non-deferrable (must fix pre-assessment), or
• Potentially POA&M-eligible.

1. Prioritize them into a 3–6 month roadmap, e.g.:

• Month 1–2: Implement MFA and FIPS-compliant encryption for CUI shares.
• Month 2–3: Update training content; document media sanitization.
• Month 3–4: Expand logging and SIEM integration.

1. For one POA&M-eligible gap, draft:

• A short description
• Risk rating
• Planned actions and target completion date
• Any compensating controls

Compare your roadmap to the principles from earlier steps:

• Are high-impact, non-deferrable controls front-loaded?
• Are POA&M candidates low-impact, documentation-heavy, or incremental improvements?
• Are timelines realistic (≤ ~6 months for most items)?