What is a POAM?

A Plan of Action and Milestones (POAM) is, as defined by NIST, a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones”.
When your organization is working towards NIST 800-171 compliance, some requirements may be unmet. A POAM is the document you use to plan, assign and track the remediation of those gaps until each one is closed.
Read on to learn more about how POAMs fit into CMMC 2.0 and the steps required to develop a POAM.
POAMs and CMMC 2.0
Previously, under the initial CMMC framework, POAMs were not allowed. You either met all requirements or you didn’t. Under the updated CMMC 2.0, POAMs are permitted on a “limited use” basis.
The DoD anticipates a 180-day timeline to resolve a POAM. Additionally, of the 110 controls in NIST 800-171 and CMMC Level 2, POAMs for the highest-weighted requirements are likely not permitted. This means that almost 40% of the requirements in NIST 800-171 and CMMC Level 2 will not be eligible for a POAM and must be fully met at assessment time.
Developing A POAM
Usually, organizations will undergo an internal audit or external assessment, like SSE’s Gap Assessment, to identify and document gaps in their compliance.
A POAM will contain the following information:
- The area(s) of non-compliance with NIST 800-171
- The area(s) of the organization responsible for the system or network vulnerability
- The resources needed to solve the vulnerability
- Key project milestones with deadline dates
- The final date for becoming compliant
- The status of the improvement project
The final document is usually maintained as a spreadsheet and should be continuously updated until every item in it has been resolved.
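The following Python sketch is an added illustration, not SSE’s template or a NIST artifact. It stores each POAM entry with the fields listed above, flags entries that are missing information or whose milestones fall after the final compliance date, and checks each entry’s planned completion against the DoD’s anticipated 180-day window. The field names, the sample entries and the assessment date are constructed for the example; the control numbers are only illustrative placeholders for whichever NIST 800-171 requirements your own assessment found unmet.

```python
"""Minimal POAM tracker (hypothetical helper, not SSE's or NIST's)."""
from dataclasses import dataclass
from datetime import date, timedelta

# DoD's anticipated resolution timeline, as cited in the post.
DOD_POAM_WINDOW_DAYS = 180

# Fields every entry must carry (names are this example's own choice).
REQUIRED_FIELDS = ("control", "weakness", "owner", "resources", "completion_date", "status")
VALID_STATUSES = ("Open", "In Progress", "Completed")


@dataclass
class PoamItem:
    control: str          # NIST 800-171 requirement that is not met
    weakness: str         # the area of non-compliance
    owner: str            # organizational area responsible for the fix
    resources: str        # resources needed to remediate
    milestones: list      # list of (description, due date) tuples
    completion_date: date # final date for becoming compliant
    status: str = "Open"  # status of the improvement project


def validate_item(item: PoamItem) -> list:
    """Return a list of problems with the entry; an empty list means it is complete."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not getattr(item, name):
            problems.append(f"{item.control or '?'}: missing {name}")
    if not item.milestones:
        problems.append(f"{item.control}: no milestones recorded")
    for desc, due in item.milestones:
        if due > item.completion_date:
            problems.append(f"{item.control}: milestone '{desc}' is due after the completion date")
    if item.status not in VALID_STATUSES:
        problems.append(f"{item.control}: unknown status {item.status!r}")
    return problems


def exceeds_window(item: PoamItem, opened: date) -> bool:
    """True if the planned completion date falls outside the 180-day window from 'opened'."""
    return item.completion_date > opened + timedelta(days=DOD_POAM_WINDOW_DAYS)


def open_items(items, today: date) -> list:
    """(control, overdue?) for every entry that is not yet completed."""
    return [(i.control, i.completion_date < today) for i in items if i.status != "Completed"]


# Constructed sample data: an assessment date and three illustrative entries.
OPENED = date(2024, 1, 15)
SAMPLE = [
    PoamItem("3.1.1", "No documented account provisioning process", "IT Operations",
             "Admin time; identity provider configuration",
             [("Draft procedure", date(2024, 2, 15)), ("Enforce in IdP", date(2024, 4, 1))],
             date(2024, 4, 30), "In Progress"),
    PoamItem("3.5.3", "MFA not enforced for remote access", "Network Team",
             "MFA licences; rollout staff",
             [("Pilot MFA", date(2024, 3, 1)), ("Full rollout", date(2024, 9, 1))],
             date(2024, 9, 30), "Open"),
    # Deliberately incomplete entry: blank weakness, no milestones, non-standard status.
    PoamItem("3.14.6", "", "Security", "SIEM tuning", [], date(2024, 3, 1), "Done"),
]

if __name__ == "__main__":
    for item in SAMPLE:
        for problem in validate_item(item):
            print("PROBLEM:", problem)
        if exceeds_window(item, OPENED):
            print(f"{item.control}: completion planned beyond {DOD_POAM_WINDOW_DAYS} days")
    print("open items:", open_items(SAMPLE, date(2024, 5, 15)))
```

Run as a script it prints the three problems in the incomplete entry, flags the MFA item as planned beyond the 180-day window, and lists the entries still open as of the chosen date. Feeding it the rows of an existing spreadsheet is a matter of building `PoamItem` objects from each row.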
Work With SSE
At SSE, we know these evolving requirements can feel overwhelming. As a Registered Provider Organization with the CMMC Accreditation Board, we are up to speed on the latest changes. As a DoD Contractor ourselves, we have the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.
Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment with our team now!