
CMMC POA&Ms and Critical Requirements: What You Can and Can’t Defer as the Enforcement Deadline Approaches
The CMMC 2.0 enforcement deadline is here, and if you’re like many defense contractors right now, you may be feeling the pressure. Organizations across the Defense Industrial Base are scrambling to close gaps, prepare documentation, and figure out whether they can use a Plan of Action and Milestones (POA&M) to buy a little more time. It’s a natural instinct: with limited resources and a ticking clock, everyone is looking for ways to move fast and prioritize.
But while the POA&M is an important tool in the CMMC framework, it’s not a safety net that lets you put off the hard stuff. There are strict rules around what can and cannot be included on a POA&M, and misunderstanding those rules could put your eligibility for contracts at risk.
Let’s walk through what the POA&M really means for CMMC compliance, what it can and can’t cover at each level, and how to take a smarter approach to meeting requirements before the deadline.
Understanding the role of a POA&M in CMMC compliance
At its core, a POA&M is a corrective action plan. It documents known deficiencies, sets milestones to fix them, and provides a clear timeline for remediation. The Department of Defense included POA&Ms in CMMC 2.0 because they recognize that no system is perfect and that some contractors may need a short runway to close gaps.
What a POA&M is not, however, is a way to avoid or delay security requirements. The rules in 32 CFR §170.22 and §170.23 make it clear that certain “critical requirements” must be fully implemented at the time of assessment. If those are missing, no POA&M will save you.
Think of the POA&M as a patch kit, not a structural foundation. It’s there to help with smaller cracks, not to replace the load-bearing walls of your compliance program.
Level 1: No deferrals allowed
At CMMC Level 1, POA&Ms are not permitted. The 15 basic safeguarding requirements aligned with FAR 52.204-21 must be in place before you submit your self-assessment to SPRS. That means if you’re a contractor only handling Federal Contract Information (FCI), you cannot defer anything. You either meet all 15 or you don’t.
This might sound strict, but Level 1 is intentionally limited in scope. The idea is that these are the most fundamental security practices — things like limiting system access and scanning for vulnerabilities — and there’s no room for partial credit.
Level 2: Limited POA&M use with critical exceptions
POA&Ms are permitted at CMMC Level 2, but only for a specific subset of requirements. According to 32 CFR §170.22, you can submit a POA&M for certain gaps, but you must fully implement the “critical” practices at the time of assessment.
Here are some of the key requirements that cannot go on a POA&M at Level 2:
- Multi-factor authentication (MFA): Without MFA, your system is wide open to credential theft. This is a fundamental defense measure that assessors expect to see live and working.
- FIPS-validated encryption: If you’re storing or transmitting Controlled Unclassified Information (CUI), you must have proper encryption in place.
- Incident response capability: Having an incident response plan and the ability to act on it is non-negotiable. You can’t defer the mechanism you’d use to respond if things go wrong.
- Audit logging: The ability to generate and review logs is critical for both prevention and detection. Without it, you can’t demonstrate accountability.
- System Security Plan (SSP): Your SSP is the backbone of your compliance effort. If it’s missing or incomplete, you don’t have a credible foundation for assessment.
These non-negotiable requirements represent the core of your security posture. If you don’t have them in place, there’s no assurance that your environment is secure enough to handle CUI, and your assessor cannot certify you for CMMC Level 2.
Other requirements may be deferred to a POA&M, provided you set milestones and remediate within the DoD’s mandated timeframe (typically 180 days). But don’t make the mistake of relying too heavily on the POA&M: the more you lean on it, the more you risk operational disruption later when those deferred items come due.
Level 3: Advanced requirements that can’t be deferred
At CMMC Level 3, the requirements increase again. On top of the 110 practices in NIST 800-171, you’ll need to implement 24 additional practices aligned with NIST SP 800-172. These are designed to counter advanced persistent threats, and many of them are considered critical requirements.
Just like at Level 2, you cannot defer the critical practices to a POA&M. For example:
- Enhanced monitoring and detection: Advanced logging, threat hunting, and continuous monitoring must be operational. These are not items you can patch in later.
- Cryptographic key management: Strong key management is essential to protecting encrypted data. A gap here cannot be deferred.
- Privileged access management: At Level 3, how you control and monitor privileged accounts is under heavy scrutiny. Weaknesses in this area cannot be postponed.
- Supply chain risk management: Assessors will expect to see evidence that you’re actively identifying and managing risks from third-party suppliers.
Given the sensitivity of the data involved, Level 3 leaves even less room for flexibility. If you’re handling the highest-value contracts, the government expects that your defenses against nation-state-level threats are already in place.
Why the POA&M isn’t a shortcut
Contractors sometimes fall into the trap of thinking a POA&M is a way to “pass now, fix later.” The reality is that a POA&M is a temporary corrective measure with strict deadlines. If you fail to close out items on time, you’ll be out of compliance and at risk of losing contracts.
And remember: assessors don’t just want to see a document. They want to see working controls, real evidence, and a system that can effectively protect sensitive data today.
A smarter way to meet CMMC compliance deadlines
With the enforcement deadline rapidly approaching, the most effective strategy isn’t to push requirements onto a POA&M. It’s to focus on building a compliance program that’s assessment-ready from the start.
Automation platforms can be critical tools for streamlining assessment readiness in ways that actually help fortify your security and compliance posture. Instead of chasing spreadsheets and scrambling to generate evidence at the last minute, these tools connect directly to your systems to collect data automatically, map the controls you already have in place to CMMC requirements, pinpoint compliance gaps, and give you real-time visibility into your security posture and compliance status.
By streamlining everything from your System Security Plan to ongoing evidence collection, automation makes it possible to close gaps faster, reduce the risk of errors, and get ready for assessment fast without relying on POA&Ms as a crutch.
Accelerate CMMC compliance the right way
The bottom line is this: POA&Ms are a tool, not a lifeline. At Level 1, you can’t use them at all. At Level 2, you can use them sparingly — but not for the critical requirements that define your security posture. At Level 3, the bar is even higher, with advanced practices that must be fully operational before your assessment.
If you’re scrambling right now, don’t gamble on the POA&M. Prioritize the critical requirements, leverage automation to streamline manual work and accelerate assessment readiness, and put yourself in a position where compliance is sustainable over time.