Plan of Action and Milestones
Also known as: POA&M, POAM
A Plan of Action and Milestones (POA&M) is a written document that identifies security weaknesses, the corrective actions planned to address them, and the milestones for doing so. POA&Ms are permitted at CMMC Level 2 (for limited categories of controls, with closure timelines) but are NOT permitted at Level 1, Level 1 requires full implementation before affirmation.
Related terms
- Binary Assessment
Binary assessment is the CMMC Level 1 scoring model in which each of the 15 safeguarding requirements is rated either MET or NOT MET, there is no partial credit, no point value, and no Plan of Action and Milestones (POA&M) permitted. The organization must achieve MET on all 15 requirements to be compliant.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.