Free template · Markdown or Word · no email gate
POA&M template for NIST 800-171
A Plan of Action & Milestones (POA&M) documents each unmet NIST SP 800-171 requirement: the weakness, the remediation plan, who owns it, and the target date. Under CMMC Level 2 it is tightly limited — conditional status requires a score of at least 88 of 110, generally only 1-point gaps, all closed within 180 days. Six requirements are never eligible.
The 32 CFR 170.21 eligibility rules
A POA&M is not a parking lot for every gap. For a Level 2 assessment to end in conditional certification, all of the following must hold:
- Score at least 88 of 110 on the assessment (the 80% line under the DoD Assessment Methodology).
- Only 1-point items may sit on the POA&M — with exactly one exception: 3.13.11 (CUI encryption) qualifies in its 3-point partial case, where encryption is deployed but not yet FIPS-validated.
- None of the six never-eligible requirements may be open (table below) — those must be fully implemented before the assessment.
- Every item closes within 180 days of the conditional status date, verified by closeout — or the conditional status lapses.
And one rule that surprises people: Level 1 allows no POA&M at all. POA&Ms are a Level 2 mechanism, inside these limits.
The six never-eligible requirements
| Requirement | What it covers |
|---|---|
| AC.L2-3.1.20 | Verify and limit external system connections |
| AC.L2-3.1.22 | Control CUI on publicly accessible systems |
| CA.L2-3.12.4 | Develop and update system security plans |
| PE.L2-3.10.3 | Escort visitors and monitor visitor activity |
| PE.L2-3.10.4 | Maintain audit logs of physical access |
| PE.L2-3.10.5 | Control and manage physical access devices |
Source: 32 CFR 170.21. Requirement titles from NIST SP 800-171 Rev 2. Verified June 2026. The full scoring math behind the 88-point line is on our scoring methodology page.
A worked example
Here is the shape a useful POA&M takes — six rows from a demonstration artifact set for Ridgeline Precision Components LLC, a fictional company we use to show output quality (no real company data). Notice what the eligibility column does: it splits the same list into "can ride to a conditional assessment" and "must fix first."
| # | Requirement | Title | Points | POA&M-eligible | Status |
|---|---|---|---|---|---|
| 1 | AU.L2-3.3.3 | Review and update logged event types | 1 | Yes | Not implemented |
| 2 | CM.L2-3.4.3 | Track, review, approve, and log changes | 1 | Yes | Not implemented |
| 3 | SC.L2-3.13.11 | Employ FIPS-validated cryptography to protect CUI | 3 | Yes | Partially implemented |
| 4 | IA.L2-3.5.3 | Use multifactor authentication for system access | 3 | No — must fix | Partially implemented |
| 5 | RA.L2-3.11.2 | Scan for system and application vulnerabilities | 5 | No — must fix | Not implemented |
| 6 | CA.L2-3.12.4 | Develop and update system security plans | unscored | No — must fix | Not implemented |
Fictional sample, excerpted. Row 4 shows the asymmetry that trips people up: 3.5.3 (MFA) in its partial case deducts 3 points but is not POA&M-eligible — only 3.13.11 gets the 3-point exception. Row 6 is the SSP gate: unscored, never eligible, and without it no assessment can be completed at all.
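The eligibility rules above and the six fictional rows, encoded as a small classifier. This is an added example, not the template or any official DoD tool; the `Gap` type, field names and function names are assumptions made for illustration, while the rules and sample values come from this page.

```python
# Added example: 32 CFR 170.21 POA&M eligibility check over the fictional
# Ridgeline Precision Components rows. Gap/field/function names are assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

NEVER_ELIGIBLE = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}
MAX_SCORE = 110
CONDITIONAL_FLOOR = 88   # the 80% line under the DoD Assessment Methodology
CLOSEOUT_DAYS = 180

@dataclass
class Gap:
    req: str                 # NIST SP 800-171 id, e.g. "3.3.3"
    points: Optional[int]    # deduction if left open; None = unscored (SSP)
    partial: bool            # True = partially implemented, False = not implemented

def poam_eligible(g: Gap) -> bool:
    """May this open gap ride on a POA&M into a conditional assessment?"""
    if g.req in NEVER_ELIGIBLE:
        return False
    if g.points == 1:
        return True
    # The single exception: 3.13.11 in its 3-point partial case.
    return g.req == "3.13.11" and g.partial and g.points == 3

def score(gaps: List[Gap]) -> int:
    # Unscored items (the SSP) deduct nothing; the page notes a missing SSP
    # blocks the assessment entirely, which the must-fix list captures.
    return MAX_SCORE - sum(g.points or 0 for g in gaps)

def conditional_status(gaps: List[Gap]):
    """Return (eligible_for_conditional, score, ids that must be fixed first)."""
    s = score(gaps)
    must_fix = [g.req for g in gaps if not poam_eligible(g)]
    return (s >= CONDITIONAL_FLOOR and not must_fix, s, must_fix)

def closeout_deadline(conditional_date: date) -> date:
    """Last day to close every POA&M item before conditional status lapses."""
    return conditional_date + timedelta(days=CLOSEOUT_DAYS)

# Constructed sample: the six rows of the fictional worked example above.
SAMPLE = [
    Gap("3.3.3", 1, False), Gap("3.4.3", 1, False), Gap("3.13.11", 3, True),
    Gap("3.5.3", 3, True), Gap("3.11.2", 5, False), Gap("3.12.4", None, False),
]

if __name__ == "__main__":
    ok, s, must_fix = conditional_status(SAMPLE)
    print(f"score {s}/{MAX_SCORE}, conditional-eligible: {ok}, fix first: {must_fix}")
```

Note that the score alone (97 here) clears the 88 line; it is the three ineligible rows that block conditional status.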
Download the blank POA&M template
Free and ungated: a ready-to-fill table with the columns assessors expect — requirement, points, eligibility, weakness, remediation plan, resources, responsible role, milestone and completion dates — with the 32 CFR 170.21 limits printed at the top so the rules travel with the document.
The hard part isn't the table — it's knowing which gaps are eligible. The free assessment classifies every gap for you, then drafts the POA&M from your own answers.
Straight answers
What score do I need to use a POA&M for CMMC Level 2?
Conditional Level 2 status requires an assessment score of at least 88 of 110 AND every open gap POA&M-eligible (32 CFR 170.21). Both conditions matter: an 88 with one wrong kind of gap — a 5-point item, or any of the six never-eligible requirements — still fails.
Which requirements can never be on a POA&M?
Six requirements are never POA&M-eligible under 32 CFR 170.21: 3.1.20 (external connections), 3.1.22 (publicly posted content), 3.12.4 (the SSP itself), and 3.10.3, 3.10.4, 3.10.5 (escorting visitors, physical access logs, managing physical access devices). Beyond those, only 1-point items qualify — with one exception: 3.13.11 in its 3-point partial case, where encryption is deployed but not FIPS-validated.
How long do I have to close POA&M items?
One hundred eighty days from the conditional status date. Items closed within 180 days are verified in a closeout assessment; miss the window and the conditional status lapses (32 CFR 170.21).
Does CMMC Level 1 allow a POA&M?
No. Level 1 permits no POA&M at all — every one of its basic safeguarding requirements must be fully met to self-assess as compliant. POA&Ms exist only at Level 2 and above, within the limits described on this page.
Stop guessing which gaps can wait
The free assessment scores all 110 requirements with the exact DoD methodology and splits your gaps into POA&M-eligible and must-fix — then drafts the POA&M from your answers.
Start the free assessment