A POA&M, or Plan of Action and Milestones, is a document used to track remediation items that are being addressed as part of CMMC Level 2 readiness. It identifies the specific gap, who owns it, what action is required, and when it is expected to be resolved.
At Level 2, a POA&M is not a catch-all list for unresolved issues. Certain gaps cannot remain open if an organisation wants to support a defensible assessment or self-attestation position. Items must be specific, owned, time-bound, and backed by evidence of progress. If a POA&M is vague, open-ended, or used to defer issues that materially weaken the assessment boundary or control implementation, it creates risk rather than reducing it.
