Plan of Action and Milestones (POA&M) Template | By Petronella Technology Group
Track remediation of CMMC compliance gaps. Each open finding should have a POA&M entry with specific milestones, resources, and completion dates.
Important: CMMC allows conditional certification with open POA&Ms, but all POA&Ms must be closed within 180 days of the conditional certification date.
Organization Information
| Field | Details |
|---|---|
| Organization | |
| System Name | |
| Target CMMC Level | |
| POA&M Created | |
| Last Updated | |
| Maintained By | |
| Conditional Certification Date | |
| 180-Day Deadline |
POA&M Register
POA&M-001
| Field | Details |
|---|---|
| Practice ID | [e.g., IA.L2-3.5.3] |
| NIST 800-171 Ref | [e.g., 3.5.3] |
| Requirement | [Full requirement text] |
| Weakness/Gap | [Describe the specific gap -- what is missing or incomplete] |
| Current Status | NOT MET / PARTIAL |
| SPRS Point Deduction | [1, 3, or 5 points] |
| Risk Level | Critical / High / Medium / Low |
Remediation Plan:
| Milestone | Description | Owner | Start Date | Target Date | Status |
|---|---|---|---|---|---|
| 1 | [First remediation step] | [Name] | Not Started | ||
| 2 | [Second step] | [Name] | Not Started | ||
| 3 | [Verification/testing] | [Name] | Not Started | ||
| 4 | [Documentation update] | [Name] | Not Started |
Resources Required: - Budget: $[amount] - Personnel: [roles/hours] - Technology: [tools/licenses needed]
Completion Evidence: [What artifacts will prove this is fixed?]
POA&M-002
| Field | Details |
|---|---|
| Practice ID | |
| NIST 800-171 Ref | |
| Requirement | |
| Weakness/Gap | |
| Current Status | NOT MET / PARTIAL |
| SPRS Point Deduction | |
| Risk Level |
Remediation Plan:
| Milestone | Description | Owner | Start Date | Target Date | Status |
|---|---|---|---|---|---|
| 1 | Not Started | ||||
| 2 | Not Started | ||||
| 3 | Not Started |
Resources Required: - Budget: $ - Personnel: - Technology:
Completion Evidence:
POA&M-003
| Field | Details |
|---|---|
| Practice ID | |
| NIST 800-171 Ref | |
| Requirement | |
| Weakness/Gap | |
| Current Status | NOT MET / PARTIAL |
| SPRS Point Deduction | |
| Risk Level |
Remediation Plan:
| Milestone | Description | Owner | Start Date | Target Date | Status |
|---|---|---|---|---|---|
| 1 | Not Started | ||||
| 2 | Not Started | ||||
| 3 | Not Started |
Resources Required: - Budget: $ - Personnel: - Technology:
Completion Evidence:
Copy and repeat the POA&M block above for each additional finding.
POA&M Summary Dashboard
| POA&M ID | Practice | Risk | Owner | Target Date | Status | Days Remaining |
|---|---|---|---|---|---|---|
| 001 | ||||||
| 002 | ||||||
| 003 |
Status Overview
| Status | Count |
|---|---|
| Not Started | |
| In Progress | |
| Completed | |
| Overdue | |
| Total |
SPRS Score Impact
| Metric | Value |
|---|---|
| Current SPRS Score | |
| Points in POA&M | |
| Projected Score at Completion | 110 |
Review Log
| Date | Reviewer | Notes | POA&Ms Reviewed |
|---|---|---|---|
Need help managing your POA&Ms? Contact Petronella Technology Group -- CMMC Registered Practitioner on staff.