CMMC POA&M Template for NIST 800-171 (Excel)
The POA&M is the last thing standing between a Conditional CMMC Status and a clean fail. Here is what 32 CFR 170.21 actually lets you defer, what it never will, and the Excel tracker practitioners use to build one an assessor accepts.
Under CMMC Level 2, a Plan of Action and Milestones (POA&M) is not a place to park the controls you did not finish. 32 CFR 170.21 permits one only to reach a Conditional CMMC Status, only for requirements scored NOT MET, and only when three conditions hold at once: you already scored at least 88 of 110, nothing on the plan is worth more than 1 point (with a single encryption exception), and none of the six named requirements appear on it.
A blank POA&M template does not know any of that. It gives you columns to fill in. It will happily let you list a 5-point control, or your System Security Plan, as a deferred item, and an assessor will reject the plan the moment they read it. The work is not the spreadsheet. It is knowing which gaps the rule allows you to defer before you walk into the assessment.
This page covers what a CMMC POA&M is under 32 CFR 170.21, exactly what can and cannot go on one, what a real POA&M row looks like, and the done-for-you Excel tracker that produces it.
What a CMMC POA&M actually is (32 CFR 170.21)
A POA&M is the documented, time-bound plan to close the security requirements an assessor scored NOT MET. Under 32 CFR 170.21 it has one function: it lets an Organization Seeking Assessment reach a Conditional CMMC Status instead of failing outright. It is not a substitute for implementing a control. Under the CMMC Scoring Methodology in 32 CFR 170.24, a requirement on a POA&M is still scored NOT MET until it is closed.
A POA&M is also not permitted at every level. For a Level 1 self-assessment, 32 CFR 170.21(a)(1) allows no POA&M at all, and every requirement must be MET. The conditional path exists only at Level 2 and Level 3, each with its own set of conditions in the rule. The Level 2 conditions are the ones covered below.
For each NOT MET requirement, your plan documents the finding, the milestones to close it, the responsible party, and a completion date inside the 180-day window. That is the artifact an assessor reviews, and the one this template is built to produce.
What can and cannot go on a CMMC POA&M
Section 170.21 runs two separate filters, and both have to pass.
The point-value filter (170.21(a)(2)(ii)). Only requirements worth 1 point under the CMMC Scoring Methodology (32 CFR 170.24) are eligible. Every 3-point and 5-point requirement must be fully MET at the time of the assessment. There is exactly one exception: SC.L2-3.13.11 (CUI Encryption) may go on a POA&M if encryption is in use but not yet FIPS-validated, in which case it is scored as a 3-point deduction rather than 5. If no encryption is in place at all, the requirement is scored at 5 points, the exception does not apply, and that single gap blocks certification.
The named-exclusion filter (170.21(a)(2)(iii)). Six requirements are barred from a POA&M by name, taken verbatim from the rule:
- AC.L2-3.1.20 External Connections
- AC.L2-3.1.22 Control Public Information
- CA.L2-3.12.4 System Security Plan
- PE.L2-3.10.3 Escort Visitors
- PE.L2-3.10.4 Physical Access Logs
- PE.L2-3.10.5 Manage Physical Access
These define and protect the CUI boundary: what connects to it, what information leaves it, who enters the spaces where it lives, and the document that describes the system. The System Security Plan (CA.L2-3.12.4) is the one to watch. Under 32 CFR 170.24, a missing or incomplete SSP does not just lose a point. It produces a finding that the assessment cannot be completed at all.
The score floor (170.21(a)(2)(i)). Even with an eligible set of gaps, your assessment score divided by the total number of Level 2 requirements must be at least 0.8. With 110 requirements, that is a minimum score of 88. A perfect score is 110, so your total deductions cannot exceed 22 points. Because every deferrable item is worth 1 point, that is a hard ceiling of 22 one-point gaps. If you use the encryption exception, its 3 points come out of the same budget, leaving room for at most 19 one-point gaps alongside it. Cross the floor and no POA&M qualifies you.
Why a free or blank POA&M template will not survive a C3PAO assessment
Search "CMMC POA&M template free download" and you will find spreadsheets with the right column headers. They are not wrong. They are just blank. A blank template encodes none of the rule:
- it does not stop you from listing a 3-point or 5-point control that can never be deferred
- it does not flag the six named exclusions, including your SSP
- it does not check your running total against the 88 of 110 floor
- it does not tie each item to a 180-day closeout date
An assessor reading a POA&M that lists an ineligible requirement does not negotiate. The plan is rejected and the requirement stays NOT MET. The difference between a blank template and one an assessor accepts is the eligibility logic, and that is the part that takes the knowledge, not the formatting.
What a real CMMC POA&M row looks like
A working POA&M documents every NOT MET item in a consistent, eligibility-aware structure. Here is a single row as it appears in a finished plan:
CM.L2-3.4.9 User-Installed Software: control and monitor user-installed software.
Finding: NOT MET. Three in-scope workstations allow unrestricted software installation, with no monitoring of what users install.
Point value: 1 (eligible under 32 CFR 170.21(a)(2)(ii))
Milestones: (1) Enforce an application-control policy through the MDM to block unapproved installs. (2) Enable logging and alerting on installation attempts. (3) Validate across all in-scope endpoints.
Responsible party: IT Lead
Target completion: Day 45 of the 180-day closeout window
Status: Open, on track
Then multiply that by every NOT MET item, with the eligibility check, the running 88-point margin, and the 180-day dates handled for you. That structure is what the tracker provides.
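The two filters, the score floor and the 180-day window described above are simple enough to express as code, and a checker like this is what separates a blank spreadsheet from one that enforces the rule. The following is an added example written for this page; it is not code from the CyberZ tracker or from the rule itself. It takes each NOT MET finding with the point value the assessor scored under 32 CFR 170.24 (the caller supplies that value), applies 170.21(a)(2)(i) through (iii), and converts milestone day numbers like the "Day 45" in the row above into dates against the Conditional CMMC Status Date. The sample findings, the status date, and the placeholder IDs of the form HYP-nn are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constants taken from 32 CFR 170.21 and 170.24 for a Level 2 assessment.
TOTAL_REQUIREMENTS = 110          # also the maximum score
CLOSEOUT_DAYS = 180               # 170.21(b): POA&M closeout window
CUI_ENCRYPTION = "SC.L2-3.13.11"  # the one >1-point item allowed, at a value of 3

# The six requirements barred from a POA&M by name, 170.21(a)(2)(iii).
NAMED_EXCLUSIONS = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass(frozen=True)
class Finding:
    """One requirement the assessor scored NOT MET."""
    control_id: str
    point_value: int      # 1, 3 or 5 as scored under 170.24; supplied by the caller
    target_day: int       # planned closure, in days after the Conditional Status Date
    responsible: str = ""


def eligibility(f: Finding) -> tuple[bool, str]:
    """Apply the named-exclusion and point-value filters to a single finding."""
    if f.control_id in NAMED_EXCLUSIONS:
        return False, "barred by name under 170.21(a)(2)(iii)"
    if f.point_value == 1:
        return True, "1-point requirement, deferrable"
    if f.control_id == CUI_ENCRYPTION and f.point_value == 3:
        return True, "encryption in use but not FIPS-validated, deferrable at 3 points"
    return False, f"{f.point_value}-point requirement must be MET"


def evaluate_poam(findings: list[Finding], status_date: date) -> dict:
    """Check a whole plan: every NOT MET item, the 0.8 score floor, the 180-day window."""
    # Every NOT MET item reduces the score, eligible for deferral or not.
    score = TOTAL_REQUIREMENTS - sum(f.point_value for f in findings)
    # Integer comparison of score/110 >= 0.8 avoids any floating-point edge case.
    floor_ok = score * 10 >= TOTAL_REQUIREMENTS * 8
    problems = []
    for f in findings:
        ok, why = eligibility(f)
        if not ok:
            problems.append(f"{f.control_id}: {why}")
        if f.target_day > CLOSEOUT_DAYS:
            problems.append(f"{f.control_id}: target day {f.target_day} "
                            f"is past the {CLOSEOUT_DAYS}-day closeout")
    if not floor_ok:
        problems.append(f"score {score}/{TOTAL_REQUIREMENTS} is below the 0.8 floor")
    return {
        "score": score,
        "floor_ok": floor_ok,
        "problems": problems,
        "qualifies": not problems,
        "closeout_deadline": status_date + timedelta(days=CLOSEOUT_DAYS),
        "milestone_dates": {
            f.control_id: status_date + timedelta(days=f.target_day) for f in findings
        },
    }


# Constructed sample data (not from a real assessment).
STATUS_DATE = date(2025, 3, 1)

# A plan an assessor can accept: the row shown on this page plus the encryption exception.
GOOD_PLAN = [
    Finding("CM.L2-3.4.9", 1, 45, "IT Lead"),
    Finding("SC.L2-3.13.11", 3, 120, "IT Lead"),
]

# The same plan with two items a blank template would happily accept and an assessor will not.
BAD_PLAN = GOOD_PLAN + [
    Finding("CA.L2-3.12.4", 5, 30, "CISO"),   # SSP: named exclusion, never deferrable
    Finding("AC.L2-3.1.1", 5, 200, "IT Lead"),  # 5-point item, and past the window
]

# Twenty-three eligible 1-point gaps: each passes the filters, but 87/110 is under the floor.
# HYP-nn IDs are placeholders, not real CMMC requirement identifiers.
OVER_BUDGET_PLAN = [Finding(f"HYP-{i:02d}", 1, 30) for i in range(1, 24)]


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN), ("over", OVER_BUDGET_PLAN)):
        result = evaluate_poam(plan, STATUS_DATE)
        print(name, result["score"], result["qualifies"], result["problems"])
```

Note what the checker does not do: it does not decide point values. Those come from the scoring methodology and the assessor's findings, and a tracker that mislabels a 5-point control as 1 point will pass this logic and still fail in the room. The value of the check is that it refuses to let a named exclusion, an over-budget plan, or a milestone past day 180 into the plan unnoticed.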
The CyberZ CMMC POA&M Tracker (Excel)
The CMMC Level 2 POA&M Tracker for NIST 800-171 gives you the structured template pre-built: a row format mapped to control IDs, an eligibility check that flags any 3-point, 5-point, or named-exclusion item that cannot be deferred, a running margin against the 88 of 110 floor, and 180-day closeout dates calculated from your Conditional CMMC Status Date. You supply your findings. The rule is already wired in.
| | Free / blank template | CyberZ POA&M Tracker ($57) | Consultant-built |
|---|---|---|---|
| Eligibility logic (1-point filter, six exclusions) | No | Yes | Varies |
| 88 of 110 margin check | No | Yes | Varies |
| 180-day closeout dates tracked | No | Yes | Varies |
| Each item mapped to its control ID | No | Yes | Yes |
| You keep control of edits | Yes | Yes | Limited |
| Cost | $0 | $57 | Thousands |
CMMC Level 2 POA&M Tracker for NIST 800-171
Built to 32 CFR 170.21: an eligibility check that flags non-deferrable controls, a running margin against the 88 of 110 floor, and 180-day closeout tracking. Excel.
Get the POA&M Tracker ($57)

If you are assembling the whole assessment package before a C3PAO date, not just the POA&M, the CMMC Level 2 Readiness Kit: 5 NIST 800-171 Tools ($147) bundles this POA&M tracker with the SSP template, SPRS score workbook, asset scoping worksheet, and evidence tracker. It covers scoping, scoring, planning, and evidence in one set, for contractors who need the full readiness package rather than a single document.
Frequently asked questions
What is a POA&M in CMMC?
A Plan of Action and Milestones is the documented, time-bound plan, defined under 32 CFR 170.21, to close security requirements scored NOT MET during a CMMC assessment. It lets an organization reach a Conditional CMMC Status rather than failing, but a requirement on a POA&M is still scored NOT MET until it is closed.
What can go on a CMMC POA&M?
Only requirements worth 1 point under the CMMC Scoring Methodology (32 CFR 170.24). Every 3-point and 5-point requirement must be MET before the assessment. The one exception is SC.L2-3.13.11 (CUI Encryption), which may be deferred at a 3-point cost if encryption is in use but not yet FIPS-validated.
What requirements cannot go on a CMMC POA&M?
Beyond every 3-point and 5-point requirement, 32 CFR 170.21(a)(2)(iii) names six that are barred outright: AC.L2-3.1.20 External Connections, AC.L2-3.1.22 Control Public Information, CA.L2-3.12.4 System Security Plan, PE.L2-3.10.3 Escort Visitors, PE.L2-3.10.4 Physical Access Logs, and PE.L2-3.10.5 Manage Physical Access.
What score do you need to use a POA&M for CMMC Level 2?
At least 88 of 110. Under 32 CFR 170.21(a)(2)(i), your assessment score divided by the total Level 2 requirements must be 0.8 or higher. Since a perfect score is 110, your deductions cannot exceed 22 points, which caps the gaps you can carry.
How long do you have to close a CMMC POA&M?
180 days from the Conditional CMMC Status Date, under 32 CFR 170.21(b). The closure must be confirmed by a POA&M closeout assessment, performed by an authorized or accredited C3PAO for a Level 2 certification. If it is not closed in time, the Conditional CMMC Status expires.
Is a POA&M the same as an Operational Plan of Action?
No. Under the CMMC Final Rule a POA&M is the post-assessment list of NOT MET items subject to the 180-day closeout. The Operational Plan of Action, used in CA.L2-3.12.2, is the ongoing artifact that tracks temporary deficiencies between assessments and carries no 180-day remediation clock.