
POA&M for NIST 800-171, anatomy of a defensible plan of action

What a Plan of Action and Milestones actually contains, why assessors read it before the System Security Plan and how to build one that holds up under prime contractor and DoD review.

Jake Schaaf, Founder of Atticus Rowan

A prime contractor’s compliance team usually reads the Plan of Action and Milestones before reading the System Security Plan. The SSP describes the program in narrative; the POA&M describes the gaps the program has not yet closed. When the gap inventory is candid, specific and clearly owned, the SSP that follows carries more weight. When the POA&M is vague or perpetually slipping, the SSP looks aspirational regardless of how well-written it is.

This post covers what a defensible POA&M contains, the failure modes that get programs flagged in prime review and how to build one that holds up.

What a POA&M actually is

A Plan of Action and Milestones is the document tracking every NIST 800-171 control that is not fully implemented, with the remediation plan for each. The NIST 800-171 program treats the POA&M as a peer document to the SSP, not an appendix. The two together describe the program: the SSP for what is in place, the POA&M for what is in flight.

POA&M obligations show up explicitly in:

  • The DoD Assessment Methodology, which requires that any control not contributing the full point value be recorded in a POA&M with a target completion date.
  • DFARS 252.204-7012 and 7019, which reference the System Security Plan and the POA&M together as the documentation set the contractor maintains.
  • CMMC Level 2 assessment guidance, which permits a limited number of POA&M items to be open at assessment time with hard completion deadlines.

Outside the DoD specifically, federal civilian agencies that flow down NIST 800-171 through agency-specific clauses generally inherit the same POA&M expectation. The artifact is universal.

The anatomy of a single POA&M entry

A defensible entry contains, at minimum, these fields:

  • Control identifier: the NIST 800-171 control reference (for example, 3.1.5 or AC.L2-3.1.5 for CMMC alignment).
  • Finding statement: a specific description of the current state. Not “weak” or “needs improvement”. What is actually deficient and where.
  • Remediation action: the concrete work that will close the finding. Generic language (“implement controls”) is a failure pattern.
  • Owner: a single named individual. Role-only owners (“IT”) rarely produce closed items.
  • Milestone dates: at least one intermediate milestone and a final completion date. Both are real dates, not quarter labels.
  • Resource estimate: tool spend, hours, external assessor time. Helps prioritization and produces an honest budget conversation.
  • Dependencies: other POA&M items that must close first.
  • Status: open, in-progress with milestone date, closed with evidence reference.
  • Evidence on close: the document, configuration, screenshot or log sample that proves the control is operating. Stored centrally; referenced from the closed POA&M entry.

A POA&M without these fields is a list of intentions. A POA&M with these fields is a document a reviewer can actually use.

Common failure modes

Three patterns produce most prime-contractor and assessor concerns:

Perpetual extensions. A milestone slips by two months. The next review slips it again. The next review slips it again. After 18 months the same finding has been open with rolling milestones the whole time. Reviewers read this as: the firm does not actually intend to close this finding. The defensible alternative when a milestone slips is to update the entry with the reason for the slip and a re-estimated completion date that the team intends to honor.

Vague language. “Improve access control” is not a remediation action. “Implement role-based access on the CAD repository with documented role-to-permission mapping reviewed quarterly” is. The specificity is the point: the entry should be specific enough that any subsequent staff member could pick up the work without context.

Role-only ownership. “IT” or “Security” or “the MSP” are not POA&M owners. The named individual who will close the item by the milestone date is the owner. When ownership rotates, the entry updates. When the named owner has too many items to credibly close, that is a resource constraint to surface, not to paper over with role labels.

A fourth pattern, less common but worth flagging: POA&Ms that never close. Programs go through phases where items genuinely take longer than expected. But over 12 months, a healthy POA&M should show a mix of closed items, in-progress items and new findings surfaced by ongoing assessment. A POA&M that never moves is a POA&M nobody is working.

How to build the initial POA&M

The starting point is the gap assessment from the boundary scoping work. Every control in NIST 800-171 falls into one of four states for the assessed environment:

  • Fully implemented. Document the implementation in the SSP. No POA&M entry.
  • Partially implemented. POA&M entry covering the gap with milestone to full implementation.
  • Not implemented. POA&M entry covering the build from zero.
  • Not applicable. Document the justification in the SSP. No POA&M entry.

For a firm starting from a -50 SPRS score, the initial POA&M typically lands at 25-40 entries. That is a workable number. Programs with 100+ POA&M entries are usually conflating sub-tasks with findings; consolidate to one entry per control with the sub-tasks as milestones within the entry.

Sequencing matters as much as the entries themselves. The first items to schedule should be the controls that block other items. Centralized logging (AU family) is a prerequisite for the audit-review obligations in several other families. MFA enforcement (IA family) is a prerequisite for some Access Control items. The System Security Plan itself is a prerequisite for the Security Assessment family. Open these foundational items in the first 30 days even if completion is later.
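As an added illustration of the entry fields listed above, the three failure modes and the dependency-first sequencing, here is a small Python linter and scheduler over constructed POA&M entries. It is example code written for this post, not a tool from Atticus Rowan, the DoD or NIST. The field names, the generic-phrase and role-only word lists, the slip threshold and the sample entries are all assumptions; the scheduler orders any dependency graph, not only the AU, IA and SSP prerequisites named in the text.

```python
"""Lint POA&M entries for the anatomy and failure modes described above and
order the open ones so blocking items come first.  Added example; all entry
data below is constructed and does not describe any real program."""
from dataclasses import dataclass, field
from datetime import date
from graphlib import TopologicalSorter

# Phrases that mark a remediation action as generic (constructed list).
GENERIC_ACTIONS = ("implement controls", "improve", "enhance", "remediate")
# Owners that are roles, not people (constructed list).
ROLE_ONLY_OWNERS = {"it", "security", "the msp", "msp", "tbd"}


@dataclass
class Entry:
    control: str                 # NIST 800-171 reference, e.g. "3.1.5"
    finding: str                 # specific description of the current state
    action: str                  # concrete remediation work
    owner: str                   # a single named individual
    milestones: list[str]        # ISO dates: intermediate milestone(s), then final
    status: str = "open"         # open | in-progress | closed
    evidence: str = ""           # reference to proof; required when closed
    depends_on: list[str] = field(default_factory=list)  # controls that close first
    slips: int = 0               # how many times the final date has been pushed out


def lint(e: Entry, max_slips: int = 2) -> list[str]:
    """Return the ways one entry falls short; an empty list means it is defensible."""
    problems: list[str] = []
    if len(e.finding.split()) < 6:
        problems.append("finding is not specific")
    if any(g in e.action.lower() for g in GENERIC_ACTIONS) or len(e.action.split()) < 6:
        problems.append("remediation action is generic")
    if e.owner.strip().lower() in ROLE_ONLY_OWNERS or len(e.owner.split()) < 2:
        problems.append("owner is a role, not a named individual")
    dates: list[date] = []
    for m in e.milestones:
        try:
            dates.append(date.fromisoformat(m))   # quarter labels fail here
        except ValueError:
            problems.append(f"milestone '{m}' is not a real date")
    if len(dates) < 2:
        problems.append("needs an intermediate milestone and a final date")
    elif dates != sorted(dates):
        problems.append("milestones are out of order")
    if e.status == "closed" and not e.evidence:
        problems.append("closed without evidence reference")
    if e.slips > max_slips:
        problems.append(f"final date slipped {e.slips} times (perpetual extension)")
    return problems


def report(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each control identifier to its lint problems."""
    return {e.control: lint(e) for e in entries}


def schedule(entries: list[Entry]) -> list[str]:
    """Order open entries so every entry follows the open entries it depends on.
    Dependencies on closed entries are satisfied and dropped; a dependency on an
    unknown control raises ValueError; a cycle raises graphlib.CycleError."""
    known = {e.control for e in entries}
    open_by_control = {e.control: e for e in entries if e.status != "closed"}
    graph: dict[str, set[str]] = {}
    for control, e in open_by_control.items():
        unknown = set(e.depends_on) - known
        if unknown:
            raise ValueError(f"{control} depends on unknown entries: {sorted(unknown)}")
        graph[control] = {d for d in e.depends_on if d in open_by_control}
    return list(TopologicalSorter(graph).static_order())


# Constructed sample: two sound entries, one with every failure mode, one closed.
SAMPLE = [
    Entry("3.3.1",
          "Audit logs from the CAD file server and VPN concentrator are stored only "
          "locally and rotate after 7 days; there is no central collection.",
          "Forward file-server and VPN logs to the central SIEM collector and set "
          "90-day retention on the collector.",
          "Dana Ortiz", ["2025-03-15", "2025-04-30"], status="in-progress"),
    Entry("3.3.3", "Audit records are not reviewed on any schedule by anyone.",
          "Stand up a weekly audit-review checklist run by the security lead and "
          "recorded in the ticketing system.",
          "Dana Ortiz", ["2025-05-15", "2025-06-15"], depends_on=["3.3.1"]),
    Entry("3.1.5", "Engineers share one administrator account on the CAD repository.",
          "Improve access control", "IT", ["Q3 2025"], slips=4),
    Entry("3.5.3", "MFA is enforced on the VPN but not on the CAD repository web login.",
          "Enable MFA on the CAD repository through the identity provider and "
          "disable local password login.",
          "Lee Park", ["2025-02-01", "2025-02-28"], status="closed",
          evidence="evidence/3.5.3-idp-policy.png"),
]

if __name__ == "__main__":
    for control, problems in report(SAMPLE).items():
        print(control, "OK" if not problems else "; ".join(problems))
    print("work order:", schedule(SAMPLE))
```

Run as a script it prints one line per entry and the dependency-respecting work order; the 3.1.5 entry trips every check at once (generic action, role owner, quarter label instead of a date, no intermediate milestone, four slips), which is the shape reviewers flag. The word-count and phrase-list heuristics are deliberately crude; the point is that each field in the anatomy above is checkable, so a monthly review can start from a machine-produced list of weak entries rather than from a read-through.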

The maintenance cadence

A POA&M is a living document, not a one-time deliverable. The minimum cadence:

  • Monthly review with named owners. Status updates on each open entry. Closed items move with their evidence references. New findings from ongoing assessment land as new entries.
  • Quarterly re-baseline against the current SSP. If the environment has changed (new system, new SaaS, expanded boundary), the POA&M reflects the new scope.
  • Annual full assessment producing a refreshed gap list. Some items closed in the prior year may have regressed; surface them.
  • Re-submit the SPRS score when meaningful changes land, not on a calendar. A POA&M with significant closure since last submission usually warrants a new score.

Programs that treat the POA&M as a once-a-year artifact build documentation drift. Programs that treat it as a monthly operational artifact stay defensible.

The reviewer’s lens

When a prime contractor’s compliance team or a CMMC assessor opens a POA&M, they are looking for three things:

  1. Coverage: every gap from the SSP shows up here, with no obvious omissions.
  2. Specificity: each entry is concrete enough to be acted on without additional context.
  3. Momentum: the document shows closure over time, and when a milestone slips, the slip is explained and re-dated rather than silently rolled forward.

A POA&M that looks like a working document with closed items, dated milestones and named owners reads well. A POA&M that looks like a template populated once and never touched reads poorly. The presentation effort is small; the underlying discipline is what shows through.

Where this fits

The POA&M is the connective tissue between the gap assessment, the SSP, the SPRS score and the eventual CMMC assessment if applicable. Our SPRS score post covers the scoring methodology that the POA&M supports. Our NIST 800-171 Readiness Guide walks through the full program the POA&M sits inside.

Atticus Rowan applies NIST 800-171 as a control reference and builds the POA&M as the operational document driving the readiness work. We do not perform formal CMMC certification assessments; when a client needs one, we coordinate with a certified C3PAO. The POA&M we build is the document the assessor reads first.

If your firm has a POA&M that has not been touched in the last 90 days, or has never built one and the prime is asking, schedule a discovery call. We can audit what exists and produce the document the next reviewer will actually be able to use.