Why Do You Need A POAM After Performing A Gap Analysis?
Cybersecurity | Compliance | Information Security | CMMC 2.0
Although performing a gap analysis is crucial to meet Cybersecurity Maturity Model Certification (CMMC 2.0) requirements, it is not the only essential requirement before your formal assessment. Another, perhaps equally important part of the compliance process is developing a plan of action and milestones.
Commonly referred to as either a POAM or POA&M, this document spells out exactly how and when you plan to fix the security defects found during your gap analysis. It also identifies the personnel responsible for correcting the security vulnerability.
Without a POAM, your compliance process would grind to an abrupt halt since it essentially forms the basis for your targeted compliance efforts and ultimately, your CMMC assessment.
In this article, we’ll discuss which companies within the Defense Industrial Base (DIB) are required to create a POAM to meet CMMC 2.0 compliance. We’ll also provide best practice guidelines for what to include in a POAM.
With this information, you’ll have a better understanding of what a POAM is and how establishing one is a critical step in your compliance journey that cannot be overlooked.
What Is A POAM?
A POAM is a written document that lays out your strategy to fix identified security flaws to safeguard the controlled unclassified information (CUI) within your environment.
Although the attributes listed in a POAM can vary, common components include:
- the control number, title, and description
- the CMMC level at which the security control is required
- the date the defect was first discovered
- the type of defect (administrative or technical)
- a point value for each defect
- the staff member responsible for remediating the defect
- an estimated time frame to fix each defect
It’s important to keep in mind that a POAM does not apply across the board to all DIB organizations.
The requirement applies only to contractors that need CMMC Level 2 or Level 3 certification and store, process, or transmit CUI in the course of carrying out their contracts, or that are subcontractors receiving CUI flow-down from their primes.
To be clear, the POAM requirement applies to all Level 2 businesses, regardless of whether they need to undergo a self-assessment or an independent, third-party audit (unless, of course, the company has zero defects—a rarity).
POAMs are not allowed for CMMC 2.0 Level 1 businesses because Level 1 organizations are expected to put in place foundational security controls aligned with the Federal Acquisition Regulation (FAR) clause 52.204-21.
In addition, Level 2 and Level 3 businesses are only allowed to include non-critical security requirements in their POAMs. Failure to correct critical security requirements will result in an automatic audit failure, and no outstanding Level 1 security flaws are permitted.
How Do POAMs Work In The CMMC Certification Process?
After the gap analysis is performed, a final report on the findings will likely be a lengthy document full of technical language. Most SMBs will likely be uncertain how to properly digest the information or know what steps to take next.
A POAM helps break down the gap analysis, allowing organizations to turn those security flaws into actionable priorities.
Each identified security defect is scored on a point system for Level 2 assessments, based on the 110 security requirements of NIST SP 800-171. The maximum score is 110, indicating that all security requirements were met; points are deducted for each unmet requirement.
Businesses can submit their Supplier Performance Risk System (SPRS) score after completing a preliminary, internal self-assessment to get a baseline for their current security posture against the needed CMMC cybersecurity controls.
During the official audit, however, Level 2 and Level 3 primes and their subcontractors must achieve a CMMC audit score of 88 or higher (at least 80 percent of the 110 NIST 800-171 security requirements) in order to become CMMC certified.
What Are The Two Types Of POAMs?
It’s important to understand the two kinds of POAMs, the gap analysis POAM and the CMMC/C3PAO POAM, and the differences between them.
Broadly speaking, if a POAM is generated before a C3PAO assessment, it’s mainly used to help meet compliance with all 110 requirements. If it’s generated after obtaining a Level 2 or Level 3 certification, it is used to help maintain compliance.
Gap Analysis POAM
Essentially, a gap analysis POAM done before the formal audit is used to gauge your current compliance status to get a clear picture of where your security measures fall short of the CMMC 2.0 standards.
It gives you time to implement the right cybersecurity controls to satisfy those requirements, with no specific deadline to do so.
Perhaps most importantly, a gap analysis POAM promotes accountability among key stakeholders within your organization for fixing any remaining defects.
Without direct ownership, most organizations don’t know what specific changes will need to be made to satisfy CMMC compliance, but the POAM makes that clear. Organizations can assign an internal team member who will be responsible for fixing specific defects and reporting back on how and when the issues were resolved.
In this way, the gap analysis POAM becomes a document that can be used throughout your organization, from company executives who may need to make a personnel change to ensure proper CUI protection, to low-tier engineers who may need to make a technical change to satisfy a requirement.
While this type of POAM would mainly be used internally among your team, it can also be used during your formal C3PAO audit as evidence that your organization performs regular self-assessments for ongoing compliance.
Remember, organizations at all three CMMC levels must annually self-attest to continued CMMC compliance (during the years when a formal assessment is not performed for levels 2 and 3).
C3PAO POAM
This type of POAM is generated during your official CMMC audit by the C3PAO your Level 2 organization hires to conduct it. Its findings determine whether or not you get certified.
Level 3 organizations, which handle highly sensitive CUI related to national security and infrastructure, must first meet Level 2 compliance, including undergoing a C3PAO audit. They must also get audited by federal assessors through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
A C3PAO POAM sets certain parameters and restrictions, including the type of security flaws that can and cannot be included in it.
If only allowable security flaws are identified in the POAM during the C3PAO audit, your organization is awarded a conditional certification provided you meet at least 80 percent compliance (a score of 88 or higher).
Then, you must create a closeout POAM listing the defects and disclosing when and how you plan to close those security gaps within a 180-day window.
Conditional certification allows you to keep your existing contracts while you correct the security vulnerabilities. Contractors and subcontractors must schedule a closeout POAM and get re-assessed on those specific defects within that six-month period.
It’s important to know that if an organization doesn’t fix all of the security defects listed in the closeout POAM within the required time period, then the conditional certification would expire.
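To make the rules above concrete, here is a small POAM tracker written as an added example for this article; it is not Kelser's tool, not a C3PAO artifact, and not an official SPRS calculator. It models the POAM attributes listed earlier, the 110-point scoring rule, the 88-point threshold for a conditional certification, the exclusion of critical and Level 1 defects from a C3PAO POAM, and the 180-day closeout window. Assumptions: each open defect deducts the `points` value the assessor enters (the article gives no per-requirement weights, so the sample rows use 1 point each), the `critical` flag is supplied by the assessor since the article does not define which requirements are critical, and the sample rows are constructed for illustration.

```python
"""Minimal POAM tracker modelling the CMMC rules described in the article.

Added example only. Scoring follows the article's simplified description
(110 possible points, points deducted for each unmet requirement); the
per-item point value is a field the assessor fills in.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

TOTAL_POINTS = 110            # 110 NIST SP 800-171 requirements, maximum score 110
CONDITIONAL_THRESHOLD = 88    # score needed for a conditional certification (80 percent of 110)
CLOSEOUT_WINDOW_DAYS = 180    # window to close out remaining defects after a conditional award


@dataclass
class PoamItem:
    """One POAM row, carrying the attributes the article lists as common components."""
    control_id: str            # control number, e.g. "3.1.1"
    title: str
    description: str
    cmmc_level: int            # CMMC level at which the control is required
    discovered: date           # date the gap analysis first found the defect
    defect_type: str           # "administrative" or "technical"
    points: int                # point value deducted while the defect stays open
    owner: str                 # staff member responsible for remediation
    target_days: int           # estimated time frame to fix, in days
    critical: bool = False     # assumption: assessor-supplied flag (article does not define "critical")
    closed: Optional[date] = None

    def is_open(self) -> bool:
        return self.closed is None


def mark_closed(item: PoamItem, on: date) -> PoamItem:
    """Return a copy of the row recorded as remediated on the given date."""
    return replace(item, closed=on)


def current_score(items: list[PoamItem]) -> int:
    """110 minus the points of every defect still open; all other requirements are assumed met."""
    return TOTAL_POINTS - sum(i.points for i in items if i.is_open())


def disallowed_items(items: list[PoamItem]) -> list[PoamItem]:
    """Open defects a C3PAO POAM may not carry: critical requirements and any Level 1 requirement."""
    return [i for i in items if i.is_open() and (i.critical or i.cmmc_level == 1)]


def remediation_order(items: list[PoamItem]) -> list[PoamItem]:
    """Turn the open rows into a priority list: highest point value first, then quickest fix."""
    return sorted((i for i in items if i.is_open()), key=lambda i: (-i.points, i.target_days))


def assessment_outcome(items: list[PoamItem], assessed_on: date) -> dict:
    """Apply the article's rules to the defects still open at the C3PAO assessment."""
    score = current_score(items)
    if not any(i.is_open() for i in items):
        status, deadline = "certified", None
    elif disallowed_items(items) or score < CONDITIONAL_THRESHOLD:
        status, deadline = "failed", None
    else:
        status = "conditional"
        deadline = assessed_on + timedelta(days=CLOSEOUT_WINDOW_DAYS)
    return {"score": score, "status": status, "closeout_deadline": deadline}


def closeout_status(items: list[PoamItem], assessed_on: date, today: date) -> str:
    """After a conditional award: 'closed' if every defect was fixed by the deadline,
    'expired' if the window has passed (or a fix landed after it), otherwise 'open'."""
    deadline = assessed_on + timedelta(days=CLOSEOUT_WINDOW_DAYS)
    unresolved = [i for i in items if i.is_open() or i.closed > deadline]
    if not unresolved:
        return "closed"
    if today > deadline or any(not i.is_open() for i in unresolved):
        return "expired"
    return "open"


# Constructed sample rows for illustration; not from any real assessment.
SAMPLE_ITEMS = [
    PoamItem("3.1.1", "Limit system access", "No documented list of authorized users", 2,
             date(2025, 1, 15), "administrative", 1, "J. Doe (IT manager)", 30),
    PoamItem("3.5.3", "Multifactor authentication", "MFA not enforced for privileged accounts", 2,
             date(2025, 1, 15), "technical", 1, "A. Smith (sysadmin)", 60),
    PoamItem("3.14.1", "Flaw remediation", "No documented patch cadence for CUI servers", 2,
             date(2025, 1, 15), "technical", 1, "A. Smith (sysadmin)", 45),
]

if __name__ == "__main__":
    outcome = assessment_outcome(SAMPLE_ITEMS, date(2025, 3, 1))
    print(f"score={outcome['score']} status={outcome['status']} deadline={outcome['closeout_deadline']}")
    for row in remediation_order(SAMPLE_ITEMS):
        print(f"  {row.control_id:8} {row.owner:22} due in {row.target_days} days")
```

Running it on the sample rows reports a score of 107, a conditional certification, and a closeout deadline of 2025-08-28; adding a Level 1 or critical row to the list flips the outcome to failed, which is the check an organization should run against its own gap analysis before scheduling the C3PAO assessment.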
This could lead to the loss of current contracts or disqualification from being eligible to bid on future contracts.
It also means that organizations in this position would have to start the certification process all over again—costing additional time and money.
The Bottom Line: POAMs Are Critical To Becoming CMMC Compliant
Language for the CMMC 2.0 Final Rule has already started appearing in certain high-priority contracts.
The adoption of the final 48 CFR rule, anticipated by November 2025, would mandate that language for the CMMC 2.0 requirements be included in DoD contracts and solicitations moving forward.
A POAM provides a clear roadmap toward meeting compliance. Without it, you will not be able to become CMMC certified.
Now that you’ve read this article, you have a better idea of how a POAM fits into the CMMC compliance process and why it’s essential to becoming CMMC certified.
Only you can decide if you have the internal resources you need to independently develop a POAM following your gap analysis. Our experience has shown that companies that are successful at developing a POAM using internal staff typically have the following characteristics:
- a large enough internal IT team to allow several team members to pull away for an extended period to hyper-focus on the POAM without impacting your internal IT operations and support
- in-house certified cybersecurity experts with prior cybersecurity compliance experience
If your company doesn’t fit the above criteria, working with an outside consultant may offer advantages by avoiding common mistakes that could compound the time and cost involved in reaching compliance.
If you decide to explore options for external IT support, we encourage you to compare several providers so that you find one that is the right fit for your organization.
While there is a commitment of time, energy, and resources involved in using an external IT services provider to create your POAM, the value added is immeasurable. Your organization will have a clear plan of action to move forward with confidence in your compliance journey.
This can ensure that you can get compliant, retain your good standing with the DoD, and be positioned to win more contracts.
Kelser has helped businesses like yours become compliant with a number of standards and frameworks over the years, including NIST, CMMC, and HIPAA. Our experienced staff can offer expert guidance to help you navigate the complex compliance process.