CMMC POA&M Conditional Status 180-Day Closeout DFARS 252.204-7021 // 7 MIN READ

CMMC POA&Ms

What Can Be Deferred, the 180-Day Closeout Rule, and Conditional Status

A CMMC POA&M is not a general deferral mechanism. It is a narrowly defined, time-limited instrument — allowing only organizations with minor, eligible deficiencies to achieve provisional certification while remediating under a strict 180-day countdown.

Under DFARS 252.204-7021, a POA&M "identifies tasks to be accomplished, details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates." In CMMC, that means a documented remediation commitment — not a wishlist, not a workaround, and not a substitute for genuine compliance.

POA&Ms are not a safety net. They are a precisely bounded instrument for minor deficiencies in organizations that are otherwise substantially compliant. Two gates must be cleared before a single item can be deferred.

Quick-Reference: The POA&M If/Then Rules

ConditionResult
IF → Organization scores below 88/110Assessment fails — no POA&M, no Conditional Status
IF → Any 5-point control is NOT METCannot use POA&M — assessment fails on that control
IF → Score ≥ 88/110 and all failures are eligible controlsConditional CMMC Status granted — 180-day clock starts
IF → Conditional Status is grantedPOA&M closeout assessment must be completed within 180 days
IF → Closeout assessment passes within 180 daysStatus upgrades to Final CMMC — valid for 3 years
IF → Closeout is not completed within 180 daysConditional Status expires — must restart full assessment

The Two Eligibility Gates

Two conditions must both be met before any POA&M is possible:

Gate 1 — Score Threshold

Minimum SPRS Score: 88 of 110

Below that threshold, there is no Conditional Status and no POA&M — only a failed assessment. This is approximately 80% of the total possible score.

Gate 2 — 5-Point Controls

All 5-Point Controls Must Be Fully Implemented

FIPS cryptography, MFA, access control enforcement. A 5-point failure cannot be deferred. It disqualifies the entire assessment.

Step 01Does the organization meet the minimum SPRS score? (88 of 110 controls)
YES ✓ — Proceed to Step 2
Score is at or above the 88-point threshold. Five-point controls must still all be confirmed implemented.
NO ✗ — Assessment Fails
No POA&M. No Conditional Status. Remediate and reschedule the full assessment.
Step 02Is the failed control a 5-point critical control?
YES ✗ — Cannot Defer
Assessment fails on this control. Must be fully remediated before re-assessment.
NO ✓ — Proceed to Step 3
Not a 5-point control. Continue evaluating eligibility.
Step 03Is the control on the list of non-deferrable 1-point CUI controls?
YES ✗ — Cannot Defer
This specific 1-point control must be fully implemented. No POA&M eligible.
NO ✓ — POA&M Accepted
Conditional CMMC Status granted. 180-day clock starts from this date.
⏱ Conditional Status — 180-Day Countdown Begins

The interim certificate is issued. CMMC UID recorded in SPRS. Every deferred item must be closed and verified before Day 180 — no exceptions.

What Can and Cannot Go on a CMMC POA&M

Control / Practice TypeWeightPOA&M?Notes
Any 5-point control (FIPS encryption, MFA, access control enforcement) 5 pts NO Must be fully implemented before the assessment begins. A 5-point failure disqualifies the assessment.
Select 3-point controls — partially implemented 3 pts LIMITED Only if partially implemented (not fully absent). Assessors evaluate whether "partially implemented" genuinely applies.
Most 1-point controls — minor configuration gaps 1 pt YES* Eligible if score ≥ 88/110. Specific excluded 1-point CUI controls are not eligible regardless of weight.
Excluded 1-point CUI controls (DoD-specified list) 1 pt NO Even though weighted at 1 point, certain controls are explicitly excluded from POA&M deferral by DoD.
Any control that produces a score below 88/110 Varies NO Even eligible control types cannot be POA&M'd if the total score drops below the minimum threshold.

* "YES" means the control type is eligible — not that any specific failure is automatically POA&M-able. Assessors evaluate each failure individually.

The 180-Day Closeout Rule — Absolute and Unforgiving

Once Conditional Status is granted, a 180-day clock starts from the Conditional CMMC Status Date. The POA&M closeout assessment must be completed and every item verified closed within that window. There are no extensions, no partial-close provisions, and no exceptions.

If the 180-day deadline passes with any POA&M item still open, Conditional Status expires. The CMMC UID in SPRS no longer reflects a compliant status. The organization must restart the full assessment process.

Day 0
Initial Assessment
C3PAO submits results. Interim certificate issued. CMMC UID recorded in SPRS. 180-day clock begins. All POA&M items formally documented.
Days 1–150
Remediation Phase
Work the plan. Fix eligible deficiencies — policy updates, configuration adjustments. Do not call the C3PAO back until every item is verified closed. Buffer time is not optional.
Day ~160
Closeout Assessment
Engage C3PAO only when all items are verified closed. Assessor evaluates POA&M items only. Any open item restarts the remediation clock while Day 180 continues approaching.
Day 180
The Deadline
All items must be verified closed. No extensions. No partial credit. Two possible outcomes:
✓ All Items Closed — Clean POA&M uploaded to eMASS. Cyber AB notified. Status upgrades to Final CMMC. 3-year certification clock begins.
OR
✗ Items Remain Open — Conditional Status expires. Certificate null and void. No extensions. Full assessment restart required.
The 180-day clock runs from the Conditional CMMC Status Date — not from the day you finish remediation or the day the C3PAO schedules the closeout visit.

Closeout Planning Essentials

  • 01Know your score before assessment day. Internal pre-assessment reviews should classify every gap: must fix now (5-point / excluded), eligible for POA&M, or already implemented.
  • 02Reserve POA&M for small, fast, certain fixes. Policy updates and configuration adjustments are appropriate. Network re-architecture and vendor replacements are not.
  • 03Schedule the closeout assessment with buffer time. Complete remediation by day 140–150. Book the C3PAO for day 155–165. Leave margin for evidence questions.
  • 04Do not call the C3PAO back until all items are verified closed. Any item found open during the closeout visit restarts the remediation clock while the 180-day deadline continues running.
  • 05The eMASS update is the finish line. When the assessor uploads a clean POA&M to eMASS, the Cyber AB is notified and Final CMMC Status is confirmed. Your 3-year certification clock begins.

Frequently Asked Questions

What is a POA&M in CMMC?
A Plan of Action and Milestones (POA&M) is a formal document identifying specific deficiencies, the actions required to remediate them, resources needed, milestones, and scheduled completion dates. In CMMC, it is the instrument that enables Conditional Status for eligible minor deficiencies.
What is Conditional CMMC Status?
Conditional CMMC Status is a temporary certification issued when an organization meets the score threshold (88/110) and all 5-point controls, but has minor deferred items on an active POA&M. It is valid only during the 180-day remediation window.
What is a POA&M closeout assessment?
A targeted re-assessment by a C3PAO that evaluates only the deferred POA&M items. It must be completed within 180 days of the Conditional CMMC Status Date. All items must be verified closed for the status to upgrade to Final.
Is the 180-day deadline strict?
Yes — it is absolute. The 180-day window runs from the Conditional CMMC Status Date. There are no extensions, no grace periods, and no partial-close provisions.
What happens if you do not close the POA&M in 180 days?
Conditional Status expires. The CMMC UID in SPRS no longer reflects a compliant status. The organization must restart the full C3PAO assessment process from the beginning.
Can a different C3PAO conduct the closeout assessment?
Yes. While using the original C3PAO is operationally simpler, a different accredited C3PAO may conduct the POA&M closeout assessment.

The Bottom Line

Know your score before assessment day. Implement all 5-point controls before the assessor arrives. Reserve the POA&M for minor, genuinely closeable items. Schedule the closeout with buffer. Verify every item is closed before calling the C3PAO back.

Follow that sequence and the 180-day window is a reasonable runway. Ignore it — or mistake the POA&M for a general deferral mechanism — and it becomes a countdown to a failed certification and a full assessment restart.

Related Articles

The CMMC Assessment Process (CAP): Phases and OutputseMASS vs SPRS: What Gets Submitted WhereCMMC Attestation Risk: False Claims ExposureCMMC Scoring: Met vs Not Met and Assessment ObjectivesCMMC Readiness Review: What to Finish Before Hiring a C3PAO