CMMC

POA&M (federal context)

Plan of Action and Milestones, the formal document tracking each unimplemented or partially implemented security control, the planned remediation, the responsible owner, and the closure date. Under CMMC 2.0, POA&M closure is permitted only for a limited subset of NIST SP 800-171 controls scoring 1 point and only if at least 88 of 110 points are achieved, with all POA&M items closed within 180 days of conditional certification.
