How to Build a POA&M: Step-by-Step Guide to Developing and Implementing Plans of Action to Fix Vulnerabilities — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CA.L2-3.12.2

Step-by-step guidance for small businesses to create, manage, and implement Plans of Action and Milestones (POA&Ms) to remediate vulnerabilities and meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.

April 15, 2026
4 min read

Plans of Action and Milestones (POA&Ms) are the practical backbone for closing security gaps required by NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 control CA.L2-3.12.2 — they document what is broken, who will fix it, how it will be fixed, and when completion will be verified. For small businesses handling Controlled Unclassified Information (CUI), a usable POA&M turns compliance requirements into executable tasks and measurable risk reduction instead of paper compliance.

What CA.L2-3.12.2 requires and the risk of non‑implementation

Control CA.L2-3.12.2 expects organizations to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities. Practically, that means every identified deficiency that cannot be immediately fixed must have a POA&M entry with an owner, scheduled milestones, resources, and verification steps. Failure to maintain POA&Ms increases the risk of successful compromise (unpatched servers, default credentials, missing MFA), jeopardizes contracts with DoD or prime contractors, and can lead to audit findings, contract penalties, or termination.

Step 1 — Identify, assess and prioritize findings

Start from your authoritative vulnerability and assessment sources: internal assessments mapped to the System Security Plan (SSP), automated vulnerability scans (Nessus, Qualys, OpenVAS), penetration test reports, and audit findings. For each finding capture: vulnerability ID (CVE if applicable), affected asset, CVSS score, business impact (CUI exposure), and whether a compensating control exists. Prioritize using a simple matrix (e.g., High = CVSS ≥7 or direct CUI exposure; Medium = CVSS 4–6.9; Low = <4) so POA&M timelines match risk.

Step 2 — Create clear POA&M entries (fields and an example)

Essential POA&M fields

Each POA&M entry should include at minimum: finding ID, short description, root cause, corrective actions, resources required (staff, budget, tools), owner, start date, targeted completion date, milestones (dev/test/prod), verification steps, residual risk, status, and evidence artifacts (change ticket numbers, screenshots, scan results). Example entry for a small business: Finding=“Legacy VPN appliance missing critical patch (CVE-20XX-YYYY)”; Owner=IT Manager; Corrective action=“Replace appliance with AWS Client VPN, configure TLS 1.2+, migrate users”; Resources=contractor for migration, budget=$6k; Milestones=procure (2w), configure (1w), test (1w), cutover (2w); Verify=external scan no longer detects the CVE, acceptance test results; Target completion=6 weeks.

Step 3 — Assign owners, realistic timelines and resources

For small organizations, realistic timelines should reflect staff capacity: a single-server patch might be a 1–2 week POA&M (including test), while architectural changes (MFA across SaaS + on-prem) may be 60–120 days. Assign an accountable owner (not just “IT”), allocate at least one named implementer, estimate effort in person-hours, and include budget line items. If internal staff lack skills, plan for third‑party support and list procurement milestones. Tie each POA&M to the SSP and the specific NIST/CMMC requirement it remedies so auditors can verify traceability.

Step 4 — Implement fixes, verify results, and document evidence

When executing, follow change control: schedule maintenance windows, take backups, and test in a staging environment where feasible. Technical verification should include automated rescans (Nessus/Qualys), configuration checks (CIS Benchmarks, RHEL DISA STIGs), and functional tests (user authentication flows after MFA). Capture evidence: signed change request, test results, post-remediation scan with timestamps, and screenshots of configuration. Mark the POA&M entry “complete” only after evidence is archived and an independent reviewer validates the fix.

Step 5 — Track, report and continuously update

Maintain POA&Ms in a central tracking system — for very small shops a controlled spreadsheet (with versioning and access controls) can work; better is a GRC or ticketing system (ServiceNow, Jira, Archer, or a dedicated POA&M tool). Review POA&Ms monthly at a management meeting, update status and re-risk as needed, and produce quarterly reports for leadership and contracting officers if required. Ensure the POA&M lifecycle is reflected in your continuous monitoring processes so new findings create new entries or update existing ones.
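The five steps above as one small tracker, added here as an example and not code from the article: it applies the Step 1 matrix, rejects a generic owner, derives a target date from assumed per-priority windows, refuses to close an entry without archived evidence and an independent review, and lists overdue entries for the monthly review. The window lengths, owner names and findings are constructed; the two remediated control IDs are NIST SP 800-171 Rev.2 requirement numbers.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Step 1 matrix from the article: High = CVSS >= 7 or direct CUI exposure, Medium = 4-6.9, Low = < 4.
def priority(cvss: float, cui_exposure: bool) -> str:
    if cvss >= 7.0 or cui_exposure:
        return "High"
    return "Medium" if cvss >= 4.0 else "Low"
TARGET_DAYS = {"High": 14, "Medium": 45, "Low": 90}   # assumed remediation windows; tune to capacity
GENERIC_OWNERS = {"", "it", "tbd", "team"}           # Step 3: owner must be accountable, not "IT"
@dataclass
class PoamEntry:
    finding_id: str
    description: str
    cvss: float
    cui_exposure: bool
    owner: str
    corrective_action: str
    control: str          # NIST/CMMC requirement the fix remedies, for SSP traceability
    start: date
    status: str = "Open"
    evidence: list = field(default_factory=list)  # change tickets, dated scans, screenshots
    independent_review: bool = False
    priority: str = field(init=False)
    target: date = field(init=False)

    def __post_init__(self):
        if self.owner.strip().lower() in GENERIC_OWNERS:
            raise ValueError(f"{self.finding_id}: owner must be accountable, not {self.owner!r}")
        self.priority = priority(self.cvss, self.cui_exposure)
        self.target = self.start + timedelta(days=TARGET_DAYS[self.priority])
    def close(self) -> bool:
        # Step 4: complete only once evidence is archived and independently validated
        if self.evidence and self.independent_review:
            self.status = "Complete"
        return self.status == "Complete"
def overdue(entries: list, today_iso: str) -> list:
    # Step 5 monthly review: ids of open entries past their target date
    today = date.fromisoformat(today_iso)
    return [e.finding_id for e in entries if e.status != "Complete" and today > e.target]
def sample_entries() -> list:
    # Constructed findings (not from the article) to exercise the tracker
    start = date(2026, 4, 15)
    return [
        PoamEntry("F-001", "Legacy VPN appliance missing critical patch", 9.8, True,
                  "IT Manager", "Replace with AWS Client VPN, TLS 1.2+", "SI.L2-3.14.1", start),
        PoamEntry("F-002", "Weak TLS cipher suite on intranet server", 5.3, False,
                  "Sysadmin J. Doe", "Harden ciphers per CIS Benchmark", "SC.L2-3.13.8", start),
    ]
```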

Compliance tips and best practices

Keep POA&Ms pragmatic: set realistic completion dates and prioritize based on impact to CUI. Use compensating controls sparingly and document why they are sufficient until a full remediation is feasible (e.g., network segmentation isolating an unpatchable legacy system). Automate evidence collection where possible (scheduled vulnerability scans that produce dated reports), and retain artifacts for the contract-specified period. Finally, map every POA&M back to the SSP section and to the specific NIST/CMMC control so assessors can validate closure quickly.

Summary — building and running POA&Ms is an operational discipline: identify and prioritize findings, create comprehensive entries with owners and timelines, implement and verify remediation with documented evidence, and continuously track progress. For small businesses aiming to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements, a pragmatic, risk-based POA&M process reduces exposure, supports audits, and demonstrates to customers and primes that you manage vulnerabilities responsibly.