PlainAudit

CMMC POA&M Rules: Which Controls Qualify, the 180-Day Window, and the 88-Point Minimum

The C3PAO finds 12 gaps, your SPRS score lands at 92, and the assessor hands you a Conditional CMMC Status with a 180-day clock. Which of those 12 gaps can ride on a POA&M and which must close before the assessor leaves the building? Most contractors learn the answer the wrong way — by submitting a POA&M that includes a 5-point control and getting a Not Certified result on day 181. This post walks the eligibility rules, the SPRS math that determines whether you qualify for Conditional Status at all, and the narrow encryption exception that catches the most assessors off guard.

Quick read: Only 1-point requirements qualify for a POA&M, with one narrow exception for unvalidated FIPS encryption (SC.L2-3.13.11). Your overall SPRS score must be at least 88 of 110 to get Conditional Status in the first place. All POA&M items must close within 180 days of the Conditional CMMC Status Date, not the assessment date, or the conditional certification expires.

The Three Gates POA&Ms Have to Pass

POA&M eligibility is governed by 32 CFR Part 170 (the CMMC final rule) and the DoD CMMC Assessment Guide for Level 2. Three conditions all have to be true for a finding to be POA&M-eligible:

  1. Point value of 1. Under the NIST SP 800-171 Rev 2 scoring methodology used by the DoD, each unimplemented requirement deducts 1, 3, or 5 points based on security impact. Only 1-point findings (limited or indirect impact) qualify. 3-point and 5-point findings must be MET at assessment.
  2. Overall score at least 88 of 110. If your aggregate SPRS deductions push you below 88, you receive a Not Certified result regardless of which controls are open. The POA&M pathway only exists for scores between 88 and 109.
  3. The finding isn’t on the no-defer list. Even some 1-point findings are excluded by policy — multi-factor authentication and core audit logging are the two assessors flag most often as live-or-fail.

What “1-Point” Means in Practice

The point value of every requirement is fixed in the NIST 800-171 DoD Assessment Methodology. You don’t negotiate it with the C3PAO; they look it up. A few representative 1-point findings that legitimately qualify for a POA&M when your score is at or above 88:

  • AC.L2-3.1.10 — session lock after a defined period of inactivity (1 point)
  • AT.L2-3.2.3 — insider threat awareness training (1 point)
  • AU.L2-3.3.7 — time synchronization across audit log sources (1 point)
  • CM.L2-3.4.6 — least functionality (1 point)
  • MA.L2-3.7.3 — sanitize equipment before off-site maintenance (1 point)

Compare that to the 5-point findings that consistently disqualify a POA&M: AC.L2-3.1.1 (authorized access control), AC.L2-3.1.20 (external connections), IA.L2-3.5.3 (MFA for privileged accounts and CUI access), SC.L2-3.13.1 (boundary protection), and SI.L2-3.14.1 (flaw remediation). If any of those is NOT MET at assessment, the POA&M door is closed for that finding.

The FIPS Encryption Exception

There is one published exception worth knowing because it catches contractors who deployed encryption but didn’t verify the cryptographic module. SC.L2-3.13.11 requires FIPS-validated cryptography for protecting CUI confidentiality. If you have encryption in place but the module is not on the NIST CMVP validated list, the assessor can mark this finding POA&M-eligible even though it’s a 3-point control — provided encryption itself is operating. Encryption that doesn’t exist at all is not POA&M-eligible; only the validation gap is.

In practice, this exception is narrower than it reads. The assessor has to determine the encryption is actually deployed and functional — not just specified in the SSP. If your SSP names a product but the assessor’s Test phase shows it isn’t enabled on the CUI repositories, that’s a different finding (missing encryption) and the exception doesn’t apply.

Worked Example: Translating 12 Gaps Into a POA&M Decision

Suppose your C3PAO finds the following 12 unmet requirements:

Requirement                                                        Points   POA&M-eligible?
AC.L2-3.1.10 (session lock)                                           1     Yes
AC.L2-3.1.20 (external connections)                                   5     No (5 points)
AT.L2-3.2.3 (insider threat training)                                 1     Yes
AU.L2-3.3.7 (time sync)                                               1     Yes
AU.L2-3.3.8 (log protection)                                          1     Yes
CM.L2-3.4.6 (least functionality)                                     1     Yes
IA.L2-3.5.7 (password complexity)                                     1     Yes
MA.L2-3.7.3 (equipment sanitization)                                  1     Yes
MP.L2-3.8.5 (CUI media transport)                                     3     No (3 points)
PE.L2-3.10.6 (alternate work sites)                                   1     Yes
RA.L2-3.11.2 (vulnerability scanning)                                 1     Yes
SC.L2-3.13.11 (FIPS-validated crypto, in place but not validated)     3     Yes (FIPS exception)

The point deductions: nine 1-point findings (-9), two 3-point findings (-6 total, MP.L2-3.8.5 and SC.L2-3.13.11), and one 5-point finding (-5). The SC.L2-3.13.11 deduction counts toward your SPRS score even though the FIPS exception makes the finding POA&M-eligible; the exception controls eligibility, not score impact. Total deduction = 20. Your SPRS score = 110 - 20 = 90. Since 90 is at or above 88, you qualify for Conditional Status.

But you can only POA&M the 10 findings marked Yes above. The two NOT-eligible findings (AC.L2-3.1.20 at 5 points and MP.L2-3.8.5 at 3 points) must be remediated before the assessor finalizes the report — or the assessment fails outright. Many C3PAOs allow a brief remediation window during the assessment for findings the contractor can fix on the spot; that window is at the assessor’s discretion, not a right.
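The three gates and the FIPS exception are mechanical enough to script. The block below is an added example written for this post, not PlainAudit's quiz or any C3PAO tooling: it takes the 12 findings from the table above with the point values the post lists, applies the 88 floor, the 1-point rule and the encryption-operating condition on SC.L2-3.13.11, and splits the result into POA&M items versus items that must be closed before the report is finalized. The no-defer list is left as an input (the block does not reproduce DoD policy text), and the Status Date used to derive the 180-day deadline is a constructed value.

```python
"""Added example: POA&M eligibility and SPRS math for the worked example above.

Not PlainAudit's or the DoD's code. Point values come from the post's table; the
no-defer list (gate 3) is an input that this block deliberately leaves empty."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110           # NIST SP 800-171 Rev 2 DoD Assessment Methodology maximum
CONDITIONAL_FLOOR = 88    # minimum SPRS score for Conditional CMMC Status
POAM_WINDOW_DAYS = 180    # runs from the Conditional CMMC Status Date, not assessment day
FIPS_REQUIREMENT = "SC.L2-3.13.11"


@dataclass(frozen=True)
class Finding:
    req_id: str                         # e.g. "AC.L2-3.1.10"
    points: int                         # 1, 3 or 5, fixed by the methodology
    encryption_operating: bool = False  # SC.L2-3.13.11 only: crypto deployed and
                                        # working, just not on the CMVP validated list


def sprs_score(findings):
    """Every NOT MET requirement deducts its full value, FIPS exception or not."""
    return MAX_SCORE - sum(f.points for f in findings)


def poam_eligible(finding, no_defer=frozenset()):
    """Gates 1 and 3 for one finding; gate 2 (the 88 floor) is an aggregate check."""
    if finding.req_id in no_defer:      # gate 3: excluded by policy regardless of points
        return False
    if finding.points == 1:             # gate 1: only 1-point findings
        return True
    # The one published exception: a validation gap on encryption that is actually
    # running. Encryption that exists only in the SSP gets no exception.
    return finding.req_id == FIPS_REQUIREMENT and finding.encryption_operating


def assess(findings, status_date=None, no_defer=frozenset()):
    """Return the score, the Conditional Status decision and the POA&M split.

    status_date is an ISO string ("2025-01-15"); the deadline is a datetime.date."""
    score = sprs_score(findings)
    result = {"score": score, "poam": [], "must_fix_on_site": [], "deadline": None}
    if score < CONDITIONAL_FLOOR:       # gate 2: below 88 there is no POA&M pathway at all
        result["status"] = "Not Certified"
        result["must_fix_on_site"] = [f.req_id for f in findings]
        return result
    for f in findings:
        bucket = "poam" if poam_eligible(f, no_defer) else "must_fix_on_site"
        result[bucket].append(f.req_id)
    result["status"] = "Conditional"
    if status_date is not None:
        result["deadline"] = date.fromisoformat(status_date) + timedelta(days=POAM_WINDOW_DAYS)
    return result


# The 12 findings from the post's table (constructed input).
WORKED_EXAMPLE = [
    Finding("AC.L2-3.1.10", 1), Finding("AC.L2-3.1.20", 5), Finding("AT.L2-3.2.3", 1),
    Finding("AU.L2-3.3.7", 1),  Finding("AU.L2-3.3.8", 1),  Finding("CM.L2-3.4.6", 1),
    Finding("IA.L2-3.5.7", 1),  Finding("MA.L2-3.7.3", 1),  Finding("MP.L2-3.8.5", 3),
    Finding("PE.L2-3.10.6", 1), Finding("RA.L2-3.11.2", 1),
    Finding("SC.L2-3.13.11", 3, encryption_operating=True),
]

# Same findings, but the encryption is only named in the SSP, not running.
SSP_ONLY_VARIANT = [
    Finding(f.req_id, f.points) if f.req_id == FIPS_REQUIREMENT else f for f in WORKED_EXAMPLE
]

if __name__ == "__main__":
    # Hypothetical Status Date, used only to show how the 180-day deadline is derived.
    r = assess(WORKED_EXAMPLE, status_date="2025-01-15")
    print(r["score"], r["status"], r["deadline"])   # 90 Conditional 2025-07-14
    print("POA&M:", r["poam"])
    print("Close before the report is finalized:", r["must_fix_on_site"])
    print("SSP-only crypto:", assess(SSP_ONLY_VARIANT)["must_fix_on_site"])
```

Two things the output makes concrete that the prose only states: the SC.L2-3.13.11 deduction still lands on the score (90, not 93) even though the finding rides on the POA&M, and flipping `encryption_operating` to False moves that same finding into the must-fix bucket without changing the score at all.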

If you’re uncertain how your gaps score, our CMMC readiness quiz walks the 14 control families with domain-level questions and produces an estimated SPRS score plus tier-level POA&M-eligibility guidance (Nearly Ready 88–109, Conditional, or Not Certified). It’s a starting point for the gap analysis a C3PAO would do, not a substitute.

The 180-Day Clock Starts at Status Date, Not Assessment Date

Contractors routinely misread this. The 180 days run from the Conditional CMMC Status Date posted in SPRS, not from the day the assessor walks out, not from the day the report is signed, and not from the day the C3PAO uploads the package to CyberAB. There is typically a 4–8 week gap between the assessment and the Status Date while the C3PAO finalizes documentation. That gap is preparation time, not clock time. Plan remediation timelines off the Status Date once it’s issued.

If you fail to close every POA&M item within 180 days of the Status Date, your Conditional Status expires and you revert to Not Certified. That can affect any contract awarded during the conditional window. There is no extension mechanism for the 180-day window in the current rule; if you need more than 180 days, the gap shouldn’t have been on a POA&M in the first place.

Closure Evidence Standards

The C3PAO that issued the Conditional Status doesn’t re-assess to confirm closure — instead, you submit closure evidence and a senior official affirms the items are met. That affirmation carries False Claims Act exposure if it’s inaccurate. Closure evidence has to meet the same standard as initial assessment evidence: technical artifacts (configurations, logs, screenshots), policy artifacts (approved policies dated within the validity window), and process artifacts (training records, test results). Drafts and informal screenshots don’t count.

A common pattern is for the POA&M to list closure activities but not the closure artifacts. The activities tell the C3PAO what you intend to do; the artifacts tell them you actually did it. Both go in the closure package. The format mirrors the SSP — see our CMMC System Security Plan template for how to organize control-by-control evidence so that closure can be filed without rebuilding the index.

What This Means for Your Gap Analysis

Treat POA&M eligibility as a planning input, not a fallback. Before the C3PAO arrives, sort your remaining gaps by point value and POA&M eligibility, and remediate the 3-point and 5-point items first. Save the 1-point items for either pre-assessment fixes (preferred) or POA&M filings (acceptable). A gap analysis that hasn’t classified gaps by SPRS point value is doing half the job — see our CMMC gap analysis walkthrough for the full sort-and-prioritize process. The SPRS scoring breakdown covers how each control maps to its point value.

If your projected SPRS score is below 88, the POA&M conversation is academic — you don’t qualify for Conditional Status. Focus on getting the score above 88 first, then sort the residual gaps for the POA&M.