
How to Build a POA&M: Step-by-Step Implementation for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CA.L2-3.12.2

Practical, step-by-step guidance for creating and maintaining a Plan of Action and Milestones (POA&M) to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CA.L2-3.12.2 requirements.

April 12, 2026


CA.L2-3.12.2 requires organizations subject to NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 to develop, implement, and maintain Plans of Action and Milestones (POA&Ms) that track deficiencies, remediation tasks, resources, and completion dates for controls that are not yet fully implemented. This post gives a practical, step-by-step approach with small-business examples, the technical fields to include, prioritization methods, and compliance tips so you can produce auditable POA&Ms that support your System Security Plan (SSP) and overall compliance program.

Step-by-step implementation: build the POA&M

Begin with a complete inventory and assessment: run vulnerability scans (Nessus/Qualys), review SSP control gaps, and interview system owners to identify deficiencies. For each finding, create a POA&M entry with a unique ID and the following fields: control reference (CA.L2-3.12.2 / NIST 3.12.2), short description, CUI impact statement, root cause, risk rating (see the prioritization paragraph), remediation action, interim mitigation, milestones (start, target, and actual completion dates), responsible owner, required resources (person-hours and cost estimate), status, and evidence artifacts (ticket numbers, change requests, screenshots, config files). Record a version and last-update date for each POA&M row so reviewers can see its history.

Prioritize, schedule, and estimate technical work

Use a simple risk scoring model combining CVSS (for technical vulnerabilities) with business impact: Score = (CVSS base score / 10) * impact multiplier (1 low, 2 medium, 3 high for CUI exposure or critical business function). Classify remediation as Immediate (score > 2.0), Scheduled (1.0–2.0), or Deferred (< 1.0) and set milestones accordingly. For technical remediations, provide specific actions, e.g., "Apply MSKB-XXXX patch to Windows Server 2016 (host names srv-web01/srv-db01) using WSUS/Intune; test on staging; deploy in maintenance window; verify registry HKLM\Software\Vendor\Setting = 0". Include rollback steps, the estimated maintenance window (hours), and required approvals (change board ticket). Small teams can estimate resource needs in person-days and map them to budget lines (labor vs. third-party remediation costs).

Real-world small business scenarios and sample POA&M entries

Example 1: Missing MFA for cloud admin accounts. Description: "No multi-factor authentication for Azure AD Global Admins (affects CUI access)"; Remediation: "Enable Azure AD Conditional Access enforcing MFA for Global Admins; implement hardware tokens for privileged accounts"; Interim Mitigation: "Limit admin access to corporate IPs via conditional access; enable privileged identity alerting"; Resources: 1 IT engineer, 8 hours; Target completion: 30 days.

Example 2: Unpatched Linux web server with Apache CVE. Description: "Apache mod_ssl vulnerability CVE-YYYY-NNNN"; Remediation: "Apply vendor patch and rotate TLS keys; validate with vulnerability scanner"; Interim Mitigation: "WAF rule to block exploit patterns and network ACL to restrict traffic"; Resources: 2 person-days, $0–$500.

Example 3: Unsupported Windows 7 workstation used to process invoices. Description: "Unsupported OS with known exposures"; Remediation: "Migrate user to Windows 10 image, validate business app compatibility, decommission old hardware"; Interim Mitigation: "Network segmentation and host firewall rules; limit internet access"; Resources: 6 person-days, potential $800 hardware cost.

Include these as discrete POA&M rows you can track to closure.

Tools, evidence tracking, and technical integration

Small businesses can start with an Excel/Google Sheets POA&M containing the fields above, but scale to a ticketing/GRC tool as needed: create linked tickets in JIRA/ServiceNow for each remediation and store the ticket URL in the POA&M. Integrate vulnerability scanners to auto‑populate findings and CVSS scores; use patch management logs (WSUS/SCCM/Intune) or configuration management output (Ansible/Chef) as evidence. For each completed milestone attach proof: change request number, deployment runbook, signed test results, and screenshots of configuration settings. Maintain a monthly POA&M status report that includes percent complete, delinquent tasks, and top 5 highest risk items for leadership review.
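As an added example (not code from the original post), the following Python implements the scoring and classification rule from the prioritization section and the monthly roll-up (percent complete, delinquent tasks, top 5 risks) described above, over a few constructed POA&M rows modelled on the three scenarios. The CVSS values, owners, dates and control mappings in the sample rows are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Impact multiplier from the post: 1 low, 2 medium, 3 high (CUI exposure / critical function)
IMPACT_MULTIPLIER = {"low": 1, "medium": 2, "high": 3}

def risk_score(cvss_base: float, impact: str) -> float:
    """Score = (CVSS base score / 10) * impact multiplier, rounded to two decimals."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    return round(cvss_base / 10 * IMPACT_MULTIPLIER[impact], 2)

def remediation_class(score: float) -> str:
    """Immediate (> 2.0), Scheduled (1.0 to 2.0 inclusive), Deferred (< 1.0)."""
    if score > 2.0:
        return "Immediate"
    return "Scheduled" if score >= 1.0 else "Deferred"

@dataclass
class PoamEntry:
    """One POA&M row: unique ID, control reference, finding, scoring inputs, owner, dates."""
    poam_id: str
    control: str
    description: str
    cvss_base: float
    impact: str
    owner: str
    target_date: date
    status: str = "Open"  # Open / In Progress / Closed

def status_report(entries: list, as_of: date, top_n: int = 5) -> dict:
    """Monthly roll-up: percent complete, delinquent open items, top-N open risks."""
    score = lambda e: risk_score(e.cvss_base, e.impact)
    open_items = [e for e in entries if e.status != "Closed"]
    closed = len(entries) - len(open_items)
    ranked = sorted(open_items, key=score, reverse=True)[:top_n]
    return {
        "percent_complete": round(100 * closed / len(entries), 1) if entries else 0.0,
        "delinquent": sorted(e.poam_id for e in open_items if e.target_date < as_of),
        "top_risks": [(e.poam_id, score(e), remediation_class(score(e))) for e in ranked],
    }

# Constructed sample rows (hypothetical CVSS values and control mappings, not a real assessment)
REPORT_DATE = date(2026, 4, 12)
SAMPLE = [
    PoamEntry("POAM-001", "IA.L2-3.5.3", "No MFA for Azure AD Global Admins", 8.0, "high", "IT engineer", date(2026, 5, 12)),
    PoamEntry("POAM-002", "SI.L2-3.14.1", "Apache mod_ssl CVE-YYYY-NNNN (placeholder)", 7.5, "high", "Sysadmin", date(2026, 4, 1)),
    PoamEntry("POAM-003", "SI.L2-3.14.1", "Unsupported Windows 7 invoice workstation", 6.5, "medium", "IT engineer", date(2026, 6, 30)),
    PoamEntry("POAM-004", "CM.L2-3.4.2", "Default banner exposes service version", 4.0, "low", "Sysadmin", date(2026, 3, 1), "Closed"),
]
```

Calling status_report(SAMPLE, REPORT_DATE) flags POAM-002 as delinquent (target date passed while still open) and ranks the two Immediate items ahead of the Scheduled one.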

Best practices and compliance tips

Tie every POA&M item back to your SSP control statement and reference the originating assessment (audit, scan, or interview). Keep POA&M entries realistic—auditors expect achievable dates and resource plans; overly optimistic timelines reduce credibility. Document decision rationale for deferred items and get formal risk acceptance from an authorizing official for any items pushed out beyond standard timeframes. Use change control to link remediation to production changes and maintain a remediation backlog prioritized by risk. Schedule a recurring monthly review with stakeholders, and prepare a summary for any external assessors showing progress and evidence links.

Risks of not implementing a POA&M

Failing to implement and maintain POA&Ms exposes you to multiple risks: the organization may fail CMMC/NIST assessments and lose eligibility for DoD contracts, known vulnerabilities will remain exploitable, increasing the likelihood of CUI exposure and data breaches, and incident response will be slower because remediation status is unknown. Operationally, undocumented deficiencies cause technical debt, increase mean time to remediate, and lead to repeated audit findings. From a business perspective, noncompliance risks contract penalties, loss of customer trust, and higher insurance or remediation costs after a breach.

Summary: Build your POA&M starting with a thorough assessment, then populate structured entries with control references, technical remediation steps, resource estimates, milestones, and evidence links; prioritize by risk using CVSS and business impact, track work in ticketing/GRC tools, conduct monthly governance reviews, and ensure POA&Ms are approved and tied to your SSP—doing so reduces audit risk, improves remediation velocity, and protects CUI while keeping your small business competitive for government contracts.
