This POA&M template contains 20 pre-populated example findings across common control families. Adapt these rows for your environment, add new rows for your open gaps, and use this as the working document your C3PAO auditor will review.
A Plan of Action & Milestones (POA&M) is a formal document that identifies tasks needed to correct deficiencies noted during an assessment, remediate vulnerabilities in a system, and reduce risk to organizational operations and assets. In the CMMC context, your POA&M is a living artifact reviewed by your C3PAO auditor — it demonstrates that you have identified all open gaps, assigned ownership, and committed to concrete remediation milestones.
| POA&M ID | Req ID | Requirement | Family | Points at Risk | Weakness Description | Sched. Completion | Milestones | Resources Required | Status | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| POA-001 | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | IA | 5 pts | MFA is not enforced for standard (non-privileged) user VPN and cloud application logins. Privileged accounts have MFA via Duo, but the policy is not applied consistently to all remote access sessions. Approximately 42 accounts affected. | 2026-07-31 | | IT Admin (1.0 FTE); Microsoft 365 E3 licenses already provisioned | In Progress | 5-pt req — must close before C3PAO assessment |
| POA-002 | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices | AC | 5 pts | Several shared service accounts exist on the ERP system and file shares with generic credentials (e.g., "admin," "svcaccount"). These accounts are used by multiple individuals, preventing individual accountability. No documented justification for shared accounts exists. | 2026-06-30 | | IT Admin (0.5 FTE); PAM tool license (CyberArk or equivalent, ~$8k/yr) | Open | 5-pt req. Shared accounts also violate 3.3.2 (individual accountability) |
| POA-003 | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities are identified | RA | 5 pts | No formal vulnerability scanning program is in place. Ad-hoc scans were run once approximately 18 months ago using a trial license of Nessus. Results were not formally tracked or remediated. No scanning schedule or policy exists. | 2026-08-31 | | Tenable.io license (~$12k/yr); IT Admin (0.5 FTE); Security Manager (0.25 FTE) | Open | 5-pt req — must close before assessment |
| POA-004 | 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | SC | 5 pts | Windows endpoints are not in FIPS mode. BitLocker encryption is enabled but group policy has not enforced FIPS-compliant algorithms (AES-256). Several legacy servers running Windows Server 2012 R2 use TLS 1.0/1.1 for internal API communication. OpenSSL versions on Linux hosts are not confirmed FIPS-validated. | 2026-09-30 | | IT Admin (0.5 FTE); potential hardware refresh for end-of-life systems (~$30k estimate) | Open | 5-pt req — legacy systems may need out-of-scope designation as workaround |
| POA-005 | 3.13.16 | Protect CUI at rest | SC | 5 pts | CUI stored in the shared engineering file server (\\ENGFILE01) is not encrypted at rest. Drive-level BitLocker is absent on the file server. CUI stored in a SharePoint site is in a tenant without Azure Information Protection labels or encryption enforcement. | 2026-08-15 | | IT Admin (0.5 FTE); Microsoft Purview/AIP license (included in M365 E3) | In Progress | BitLocker on file server in progress; SharePoint configuration not started |
| POA-006 | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems | CM | 5 pts | No current, maintained hardware or software asset inventory exists. The most recent inventory was an informal spreadsheet last updated 14 months ago. No CMDB or endpoint management tool (SCCM, Intune) is in use. Network devices are not inventoried. Approximately 87 workstations, 14 servers, and 23 network devices are estimated to be in scope. | 2026-07-31 | | IT Admin (0.5 FTE); Microsoft Intune license (included in M365 E3); network scanning tool | Open | Also required for 3.4.2 baseline configuration management |
| POA-007 | 3.3.1 | Create and retain system audit logs to enable monitoring, analysis, investigation, and reporting of unlawful activity | AU | 5 pts | Audit logging is enabled on workstations via Windows Event Log but logs are not centrally collected, retained, or monitored. Log retention on local systems is approximately 7 days before overwrite. No SIEM or log aggregation platform is deployed. Server audit logging is inconsistent — 6 of 14 servers have logging disabled or at minimal verbosity. | 2026-09-30 | | IT Admin (0.5 FTE); Security Analyst (0.25 FTE); SIEM license ($15–25k/yr depending on platform) | Open | 5-pt req. Microsoft Sentinel preferred given existing M365 footprint |
| POA-008 | 3.6.1 | Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user response activities | IR | 5 pts | No formal incident response plan (IRP) exists. Security events are handled ad-hoc by the IT administrator. There is no documented escalation path, no defined severity classification, no contact list for reporting to CISA or DIBNet, and no tabletop exercise has been conducted. The organization has had one potential CUI spillage in the past two years with no formal after-action review. | 2026-07-15 | | External consultant (IRP development, $5–8k); Security Manager (0.25 FTE); IT Admin (0.1 FTE) | Open | 5-pt req. DIBNet reporting registration also required for 3.6.2 |
| POA-009 | 3.12.4 | Develop, document, and periodically update system security plans | CA | 5 pts | An SSP exists but was last updated in 2022 and does not reflect current network architecture, cloud environment, or personnel. The document has no defined review cycle. Control implementation statements are incomplete for approximately 40% of requirements. System boundary diagrams are absent. | 2026-06-30 | | Security Manager (0.5 FTE); IT Admin (0.25 FTE); GRC consultant optional ($10–15k) | In Progress | 5-pt req — highest priority alongside IRP and MFA |
| POA-010 | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts | AC | 5 pts | Domain Administrator rights are assigned to 11 user accounts including 4 standard users who historically received elevated access for convenience. No formal privileged access review process exists. Local administrator rights on workstations are granted to all users by default. No PAM solution is in use. | 2026-07-31 | | IT Admin (0.5 FTE); Microsoft LAPS (free); PAM tool if shared accounts not resolved via POA-002 | Open | 5-pt req. Removing local admin will require user change management communications |
| POA-011 | 3.14.2 | Provide protection from malicious code at appropriate locations within organizational systems | SI | 5 pts | Endpoint protection is deployed on workstations but coverage is incomplete: 3 file servers and 2 jump hosts have no endpoint security agent. Two BYOD endpoints used to access CUI have no organization-managed AV. Malware protection is not deployed at network boundary (no gateway AV or email sandboxing). | 2026-06-30 | | IT Admin (0.25 FTE); Defender for Endpoint licenses (M365 E3 included); Defender for O365 Plan 1 (~$2/user/mo) | In Progress | 5-pt req — server deployment in progress |
| POA-012 | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created | IA | 3 pts | Active Directory password policy requires only 8-character minimum with no complexity enforcement. NIST SP 800-63B and CMMC require 12-character minimum for environments without MFA on all accounts. The cloud application (Salesforce) used by the contracts team has no SSO integration and allows 6-character passwords. | 2026-06-15 | | IT Admin (0.1 FTE); no additional licensing required | Open | 3-pt req. Can be addressed in parallel with MFA rollout (POA-001) |
| POA-013 | 3.4.6 | Employ the principle of least functionality by configuring systems to provide only essential capabilities | CM | 3 pts | Default Windows features are enabled on endpoints including IIS, Remote Registry, Telnet Client, and SMBv1. No hardening standard (CIS Benchmark Level 1 or DISA STIG) has been applied to endpoints or servers. Unnecessary services run on file servers including Print Spooler, Fax Service, and XPS Document Writer. | 2026-08-31 | | IT Admin (0.5 FTE); CIS-CAT Pro tool (~$2k/yr) optional for validation | Open | 3-pt req. Hardening GPO development should not break line-of-business applications — test first |
| POA-014 | 3.2.2 | Ensure that personnel are trained to carry out their assigned information security responsibilities | AT | 3 pts | No role-based security training program exists. General security awareness training was last conducted in 2023 and covered only phishing. IT staff have not completed training on incident response, access control administration, or CUI handling procedures. New hire security onboarding lacks any security component. | 2026-07-31 | | HR (0.1 FTE); Security Manager (0.1 FTE); training platform (~$4k/yr) | Open | 3-pt req. Phishing simulation should also be included per 3.2.3 |
| POA-015 | 3.8.3 | Sanitize or destroy system media before disposal or reuse | MP | 5 pts | No formal media sanitization policy or procedure exists. Retired hard drives and SSDs are stored in a closet pending disposal — no sanitization has been performed. Three workstations retired last year were transferred to an employee for personal use without drive wiping. No chain-of-custody records exist for any media disposal. | 2026-06-30 | | Security Manager (0.1 FTE); media destruction vendor (~$500 one-time + $50/drive ongoing) | Open | 5-pt req. Employee-transferred systems may require recovery and sanitization if CUI was present |
| POA-016 | 3.13.6 | Deny network communications traffic by default and allow by exception (deny all, permit by exception) | SC | 3 pts | The perimeter firewall runs with implicit deny on inbound but outbound traffic is allowed by default with no restriction. Internal network segments are flat — workstations, servers, and IoT/printer devices share the same /16 subnet with no segmentation. No east-west traffic controls exist between engineering and administrative systems. | 2026-09-30 | | IT Admin (0.5 FTE); Network Admin (contract, 40 hrs); firewall/switch hardware if needed (~$15k estimate) | Open | 3-pt req. Network redesign is highest-effort item — schedule dependencies with POA-013 |
| POA-017 | 3.10.1 | Limit physical access to organizational systems, equipment, and operating environments to authorized individuals | PE | 5 pts | The server room is accessible via a standard key shared among 9 employees with no access log. The key has not been re-keyed in over 3 years. No badge reader or electronic access control is in place. Visitor escorting procedures are not documented or consistently followed on the production floor where CUI workstations are located. | 2026-07-31 | | Facilities Manager (0.1 FTE); badge reader hardware/install (~$3k); Security Manager (0.1 FTE) | Open | 5-pt req. Badge reader procurement underway |
| POA-018 | 3.1.12 | Monitor and control remote access sessions | AC | 3 pts | Remote access is provided via a legacy SSL VPN (Cisco AnyConnect) but session monitoring is not configured. VPN logs are not retained beyond 30 days and are not reviewed. No session recording is in place for privileged remote sessions. There is no alerting on anomalous remote access patterns (off-hours, unusual geolocation). | 2026-08-15 | | IT Admin (0.25 FTE); dependent on SIEM deployment (POA-007) | Deferred | 3-pt req. Blocked on SIEM deployment; will close concurrently with POA-007 |
| POA-019 | 3.9.2 | Ensure CUI is protected during and after personnel actions such as terminations and transfers | PS | 5 pts | No formal offboarding procedure exists for IT access revocation. A review of Active Directory found 6 accounts belonging to former employees still active, including one account with Domain User rights that was last logged into 4 months ago by an unknown session. CUI file share permissions for departed employees were not reviewed during offboarding. | 2026-05-31 | | IT Admin (0.1 FTE); HR (0.1 FTE); possible security investigation if unauthorized access confirmed | In Progress | 5-pt req. Anomalous login may require IR (POA-008) engagement — escalate to ISSO |
| POA-020 | 3.13.7 | Prevent remote devices from simultaneously connecting to the system and to other resources (split tunneling) | SC | 3 pts | The Cisco AnyConnect VPN is configured with split tunneling enabled, allowing remote users to simultaneously access organizational systems and uncontrolled internet resources without the latter traffic traversing organizational security controls. This creates a vector for exfiltration and malware introduction that bypasses perimeter defenses. | 2026-07-15 | | IT Admin (0.1 FTE); internet bandwidth upgrade may be required (~$500/mo additional) | Open | 3-pt req. Bandwidth impact assessment critical before full rollout |
Maintaining your POA&M: Update this document at least monthly. Each time a milestone is completed, update the milestone status and date. When all milestones for a finding are closed and evidence is collected, change the row status to "Closed" and record the actual close date in the Notes column. Your C3PAO auditor will verify that evidence of closure exists for every item marked Closed — document everything.
Deferred items: A "Deferred" status indicates a dependency on another item or a business decision to delay remediation. Deferred items that involve 5-point requirements must be resolved before your assessment date regardless of the dependency. Deferred 3-point items may require a risk acceptance statement from an authorizing official.
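As an added example that is not part of the template, the following Python check applies the maintenance and deferral rules above to POA&M rows: it parses a reduced column set, flags Closed rows with no recorded close date, Deferred 5-point items, Deferred 3-point items that may need a risk acceptance statement, 5-point items scheduled after the assessment date, and deferrals that cite an ID missing from the table. The sample rows, the reduced column layout, the assessment date and the "today" date are constructed for the example; POA-019's status and POA-021 are invented rows.

```python
import re
from datetime import date

# Constructed sample rows in a reduced column set (ID | Req | Points | Sched.
# Completion | Status | Notes). POA-019's status and POA-021 are invented here.
SAMPLE_ROWS = """
| POA-001 | 3.5.3   | 5 pts | 2026-07-31 | In Progress | 5-pt req, must close before C3PAO assessment |
| POA-018 | 3.1.12  | 3 pts | 2026-08-15 | Deferred    | Blocked on SIEM deployment (POA-007) |
| POA-019 | 3.9.2   | 5 pts | 2026-05-31 | Closed      | Evidence collected, see offboarding binder |
| POA-021 | 3.13.16 | 5 pts | 2026-10-31 | Deferred    | Waiting on budget approval |
"""

def parse_rows(text):
    """Turn markdown table rows into dicts; header, separator and odd lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[0].startswith("POA-"):
            continue
        rows.append({"id": cells[0], "req": cells[1], "points": int(cells[2].split()[0]),
                     "due": date.fromisoformat(cells[3]), "status": cells[4], "notes": cells[5]})
    return rows

def check_poam(text, assessment, today):
    """Return one message per violation of the POA&M maintenance and deferral rules."""
    rows = parse_rows(text)
    known = {r["id"] for r in rows}
    issues = []
    for r in rows:
        rid = r["id"]
        if r["status"] == "Closed":
            # The auditor verifies closure evidence, so a Closed row needs its actual close date.
            if not re.search(r"\b\d{4}-\d{2}-\d{2}\b", r["notes"]):
                issues.append(f"{rid}: Closed but no actual close date recorded in Notes")
            continue
        if r["points"] == 5 and r["due"] > assessment:
            issues.append(f"{rid}: 5-point item scheduled after the assessment date")
        if r["status"] == "Deferred":
            if r["points"] == 5:
                issues.append(f"{rid}: Deferred 5-point item must be resolved before assessment")
            else:
                issues.append(f"{rid}: Deferred 3-point item may need a risk acceptance statement")
            # A deferral that cites another item should point at a row that exists.
            missing = set(re.findall(r"POA-\d{3}", r["notes"])) - known - {rid}
            if missing:
                issues.append(f"{rid}: depends on {sorted(missing)} which is not in the POA&M")
    return issues

def sample_issues():
    # Constructed assessment date and review date for the sample rows.
    return check_poam(SAMPLE_ROWS, assessment=date(2026, 9, 1), today=date(2026, 6, 1))
```

Running `sample_issues()` over the constructed rows reports five findings: POA-018 (risk acceptance, missing dependency POA-007), POA-019 (no close date) and POA-021 (scheduled after assessment, deferred 5-point item).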