Stacks: Verified U.S. regulatory reference

32 CFR §170.21

Verified against eCFR.gov as of June 20, 2026.
(a) POA&M. For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:

  (1) Level 1 self-assessment. A POA&M is not permitted at any time for Level 1 self-assessments.

  (2) Level 2 self-assessment and Level 2 certification assessment. An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:

    (i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;

    (ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and

    (iii) None of the following security requirements are included in the POA&M:

      (A) AC.L2-3.1.20 External Connections (CUI Data).
      (B) AC.L2-3.1.22 Control Public Information (CUI Data).
      (C) CA.L2-3.12.4 System Security Plan.
      (D) PE.L2-3.10.3 Escort Visitors (CUI Data).
      (E) PE.L2-3.10.4 Physical Access Logs (CUI Data).
      (F) PE.L2-3.10.5 Manage Physical Access (CUI Data).

  (3) Level 3 certification assessment. An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:

    (i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and

    (ii) The POA&M does not include any of the following security requirements:

      (A) IR.L3-3.6.1e Security Operations Center.
      (B) IR.L3-3.6.2e Cyber Incident Response Team.
      (C) RA.L3-3.11.1e Threat-Informed Risk Assessment.
      (D) RA.L3-3.11.6e Supply Chain Risk Response.
      (E) RA.L3-3.11.7e Supply Chain Risk Plan.
      (F) RA.L3-3.11.4e Security Solution Rationale.
      (G) SI.L3-3.14.3e Specialized Asset Security.

(b) POA&M closeout assessment. A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.

  (1) Level 2 self-assessment. For a Level 2 self-assessment, the POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.

  (2) Level 2 certification assessment. For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.

  (3) Level 3 certification assessment. For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.
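The eligibility conditions in paragraph (a) and the 180-day expiry in paragraph (b), expressed as an added Python checker that is not part of the eCFR text or of any official CMMC tooling. It assumes the caller supplies each POA&M item's point value from the § 170.24 scoring methodology (not reproduced on this page), that scores and requirement counts are integers, and that the 180-day window includes its last day; the requirement ID "EXAMPLE.L2-0.0.1" in the sample run is a constructed placeholder.

```python
from datetime import date, timedelta
from fractions import Fraction

# Requirements that may never sit on a POA&M (170.21(a)(2)(iii) and (a)(3)(ii)).
L2_POAM_EXCLUDED = {"AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
                    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
L3_POAM_EXCLUDED = {"IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e", "RA.L3-3.11.6e",
                    "RA.L3-3.11.7e", "RA.L3-3.11.4e", "SI.L3-3.14.3e"}
CUI_ENCRYPTION = "SC.L2-3.13.11"    # may carry 3 points when encryption is non-FIPS
MIN_SCORE_RATIO = Fraction(8, 10)   # 170.21(a)(2)(i) and (a)(3)(i)
CLOSEOUT_WINDOW_DAYS = 180          # 170.21(b)


def conditional_status_allowed(level, score, total, poam):
    """Return (allowed, reasons) for a Conditional CMMC Status at `level`.

    `poam` maps each NOT MET requirement ID on the POA&M to its 170.24 point
    value (assumed supplied by the caller). Level 3 ignores point values.
    """
    if level == 1:
        return False, ["Level 1: a POA&M is not permitted at any time"]
    if level not in (2, 3):
        raise ValueError(f"unsupported CMMC level {level!r}")
    reasons = []
    ratio = Fraction(score, total)  # exact, so 88/110 compares equal to 0.8
    if ratio < MIN_SCORE_RATIO:
        reasons.append(f"score ratio {float(ratio):.3f} is below 0.8")
    excluded = L2_POAM_EXCLUDED if level == 2 else L3_POAM_EXCLUDED
    for req_id, points in sorted(poam.items()):
        if req_id in excluded:
            reasons.append(f"{req_id} may not be included in a POA&M")
        elif level == 2 and points > 1 and not (req_id == CUI_ENCRYPTION and points == 3):
            reasons.append(f"{req_id} has point value {points}; only 1 is allowed")
    return not reasons, reasons


def closeout_deadline(conditional_status_date):
    """Last day on which a successful closeout keeps the Conditional Status alive."""
    return conditional_status_date + timedelta(days=CLOSEOUT_WINDOW_DAYS)


def conditional_status_expired(conditional_status_date, closed_out_on, today):
    """True once the 180-day window has passed without a successful closeout."""
    deadline = closeout_deadline(conditional_status_date)
    if closed_out_on is not None and closed_out_on <= deadline:
        return False
    return today > deadline


if __name__ == "__main__":
    # Constructed sample: 88 of 110 requirements MET, non-FIPS encryption plus one
    # 1-point gap on the POA&M.
    print(conditional_status_allowed(2, 88, 110, {CUI_ENCRYPTION: 3, "EXAMPLE.L2-0.0.1": 1}))
    print(conditional_status_expired(date(2026, 1, 1), None, date(2026, 7, 1)))
```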