Army POA&M Requirements: What Defense Contractors Need to Know About DoD-Specific Compliance
Defense contractors working with the Army operate under Plan of Action and Milestones (POA&M) obligations that differ materially from civilian agency programs.
A weighted scoring methodology is applied; POA&Ms must be closed out within 180 days, and recent Department of Justice (DOJ) enforcement actions under the False Claims Act (FCA) show that inaccurate compliance claims can lead to damages and lost contracts.
These rules affect contract eligibility, assessment outcomes, and legal exposure.
Key Takeaways
- Army POA&M limits. The Cybersecurity Maturity Model Certification (CMMC) program rules state that POA&Ms may remain open for no more than 180 days after receiving conditional CMMC status.
- Overlapping Department of Defense (DoD) frameworks. The Risk Management Framework (RMF), CMMC, Defense Federal Acquisition Regulation Supplement (DFARS) clauses, and the Supplier Performance Risk System (SPRS) each impose distinct requirements that often overlap.
- FCA exposure matters. DOJ enforcement actions in 2025 reached $8.4 million in one settlement, and a whistleblower received $851,000 in another case involving an inflated SPRS score.
- FedRAMP narrows scope. FedRAMP High is accepted at Impact Level 4 (IL4) without reassessment of common and common-eligible controls, thereby reducing the residual assessment scope.
Army POA&M compliance requires accurate recording, governance, and closeout of unmet requirements in accordance with DoD-specific rules.
An Army POA&M Records Unmet Security Requirements and the Plan to Remediate Them
A DoD POA&M is the formal document that lists each unmet security requirement, along with the remediation plan, required resources, milestone dates, and current status.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Control CA-5, mandates the development and maintenance of a POA&M across all federal information systems.
DoD authorization components include:
- POA&M
- System Security Plan (SSP)
- Security Assessment Report (SAR)
- Risk Assessment Report (RAR)
- Authorization Decision Document
POA&M obligations persist through continuous monitoring throughout the system lifecycle.
Army POA&Ms Operate Under DoD Frameworks That Civilian Programs Do Not Use
The rules governing a contractor's POA&M depend on which DoD regime applies. Most contractors sit under more than one simultaneously. In practice, the same weakness may affect the authorization posture, contract eligibility, assessment scoring, and representations made in SPRS simultaneously.
DoD RMF and eMASS
The DoD Risk Management Framework governs authorization for all DoD information systems and platform Information Technology (IT) systems, and the Army layers component-level rules and an enterprise system of record on top of it. Together, these authorities set how POA&Ms are captured, reviewed, and approved.
- DoDI 8510.01: Department of Defense Instruction codifying the DoD RMF and governing authorization for all DoD information systems and platform IT systems.
- Army Regulation (AR) 25-2 (April 2019): Implements DoDI 8510.01 at the Army component level, mandates the Enterprise Mission Assurance Support Service (eMASS) as the system of record, and covers Army-controlled IT operated by contractors on behalf of the Army.
- eMASS business rules: Require all non-compliant controls to have an associated POA&M item and have severity values assigned before a package can advance past the Security Control Assessor.
- Authorizing Official (AO) constraint: The AO is blocked from granting a full Authority to Operate (ATO) if any control carries a residual risk level of High or Very High.
- AR 25-2 restriction: An ATO with conditions at High or Very High risk requires concurrence from the Army CIO/G-6.
These overlapping authorities mean that a single POA&M entry can be reviewed against DoD-wide, Army-wide, and system-of-record rules simultaneously.
NIST 800-171 and DFARS 252.204-7021
NIST SP 800-171 defines the safeguarding baseline for Controlled Unclassified Information (CUI), and two DFARS clauses translate that baseline into contractual obligations. Together, they cover how controls are implemented, how incidents are reported, and how compliance is affirmed.
- NIST SP 800-171: Defines the CUI safeguarding baseline that contractors must implement on covered information systems.
- DFARS 252.204-7012: Requires implementation of NIST SP 800-171 on all covered contractor information systems and mandates 72-hour cyber incident reporting.
- DFARS 252.204-7021: Makes CMMC certification a contractual condition of award and requires a senior company official to submit annual affirmations of continuous compliance in SPRS.
These requirements tie technical implementation, incident reporting, and executive affirmation into one contractual chain.
CMMC and SPRS
CMMC validates a contractor's implementation of NIST SP 800-171, while SPRS records the scores, affirmations, and POA&M status that flow from each assessment. The points below summarize how scoring and status interact.
- CMMC rulemaking: Codified in 32 Code of Federal Regulations CFR Part 170, effective December 16, 2024.
- SPRS role: Records assessment scores, annual affirmations, and POA&M status.
- DoD assessment methodology for Level 2: Scores 110 NIST SP 800-171 Rev2 requirements with weighted point deductions of 1, 3, or 5 points per unmet control.
- Conditional CMMC Status: Requires a minimum SPRS score of 88 out of 110.
- Final CMMC Status: Requires a score of 110/110 MET.
- Ineligible POA&M items: Any ineligible requirement on the POA&M results in No CMMC Status regardless of score.
The combination of weighted scoring and eligibility rules means a single ineligible item can override an otherwise passing score.
Every Army POA&M Documents the Deficiency, Its Remediation Plan, and Its Status
A valid POA&M entry requires specific fields that assessors check for completeness, grouped into three categories. Those categories tie the weakness to the remediation approach and, in turn, to the status evidence that supports scoring and closeout.
Deficiency Identification Fields
Identification fields establish which control is unmet, where it is unmet, and who owns the fix. Assessors use these fields to reconcile the POA&M against the SSP and the assessment scope.
- Unmet control or practice ID: A unique identifier mapped to the specific NIST SP 800-171 requirement (e.g., 3.5.3). A CMMC Unique Identifier in SPRS is assigned at the assessment level after the assessment is affirmed.
- Point value: The 1-, 3-, or 5-point weight per the DoD Assessment Methodology, which determines scoring impact and POA&M eligibility.
- Weakness description: The specific deficiency, written precisely enough to trace to the affected system.
- Affected asset or enclave: The system or boundary where the control is not met, cross-referenced against the SSP system boundary.
- Point of contact: A named individual accountable for correcting the weakness.
Each identification field should match the corresponding entry in the SSP, allowing the assessor to confirm scope alignment.
Remediation and Milestone Fields
Remediation fields define how the weakness will be fixed, what it will take, and when each step will be completed. These fields turn an identified gap into a tracked plan with measurable progress.
- Remediation plan: A specific, actionable description aligned with NIST SP 800-171A assessment objectives. Generic language is rejected.
- Resources required: Funding and personnel necessary to execute remediation.
- Dated milestones: At least two milestones with distinct completion dates.
- Scheduled completion date: Constrained by the requirement to complete the POA&M closeout assessment within 180 days of the Conditional CMMC Status Date under CMMC rules.
Milestones should be granular enough that an assessor can verify progress between status updates rather than only at closeout.
Status and Scoring Fields
Status fields record where each item stands at the time of review and how it affects the SPRS score. These fields support both internal governance and external reporting.
- Current status: Tracked and reported using the organization's defined remediation process and applicable reporting guidance.
- Status date: The date of the most recent status update.
- Effect on the SPRS score: The point deduction the open item produces, and whether the item qualifies for POA&M placement based on its weight.
- Evidence reference: Artifacts attached to support remediation progress, dated and traceable to the specific in-scope system.
Contractors must document a weakness that is actually eligible to remain open under the stricter DoD-specific limits.
DoD POA&M Rules Are Stricter Than Civilian Frameworks on Eligibility, Scoring, and Timelines
The DoD ecosystem applies constraints on POA&M eligibility, scoring, and timelines that civilian agency POA&M frameworks do not match. The points below show where those constraints bite hardest and where recent enforcement has landed.
- No POA&Ms at Level 1. At Level 2, only 1-point controls are eligible, with one exception: SC.L2-3.13.11.
- Conditional CMMC Status requires a minimum assessment score of 88 out of 110.
- 180-day closeout window from Conditional CMMC Status Date.
- Annual affirmation in SPRS by a senior official.
- Six Level 2 controls are not eligible for POA&M placement: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5.
A small recording error can cost a contractor millions in settlements. In one 2025 case, Raytheon and related entities paid $8.4 million in settlements to resolve False Claims Act allegations involving 29 DoD contracts, and in a separate case, a whistleblower received $851,000 after a contractor's self-reported compliance score was found to be inaccurate.
Pre-Assessment Practices That Keep Defense Contractors Compliant and Contract-Eligible
Contractors who avoid POA&M trouble usually follow a consistent readiness path before assessment instead of reacting after it. The practices below align scoping, scoring, documentation, and flowdown into one preparation sequence.
1. Scope the CUI Environment Precisely
CMMC scoping categories state that assets that store, process, or transmit CUI are in scope for a CMMC Level 2 assessment, as are assets that support or protect them. Consolidating CUI into a defined enclave reduces the number of assets requiring full control coverage.
2. Fully Implement High-Impact Controls Before the Assessment
The DoD Assessment Methodology uses weighted deductions, so the controls that drive the largest point losses should be implemented before the assessor arrives. Deficiencies in controls that are ineligible for POA&M placement can result in No CMMC Status instead of a remediable open item.
3. Keep the SSP and the POA&M Reconciled
Every control marked "not implemented" or "partially implemented" in the SSP must have a corresponding POA&M entry, and vice versa. Reconciling both documents before assessment prevents mismatches that assessors routinely flag.
4. Record an Accurate Score and Affirmation in SPRS
Start at 110 and subtract point weights for each unmet control. DFARS 252.204-7021 requires CMMC certification and annual affirmations by a senior company official in SPRS.
5. Attach a Credible, Dated Remediation Plan to Every Open Item
Each item needs specific owners, distinct milestone dates, and documented remediation steps. Update the SSP as each remediation completes so the two records remain aligned through closeout.
6. Flow the Correct Requirements Down to Subcontractors
DFARS 252.204-7021 requires flowdown for subcontracts involving Federal Contract Information (FCI) or CUI. The CMMC flowdown requirement follows the information handled, not the prime's certification level.
Following this readiness path reduces the chance of a deficient POA&M reaching the assessor and the chance of an inflated score reaching SPRS.
A FedRAMP Foundation Reduces the DoD Authorization Lift for Cloud-Based Systems
The January 2025 DoD Cloud Security Requirements Guide (SRG) codifies a FedRAMP+ approach: FedRAMP is the floor, and DoD-specific requirements sit above it.
At IL4, the SRG explicitly provides reciprocity for FedRAMP High authorization, accepting common and common-eligible controls without re-assessment. The residual assessment scope is smaller and focuses on DoD-specific overlay controls, DoD-specific parameter values, and general readiness requirements.
A Software as a Service (SaaS) provider pursuing a DoD Provisional Authorization without FedRAMP authorization faces the full FedRAMP High baseline plus DoD-specific additions, assessed from zero, which typically runs upwards of $3.5 million and 12 to 36 months. A cloud-based service operating without the required authorization may be unable to compete for Army contracts that require IL4 or higher until it obtains the appropriate approval.
Contractors that build their FedRAMP foundation now can address the DoD-specific delta more quickly. Those who wait will face the FedRAMP baseline and the DoD overlay as a single combined compliance project. What if the infrastructure layer were already authorized before Army-specific remediation work begins?
A Strong POA&M Posture Protects Eligibility, Timing, and Enforcement Exposure
Army POA&M compliance depends on precision. Contractors operate within a DoD structure in which eligibility rules, weighted scoring, fixed closeout timelines, and recurring affirmations simultaneously affect contract access and enforcement exposure. For cloud-based providers, a pre-authorized boundary changes the amount of work that must be documented and remediated inside the DoD process.
Knox Systems is a FedRAMP-as-a-Service platform that operates a pre-authorized infrastructure boundary, helping teams achieve authorization in approximately 90 days at 90% lower cost than the traditional path. Its KnoxAI compliance automation engine supports control mapping, documentation generation, and ongoing compliance work while teams focus on the DoD-specific delta.
For teams deciding how to reduce that burden before Army-specific assessments begin, book a meeting.
FAQs About Army POA&M Requirements
What Happens if a Defense Contractor Misses the 180-Day POA&M Closeout Deadline?
The contractor can lose its conditional status for that CMMC level and may no longer be eligible for additional awards tied to it. Restoring eligibility requires obtaining a new status through a new assessment.
How Does a CMMC POA&M Differ From a DFARS 252.204-7012 Plan of Action?
A CMMC POA&M carries a fixed 180-day closeout window and ties directly to conditional status and weighted scoring. A DFARS 252.204-7012 plan of action is framed more broadly around implementing NIST SP 800-171 and does not, on its own, impose the same status-driven deadline.
Are Joint Ventures and Teaming Partners Required to Hold Their Own CMMC Status?
Each legal entity that will store, process, or transmit FCI or CUI in the performance of a contract typically needs its own corresponding CMMC status at the level required by the information it handles. Teaming agreements should specify which entity's environment is in scope and how shared assets are documented under the prime's SSP.
What Records Should a Contractor Retain to Support an SPRS Affirmation?
Contractors should retain dated evidence supporting each control's implementation state at the time of the affirmation, including configuration baselines, screenshots, policy versions, and SSP revisions. Retaining contemporaneous records reduces the burden of reconstructing the basis for an affirmation if it is later questioned in an investigation or audit.
Who Is Personally Liable for the Annual CMMC Affirmation in SPRS?
The affirmation must be made by a senior-level representative of the organization. Because the statement is recurring and tied to compliance representations, inaccurate affirmations can increase FCA exposure for both the individual signing and the company.