For years, the Plan of Action & Milestones (the POA&M) functioned as the compliance industry's pressure valve. A contractor couldn't meet a control? No problem. Document the gap, write a plan to fix it someday, submit your SPRS score as if the control were implemented, and move on. The DoD knew contractors were doing this. Everyone knew. And for a long time, nothing happened.

That era is over.

What Changed

The CMMC final rule and the updated DFARS clause introduced structural changes to how POA&Ms work, designed to close the gap between what contractors claim and what they actually have in place.

The most significant change: POA&Ms now carry a hard 180-day closure deadline. If you receive a contract award with open POA&M items, you have 180 days to close every one of them. Miss that deadline and your certification is revoked. A revoked certification means you can't perform on the contract and potentially can't bid on new ones.

The old playbook was: document the gap, defer indefinitely, renew the POA&M each year. That is no longer an option. The 180-day clock starts at award and does not pause.

Controls That Can't Be Deferred At All

Certain high-risk controls cannot go on a POA&M under any circumstances. These must be implemented before an assessment begins. Not planned, not in progress, actually done. The two most notable:

Multi-Factor Authentication (MFA)

MFA for all accounts with access to CUI systems is a pre-assessment requirement. If it's not implemented when the assessor arrives, the assessment fails on that control with no path to defer. There is no "we're rolling it out" option.

Encryption of CUI

Encryption at rest and in transit for CUI is similarly non-deferrable. Unencrypted CUI is an automatic finding with no POA&M pathway.

Level 1 Contracts: Zero POA&Ms

For CMMC Level 1 contracts (the basic tier covering Federal Contract Information), there are no POA&Ms at all. You either meet all 17 practices or you don't attest. The POA&M mechanism doesn't exist at Level 1. This catches a lot of small contractors off guard, particularly those who assumed Level 1 was a low bar with plenty of flexibility.

What This Means for Your Timeline

The practical implication of all of this is that the window between "start working on compliance" and "ready for assessment" is longer than most contractors assume, and the penalties for gaps discovered late are more severe than they used to be.

A gap assessment tells you exactly which controls you have, which you don't, and which fall into the non-deferrable category and must be remediated before any assessment can begin. That information determines your real timeline. Not the optimistic one, the actual one.