Axiotrop Blog

What is the POA&M Process for Final CMMC Certification?

If an Organization Seeking Certification (OSC) has met most, but not all, security requirements, it may be eligible for a Conditional Certificate of CMMC Status. This is possible if the unmet requirements are documented on an existing and valid POA&M that complies with the regulations in 32 CFR §170.21. However, if an OSC has unmet security requirements and a valid POA&M is not attainable, the C3PAO will recommend that no certificate be issued. 


The details of how POA&Ms work are documented in 32 CFR 170.


The POA&M Close-Out Process 

Phase 4 of the CMMC assessment process is dedicated to issuing certificates and closing out any existing POA&Ms. 


Key aspects of the POA&M close-out process include: 

  • Engaging a C3PAO: An OSC with a CONDITIONAL Level 2 Certificate of CMMC Status can hire an authorized or accredited C3PAO to conduct the POA&M close-out assessment and close out its POA&M(s). The OSC is not required to use the same C3PAO that conducted the initial assessment and issued the conditional certificate. The C3PAO hired for the close-out assumes responsibility for the FINAL CMMC Status determination. 

  • Conflict of Interest Review: Before starting the POA&M close-out, the C3PAO must conduct and document a conflict-of-interest review. 

  • Procedural Requirements: The C3PAO must follow the procedures for closing out a POA&M as established in 32 CFR part 170.17(a)(1)(ii)(B). 

  • Quality Assurance (QA): A quality assurance individual, who must be a CMMC Certified Assessor (CCA), is required to review the POA&M close-out assessment upon its completion. This individual cannot have been a member of the assessment team that conducted the POA&M close-out. The QA review must check for the accuracy and completeness of the evaluation and ensure it conforms to required reporting formats. 

  • Reporting and Communication: 
      ◦ While not required, the assessment team may offer the OSC a POA&M Out-Brief Meeting. 
      ◦ The C3PAO must communicate the results of the POA&M close-out to the OSC in writing, along with the next administrative steps. 

  • Uploading to CMMC eMASS: After the close-out and QA review are complete, the C3PAO must submit the results to CMMC eMASS. 

  • Issuing a Final Certificate: If the POA&M was closed out satisfactorily, the C3PAO will then issue a FINAL Level 2 Certificate of CMMC Status to the OSC. This issuance follows the same procedures as the initial certificate generation, including using standardized templates, requiring a signature from an Authorized Certifying Official, and uploading the final certificate to CMMC eMASS. 

 

Note: All POA&Ms must be closed out within 180 days of the Conditional CMMC Status Date to achieve Final Status, or the conditional status will expire.  


Appeals Process for POA&M Close-Out 

If an OSC disputes the findings of the CMMC Assessment Team during the POA&M close-out, it has the right to appeal. The appeals process for a POA&M close-out is identical in process and timelines to the one for a full assessment, except that the controlling appeals process is that of the C3PAO that conducted the POA&M close-out. 


 

About AXIOTROP, LLC:    

Ready to start your CMMC journey? Begin by identifying your cybersecurity gaps and building a tailored remediation plan and budget. AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses, so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.      

 

 
 
 
