Most Teams Learn This at Assessment: 63 Controls Can’t Be Deferred

Introduction

Most teams build their CMMC timeline assuming they can fix gaps after the assessment, on a POA&M. The POA&M rules in 32 CFR 170.21 don’t allow that for 63 of the 110 Level 2 controls.

The reason: only controls valued at 1 point under the CMMC Scoring Methodology are POA&M-eligible. Every 3-point and 5-point control must be fully met at the time of the assessment, whether that is a self-assessment under 170.16 or a C3PAO certification assessment under 170.17.

This post breaks down exactly which controls are non-POA&M-able, which six 1-point controls are excluded by name, how the scoring margin works, and the one encryption exception worth knowing.

The Six Excluded Controls That Block Certification

Beyond the 3-point and 5-point controls, six specific 1-point controls are explicitly excluded from POA&M eligibility under 32 CFR 170.21(a)(2)(iii)(A) through (F):

AC.L2-3.1.20 – External Connections: Verify and control/limit connections to and use of external systems (CUI Data)

AC.L2-3.1.22 – Control Public Information: Control CUI posted or processed on publicly accessible systems (CUI Data)

CA.L2-3.12.4 – System Security Plan: Develop, document, and periodically update system security plans

PE.L2-3.10.3 – Escort Visitors: Escort visitors and monitor visitor activity (CUI Data)

PE.L2-3.10.4 – Physical Access Logs: Maintain audit logs of physical access (CUI Data)

PE.L2-3.10.5 – Manage Physical Access: Control and manage physical access devices (CUI Data)

These six controls carry only 1 point each in the scoring methodology, which makes them look low-risk on paper. But a gap in any one of them blocks conditional certification entirely. There is no POA&M path for them; the gap has to be closed before the assessment.

CA.L2-3.12.4 (System Security Plan) is the one that trips up teams most often. Without a complete SSP the assessment cannot proceed: the SSP is an input the assessor works from, not just a scored control.

Scoring, Margins, and the Encryption Exception

Even if all your gaps fall within the 47 POA&M-eligible controls, the margin is tight.

Since only 1-point controls are POA&M-eligible, each gap on your POA&M costs exactly 1 point. To qualify for conditional Level 2 status, your score must be at least 88 out of 110, the 0.8 threshold specified in 32 CFR 170.21(a)(2)(i) (0.8 × 110 = 88). That leaves a maximum margin of 22 points, so at most 22 open items.

There is one exception worth understanding. SC.L2-3.13.11 (CUI Encryption) is a 5-point control, which would normally make it non-POA&M-able. However, 32 CFR 170.21(a)(2)(ii) carves out a specific exception: if encryption is employed but is not FIPS-validated, the scoring methodology deducts 3 points instead of 5, and at that 3-point value the control can be included on a POA&M.

This matters for your margin calculation. If SC.L2-3.13.11 is on your POA&M, it consumes 3 of your 22 available points, leaving room for only 19 additional 1-point gaps. If no encryption is in place at all, the exception does not apply, the full 5 points are lost, and that single gap blocks conditional certification.

These rules apply to both assessment paths. Whether you’re conducting a self-assessment or a C3PAO certification assessment, the POA&M eligibility criteria, the 88-point threshold, and the 180-day closeout window are identical.

Mapping Gaps Before Assessment Day

The gap most organizations face isn’t capability. It’s awareness. Teams don’t map their open items to point values until the assessment is underway, and by then the math is already done.

Here’s what practitioners should do before assessment day:

  1. Score every control: Map all 110 NIST SP 800-171 Rev. 2 controls against the CMMC Scoring Methodology in 32 CFR 170.24. Know which are 1-point, 3-point, and 5-point.
  2. Separate the non-negotiables: The 63 non-POA&M-able controls must be fully met. None of them has a conditional path, with the narrow SC.L2-3.13.11 exception as the only carve-out. If you have gaps in any 3-point or 5-point control, or in any of the six excluded 1-point controls, close them before the assessment.
  3. Calculate your margin: If your remaining gaps are all in POA&M-eligible 1-point controls, count them. If the total exceeds 22 (or 19 with the encryption exception), you won’t meet the 88-point threshold.
  4. Verify your SSP: CA.L2-3.12.4 is the most common blocker. A complete System Security Plan is a prerequisite for the assessment to proceed.
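The four steps above as a runnable check. This is an added example, not code from the original post or from Qmulos: it encodes the 88-point threshold, the 1-point-only rule, the six named exclusions and the SC.L2-3.13.11 exception as the post cites them from 32 CFR 170.21(a)(2), and applies them to a constructed gap list. The control IDs and point values in SAMPLE_GAPS are illustrative inputs; take the real values for every control from the scoring table in 32 CFR 170.24.

```python
"""Level 2 POA&M eligibility and margin check (added example).

Rules encoded, as cited in the post from 32 CFR 170.21(a)(2):
  (i)   score must be at least 0.8 * 110 = 88
  (ii)  only 1-point gaps may sit on a POA&M, except SC.L2-3.13.11 at 3 points
  (iii) six named 1-point controls are never POA&M-eligible
Point values are inputs to this script; SAMPLE_GAPS is a constructed
illustration and must be checked against the 32 CFR 170.24 table before use.
"""
from dataclasses import dataclass

TOTAL_POINTS = 110                      # 110 requirements, 110 points maximum
CONDITIONAL_MINIMUM = 88                # 0.8 * 110, 170.21(a)(2)(i)
MAX_MARGIN = TOTAL_POINTS - CONDITIONAL_MINIMUM   # 22 points of POA&M room
VALID_POINT_VALUES = {1, 3, 5}          # the values the scoring methodology uses

# 1-point requirements that may never be deferred, 170.21(a)(2)(iii)(A)-(F)
NEVER_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
CUI_ENCRYPTION = "SC.L2-3.13.11"        # the one control with a partial-credit exception


@dataclass(frozen=True)
class Gap:
    control: str                         # CMMC practice ID, e.g. "SC.L2-3.13.11"
    points: int                          # full value from the 170.24 scoring table
    encryption_employed: bool = False    # only consulted for SC.L2-3.13.11


@dataclass
class Verdict:
    score: int                           # points retained after all deductions
    poam_items: list                     # gaps that may be deferred to a POA&M
    blockers: list                       # gaps that must be closed before assessment
    conditional_eligible: bool           # no blockers and score >= 88
    margin_remaining: int                # further 1-point gaps the POA&M could absorb


def deduction(gap: Gap) -> int:
    """Points lost for one gap. SC.L2-3.13.11 is worth 5, but if encryption is
    employed and merely not FIPS-validated the methodology deducts 3 instead.
    Every other gap costs its full point value."""
    if gap.points not in VALID_POINT_VALUES:
        raise ValueError(f"{gap.control}: point value must be one of {sorted(VALID_POINT_VALUES)}")
    if gap.control == CUI_ENCRYPTION and gap.encryption_employed:
        return 3
    return gap.points


def poam_eligible(gap: Gap) -> bool:
    """170.21(a)(2)(ii)-(iii): 1-point gaps only, never the six named controls,
    with the single carve-out for CUI encryption scored at 3 points."""
    if gap.control in NEVER_POAM:
        return False
    lost = deduction(gap)
    if gap.control == CUI_ENCRYPTION:
        return lost == 3                 # no encryption at all (5 lost) is a blocker
    return lost == 1


def evaluate(gaps) -> Verdict:
    """Apply the Level 2 conditional-status rules to a set of open gaps."""
    seen = set()
    for g in gaps:
        if g.control in seen:
            raise ValueError(f"duplicate gap for {g.control}")
        seen.add(g.control)
    score = TOTAL_POINTS - sum(deduction(g) for g in gaps)
    blockers = [g.control for g in gaps if not poam_eligible(g)]
    deferrable = [g for g in gaps if poam_eligible(g)]
    margin = MAX_MARGIN - sum(deduction(g) for g in deferrable)
    eligible = not blockers and score >= CONDITIONAL_MINIMUM
    return Verdict(score, [g.control for g in deferrable], blockers, eligible, margin)


# Constructed sample input; point values are illustrative, verify each against 170.24.
SAMPLE_GAPS = [
    Gap("AC.L2-3.1.10", 1),                              # 1-point, deferrable
    Gap("IA.L2-3.5.7", 1),                               # 1-point, deferrable
    Gap(CUI_ENCRYPTION, 5, encryption_employed=True),    # non-FIPS crypto in use: costs 3
    Gap("IA.L2-3.5.3", 3),                               # 3-point: must be closed first
    Gap("CA.L2-3.12.4", 1),                              # SSP, named exclusion: must be closed
]

if __name__ == "__main__":
    v = evaluate(SAMPLE_GAPS)
    print(f"score {v.score}/{TOTAL_POINTS}, conditional eligible: {v.conditional_eligible}")
    print("close before assessment:", v.blockers)
    print("may go on the POA&M:", v.poam_items)
    print("1-point gaps the POA&M could still absorb:", v.margin_remaining)
```

With the sample input the script reports a score of 101 but no conditional eligibility, because IA.L2-3.5.3 (a 3-point gap) and CA.L2-3.12.4 (a named exclusion) are blockers; once those two are closed the same three deferrable items leave 17 of the 22 points of margin, which is the "19 additional gaps" arithmetic from the encryption section with two more 1-point gaps already spent.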

The POA&M closeout timeline adds urgency. Under 32 CFR 170.21(b), every open item must be closed within 180 days of the Conditional CMMC Status Date, confirmed by a closeout assessment. For C3PAO certifications, that closeout must be performed by an authorized C3PAO. For self-assessments, the organization performs its own closeout.

Conclusion

The POA&M rules under 32 CFR 170.21 are precise, public, and non-negotiable. 63 of 110 controls must be met at assessment. Every open item has a 180-day clock.

Assessment day shouldn’t be the first time your team does the POA&M math. Score your controls now. Close the 63 non-negotiables first. Then plan your POA&M around what’s left.

If your team needs help mapping controls to the scoring methodology and identifying non-POA&M-able gaps, visit qmulos.com.

References:

  • 32 CFR 170.21 — Plan of Action and Milestones requirements: ecfr.gov/current/title-32/section-170.21
  • 32 CFR 170.24 — CMMC Scoring Methodology: ecfr.gov/current/title-32/section-170.24
  • 32 CFR 170.16 — Level 2 self-assessment requirements: ecfr.gov/current/title-32/section-170.16
  • 32 CFR 170.17 — Level 2 certification assessment requirements: ecfr.gov/current/title-32/section-170.17
  • CMMC Assessment Guide Level 2 v2.13: dodcio.defense.gov/…/AssessmentGuideL2v2.pdf
  • Hive Systems — POA&M Pitfalls: hivesystems.com/blog/poam-pitfalls
  • CUI Institute — Requirements POA&M’able Under 32 CFR 170: cmmcinfo.org/poamable-requirements

The post Most Teams Learn This at Assessment: 63 Controls Can’t Be Deferred first appeared on Qmulos.

*** This is a Security Bloggers Network syndicated blog from Qmulos authored by [email protected]. Read the original post at: https://www.qmulos.com/most_teams_learn_this_at_assessment-63_controls_cant_be_deferred/?utm_source=rss&utm_medium=rss&utm_campaign=most_teams_learn_this_at_assessment-63_controls_cant_be_deferred