# CMMC Plan of Action & Milestones

> Draft and validate the CMMC POA&M: track control deficiencies, remediation plans, owners, and due dates for Conditional Level 2 or Level 3.



Tags: CMMC, CMMC 2.0, NIST, DoD, Compliance, POA&M


## Example Prompts

- Create a POA&M for our CMMC Level 2 findings with owners and dates
- Validate our POA&M for required fields and ineligible practices
- Update our CMMC POA&M with new remediation milestones

URL: https://rakenne.app/skills/cmmc-poam/index.md

Try this skill: https://rakenne.app/a/?skill=cmmc-poam


## Overview

A POA&M records each CMMC practice assessed as Not Met, the corrective action planned for it, the owner responsible, and the target completion date. This skill drafts that document from assessment findings and validates it against the field and eligibility requirements for a Conditional Level 2 or Level 3 certification. Note that a Conditional certification requires the POA&M to be closed out within 180 days (32 CFR 170.21), so target dates should fall inside that window.

## Getting Started

Add your source materials to the project workspace, then activate the *CMMC Plan of Action & Milestones* skill. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We have CMMC Level 2 assessment findings and need a POA&M. Three practices failed: 3.5.7 (MFA for non-privileged), 3.8.5 (media sanitization), and 3.11.2 (security assessments). Can you draft the POA&M with owners and dates?
>
> **Agent:** I'll create a POA&M with one entry per finding. Each item will have: finding (practice ID and title), remediation plan, owner, target completion date, and risk. Note: 3.12.4 (System Security Plan) cannot be on the POA&M for Level 2 — I'll ensure none of your items reference it.
>
> **Agent:** I've drafted `poam.md` with three items. 3.5.7 — Remediation: Extend MFA to all user accounts per Identification and Authentication policy; Owner: IAM Lead; Target: 30 Apr 2025; Risk: Medium. 3.8.5 — Remediation: Document and implement media sanitization procedure; certify disposal vendor; Owner: IT Operations; Target: 15 May 2025. 3.11.2 — Remediation: Schedule and complete annual security assessment; document scope and findings; Owner: Security Officer; Target: 30 Jun 2025. Should I run the POA&M validator?
>
> **You:** Yes.
>
> **Agent:** *[Runs cmmc_poam_validator]* PASS. All items have owner and remediation language; target dates present; no ineligible practice (3.12.4) on the POA&M.

## Sample Output Excerpt

Below is a representative excerpt from a CMMC POA&M.

---

### POA&M Items

| ID | Practice | Finding | Remediation | Owner | Target date |
|----|----------|--------|-------------|-------|-------------|
| 1 | 3.5.7 | Multifactor authentication not enforced for non-privileged accounts on Contract App. | Enable MFA for all user logons in Contract App; update I&A policy to require MFA for all in-scope systems. | IAM Lead | 30 Apr 2025 |
| 2 | 3.8.5 | Media sanitization procedure not documented; disposal vendor not certified for sanitization. | Document media sanitization procedure; obtain certificate of sanitization from disposal vendor; retain records. | IT Operations | 15 May 2025 |
| 3 | 3.11.2 | Annual security assessment not completed for current assessment period. | Complete internal security assessment; document scope, methodology, and findings; update SSP with assessment date. | Security Officer | 30 Jun 2025 |

*Practice 3.12.4 (System Security Plan) cannot be on the POA&M for Level 2 certification.*


## Built-in Scripts and Validation

The skill includes a validator the agent runs against the POA&M document.

### Validation tools

| Tool | Purpose |
|------|---------|
| **cmmc_poam_validator** | Validates POA&M content for required fields and eligibility. Checks: (1) each item has an owner or responsible party; (2) target or completion date is present; (3) remediation or corrective action language is present; (4) no item references practice 3.12.4 (System Security Plan) — that practice cannot be on the POA&M for Level 2 and must be fully implemented before certification. Returns PASS or FAIL with issues and warnings. Run after each POA&M update. |
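As an added illustration of the checks listed in the table (example code written for this page, not the skill's own cmmc_poam_validator), the script below parses a POA&M in the markdown table layout of the sample excerpt and applies the four checks, plus one the table does not list: whether each target date falls within the 180-day closeout window that a Conditional certification allows. The sample tables, the remediation keyword list, the `conditional_date` argument and the function names are assumptions made for this example; the ineligible-practice set holds only 3.12.4, as on the page, and should be extended from 32 CFR 170.21 for real use.

```python
"""Validate a CMMC POA&M written as a markdown table (added example, not the skill's tool)."""
from datetime import datetime, timedelta

# Constructed sample in the table layout used in the excerpt above. Item 3 is
# deliberately defective: it names the ineligible practice 3.12.4, has no owner,
# and its "remediation" text states no corrective action.
SAMPLE_POAM = """\
| ID | Practice | Finding | Remediation | Owner | Target date |
|----|----------|---------|-------------|-------|-------------|
| 1 | 3.5.7 | MFA not enforced for non-privileged accounts. | Enable MFA for all user logons; update I&A policy. | IAM Lead | 30 Apr 2025 |
| 2 | 3.8.5 | Media sanitization procedure not documented. | Document sanitization procedure; obtain certificate of sanitization. | IT Operations | 15 May 2025 |
| 3 | 3.12.4 | SSP incomplete. | SSP is a work in progress. |  | 30 Jun 2025 |
"""

# Same table with the defective item removed (constructed).
PASSING_POAM = "\n".join(SAMPLE_POAM.splitlines()[:4]) + "\n"

# Practices the page says cannot appear on a Level 2 POA&M. The CMMC rule
# (32 CFR 170.21) excludes further practices; extend this set from it for real use.
INELIGIBLE_PRACTICES = {"3.12.4"}

# Words taken to indicate corrective-action language (assumption for this example).
REMEDIATION_WORDS = ("remediat", "implement", "enable", "document", "complete",
                     "obtain", "configure", "deploy", "update", "install", "replace")

DATE_FORMAT = "%d %b %Y"   # the "30 Apr 2025" style used in the excerpt
CLOSEOUT_DAYS = 180        # Conditional certification closeout window


def parse_poam_table(text):
    """Return one dict per data row, keyed by the lower-cased header cells."""
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]
        elif all(set(c) <= set("-: ") for c in cells):
            continue                      # markdown separator row
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def validate_poam(text, conditional_date, ineligible=INELIGIBLE_PRACTICES):
    """Apply the field and eligibility checks; conditional_date is 'YYYY-MM-DD'."""
    closeout = datetime.strptime(conditional_date, "%Y-%m-%d") + timedelta(days=CLOSEOUT_DAYS)
    issues, warnings = [], []
    for row in parse_poam_table(text):
        item = f"item {row.get('id', '?')}"
        practice = row.get("practice", "")
        if practice in ineligible:
            issues.append(f"{item}: practice {practice} is not eligible for the POA&M")
        if not row.get("owner"):
            issues.append(f"{item}: no owner or responsible party")
        remediation = row.get("remediation", "").lower()
        if not any(word in remediation for word in REMEDIATION_WORDS):
            issues.append(f"{item}: no remediation or corrective-action language")
        date_text = row.get("target date", "")
        try:
            target = datetime.strptime(date_text, DATE_FORMAT)
        except ValueError:
            issues.append(f"{item}: target date missing or not in '{DATE_FORMAT}' form: {date_text!r}")
            continue
        if target > closeout:
            warnings.append(f"{item}: target {date_text} is after the "
                            f"{CLOSEOUT_DAYS}-day closeout ({closeout:%d %b %Y})")
    return {"status": "FAIL" if issues else "PASS", "issues": issues, "warnings": warnings}


if __name__ == "__main__":
    for label, doc in (("defective", SAMPLE_POAM), ("clean", PASSING_POAM)):
        result = validate_poam(doc, "2025-01-15")
        print(label, result["status"], *result["issues"], *result["warnings"], sep="\n  ")
```

Run against the defective sample with a conditional date of 2025-01-15 it returns FAIL with three issues, all on item 3; against the clean table it returns PASS. Eligibility and missing fields are reported as issues, while a target date past the closeout window is only a warning, since the date can be pulled in without changing the finding itself.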


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
