3.12.2 — Track Every Gap

What It Says

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

What It Actually Means

Every known security gap — from self-assessments, vulnerability scans, incident lessons learned, or third-party audits — must be tracked in a Plan of Action & Milestones (POA&M). Each entry needs: the deficiency, the responsible owner, specific remediation steps, milestones, target completion date, and resource allocation. The POA&M is a living document reviewed regularly. An empty POA&M is suspicious — every organization has gaps.

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are deficiencies and vulnerabilities identified?	Documented gaps from assessments, scans, and audits
2	Is a plan of action developed?	POA&M with entries for each gap: owner, steps, milestones, target date
3	Is the plan implemented?	Evidence of remediation progress: closed items, updated milestones, active work

What to Have Ready on Assessment Day

Documents they’ll review: Security assessment policy; POA&M with open and closed items; evidence of remediation; milestone tracking records; system security plan

People they’ll talk to: Personnel with security assessment responsibilities; information security personnel; management with oversight

Live demos they’ll ask for: “Show me your POA&M. How many open items?” “Pick one — who owns it? What’s the target date?” “Show me items closed in the past six months.”

The Assessor’s Playbook

These are the actual questions. Have answers ready.

“Show me your POA&M. How many open items?”
“Pick an item — who owns it? What’s the target date?”
“Show me items that have been closed. How were they verified?”
“How often is the POA&M reviewed?”
“Are there any overdue items? What’s the plan?”

A defense contractor maintains a POA&M spreadsheet reviewed monthly by the IT Security Lead and quarterly by the CEO. Currently 8 open items: two from the annual self-assessment (MFA enforcement for a legacy application — target Q2; insider threat training module update — target Q1), three from vulnerability scans (medium-severity findings with 90-day remediation windows), and three from the last tabletop exercise. Each entry has: finding description, severity, owner name, remediation steps, milestones, target date, and current status. Five items have been closed in the past six months — each with closure evidence (configuration screenshot, scan showing resolution). The assessor reviews the POA&M, checks that entries have owners and target dates, and verifies closed items.

Where Companies Trip Up

No POA&M. Gaps acknowledged informally but not tracked. Create and maintain a POA&M.

Empty POA&M. Zero entries — either you haven’t looked for gaps or you’re hiding them. Every org has gaps. An empty POA&M is a red flag.

Stale entries. Target dates passed months ago with no updates. Review monthly and update milestones. Overdue items need explanation and revised timelines.

How to Talk About This

Connected Requirements

Requirement	Why it matters here
3.12.1 — Test Your Controls	Self-assessments generate POA&M entries
3.11.3 — Fix What You Find	Vulnerability remediation tracked via POA&M
3.11.1 — Assess Your Risks	Risk assessment findings feed the POA&M

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

CMMC Practice ID: CA.L2-3.12.2 | SPRS Weight: 3 points | POA&M Eligible: No