
Are You Ready? Understanding CMMC Controls Prohibited from POA&Ms

CMMC Level 2 requires full implementation of specific controls. Learn which ones cannot be deferred in a POA&M and how to prepare for assessment success.

7 min read
Published on Jun 11, 2025

What are CMMC Controls Prohibited from POA&Ms?

One of the most critical parts of getting ready for a CMMC Level 2 certification is knowing which security practices must be completely implemented and “MET” at the time of the assessment. Some of these cannot be deferred to a Plan of Action and Milestones (POA&M). In fact, for Level 1 self-assessments, POA&Ms are not permitted at all.

While POA&Ms are allowed under certain circumstances for CMMC Level 2 and 3 certifications, they are only a temporary fix, and organizations have 180 days to correct deficiencies found during the assessment. It is important to note that some security requirements are considered critical and are explicitly barred from being included in a POA&M for a Level 2 certification. Identifying these controls ahead of time is imperative to avoid surprises during your assessment.

Let’s walk through a few specific security requirements that, if part of your CMMC Level 2 scope, must be fully implemented from the start of your assessment. These are non-negotiable and cannot be included in a POA&M per § 170.21 of the 32 CFR CMMC Program final rule.

Access Control (AC)

  • AC.L2-3.1.20 – External Connections: You must identify, verify, and govern all connections to external information systems, especially those outside your CMMC assessment scope. This includes:
    • Mapping external connections to and from your systems (GCC High folks, this DOES include Cross Tenant Collaboration!)
    • Documenting the business need for each connection or system interaction
    • Enforcing controls to limit access and usage strictly to authorized systems and users

Controls can include technical safeguards such as login requirements, digital certificates, IP address allow-lists, or secure VPN gateways. These are essential not only for limiting access but for maintaining visibility and auditability across your boundary.

This control goes beyond the foundational requirement outlined in SC.L1-3.13.1, which focuses broadly on the protection, control, and monitoring of system boundaries. At Level 2, this guidance drives a deeper emphasis on understanding and managing where and how information leaves your controlled environment.

By establishing and maintaining this level of governance, you help ensure that your organization doesn’t just meet compliance standards—but builds a posture that aligns with strong, practical cybersecurity practices.
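One way to turn the three AC.L2-3.1.20 activities (mapping connections, documenting the business need, enforcing that only authorized systems are reached) into a repeatable check is to reconcile what the boundary actually sees against an approved external-connection inventory. The script below is an added example and is not code from the original post or from Agile IT; the inventory entries, the `key=value` firewall export format, and every address in it are constructed for illustration.

```python
"""Reconcile observed boundary traffic against an approved external-connection inventory.

Added example for AC.L2-3.1.20 (not part of the original post). Assumptions:
- an inventory of approved external connections with a documented business need;
- a constructed firewall export in "key=value" form (field names are made up here);
- internal address ranges listed in INTERNAL_NETS (constructed).
"""
import ipaddress
from dataclasses import dataclass

# Constructed internal address ranges; traffic staying inside them is out of scope.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class ApprovedConnection:
    name: str
    destination: str     # CIDR of the external system (constructed)
    port: int
    business_need: str   # documented justification; empty string means undocumented
    owner: str


# Constructed inventory; "Cloud tenant" deliberately lacks a documented business need.
INVENTORY = [
    ApprovedConnection("Partner SFTP", "203.0.113.0/24", 22,
                       "Contract deliverable exchange", "ops-lead"),
    ApprovedConnection("Cloud tenant", "198.51.100.10/32", 443, "", "it-admin"),
]

# Constructed firewall export lines (documentation-range addresses only).
SAMPLE_LOG = """\
ts=2025-06-11T09:00:01Z src=10.1.2.3 dst=203.0.113.7 dport=22 action=allow
ts=2025-06-11T09:00:05Z src=10.1.2.3 dst=198.51.100.10 dport=443 action=allow
ts=2025-06-11T09:01:10Z src=10.1.2.9 dst=192.0.2.44 dport=443 action=allow
ts=2025-06-11T09:02:00Z src=10.1.2.9 dst=192.168.5.5 dport=445 action=allow
"""


def parse_line(line):
    """Parse one 'key=value key=value' export line into (src, dst, dport)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def is_internal(addr):
    """True when the address falls inside one of the constructed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_approval(dst, dport, inventory):
    """Return the inventory entry that authorizes dst:dport, or None."""
    ip = ipaddress.ip_address(dst)
    for conn in inventory:
        if ip in ipaddress.ip_network(conn.destination) and dport == conn.port:
            return conn
    return None


def reconcile(log_text, inventory=INVENTORY):
    """Return (unapproved connections, approved entries lacking a business need)."""
    unapproved = []
    undocumented = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_line(line)
        if is_internal(dst):
            continue  # internal-to-internal traffic is not an external connection
        approved = find_approval(dst, dport, inventory)
        if approved is None:
            unapproved.append((src, dst, dport))
        elif not approved.business_need.strip():
            undocumented.add(approved.name)
    return unapproved, sorted(undocumented)


if __name__ == "__main__":
    unapproved, undocumented = reconcile(SAMPLE_LOG)
    for src, dst, dport in unapproved:
        print(f"UNAPPROVED external connection: {src} -> {dst}:{dport}")
    for name in undocumented:
        print(f"Approved entry '{name}' has no documented business need")
```

Run against a real export, the two lists map directly to the evidence an assessor asks for: the first is traffic your allow-list or gateway should have blocked, the second is an inventory entry that exists but would fail the "documented business need" examine step.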

  • AC.L2-3.1.22 – Control Public Information: When information is shared publicly, it must be deliberate, reviewed, and approved. You are responsible for controlling what gets posted or processed on publicly accessible systems to ensure Controlled Unclassified Information or other non-public data is never exposed. To maintain and protect sensitive information, follow these guidelines:

    • Designate authorized individuals who are permitted to publish content on public platforms
    • Implement pre-publication review procedures to ensure CUI and proprietary data are not included in public-facing materials
    • Regularly audit publicly accessible content to confirm compliance and detect any unauthorized disclosures
    • Establish rapid response processes to remove content and mitigate risks if CUI is posted in error
    • Maintain an approval trail for all information released on externally facing systems

    The public is not authorized to access CUI or other nonpublic data. Public systems must reflect this boundary clearly. Taking control of your external content is not just about compliance, it is about protecting your customers, your mission, your reputation, and our national security.

Physical Protection (PE)

  • PE.L1-3.10.3 – Escort Visitors: Physical access to your organization is a critical security boundary that is often overlooked simply due to the everyday routines and social norms of human interaction. This control requires that all visitors are escorted while on premises and that they are actively monitored. To meet this requirement, you should:

    • Ensure all visitors are clearly identifiable through badges or other visual indicators
    • Escort all visitors at all times, without exception
    • Monitor visitor activity using methods such as security cameras, on-site personnel, inspection of secure areas after visits, and review of visitor logs

    These measures are designed to prevent unauthorized access to sensitive areas and data. More importantly, this control must be fully implemented at the time of the assessment. Security starts at your door. Consistent enforcement of visitor escorts and monitoring procedures protects your environment and supports compliance with CMMC Level 2.

  • PE.L1-3.10.4 – Physical Access Logs: To meet Level 2, it is imperative that you maintain audit logs of all physical access to sensitive areas, including both authorized personnel and visitors. The goal is straightforward: ensure you have a record of everyone who had access to what, when, and why. This includes:

    • Capturing and retaining access records for sensitive spaces
    • Logging all visitor access with records that show entry, exit, and escort details
    • Documenting your logging method. Whether it is electronic, paper, or a hybrid, it should be done consistently and effectively maintained

    Organizations have flexibility in how they keep access logs, but not in the mandate that they must keep them. Just as in PE.L1-3.10.3, this control must be fully implemented. Physical controls are only as strong as the accountability behind them.
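Whatever logging method you choose, the "review of visitor logs" called for under PE.L1-3.10.3 and the who/what/when/why record required by PE.L1-3.10.4 can be checked mechanically before an assessor does it by hand. The script below is an added example, not code from the original post or from Agile IT; it assumes a visitor log exported as CSV with the columns `visitor, area, entry, exit, escort, purpose` (column names are an assumption) and uses constructed sample rows.

```python
"""Review a physical access log for the record elements PE.L1-3.10.3 and 3.10.4 expect.

Added example (not part of the original post). Assumes a CSV export with the columns
visitor, area, entry, exit, escort, purpose; the column names and all rows below are
constructed for illustration.
"""
import csv
import io
from datetime import datetime

# Constructed sample log: one clean row and three with a missing element each.
SAMPLE_VISITOR_LOG = """\
visitor,area,entry,exit,escort,purpose
J. Doe,Server room,2025-06-11T09:05,2025-06-11T09:40,A. Smith,HVAC inspection
R. Roe,Engineering lab,2025-06-11T10:00,,B. Jones,Vendor demo
K. Poe,Server room,2025-06-11T11:15,2025-06-11T11:30,,Cable delivery
L. Loe,Lobby,2025-06-11T13:00,2025-06-11T13:10,C. Brown,
"""


def parse_ts(value):
    """Parse an ISO-style timestamp; an empty cell becomes None."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def review_log(csv_text):
    """Return a list of (visitor, finding) tuples for rows missing a required element.

    Checks, in row order: escort recorded (3.10.3), entry and exit recorded and
    chronologically sane (3.10.4 "when"), and a purpose recorded (3.10.4 "why").
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        who = row["visitor"]
        if not row["escort"].strip():
            findings.append((who, "no escort recorded"))
        entry, exit_ = parse_ts(row["entry"]), parse_ts(row["exit"])
        if entry is None:
            findings.append((who, "no entry time recorded"))
        elif exit_ is None:
            findings.append((who, "no exit time recorded"))
        elif exit_ < entry:
            findings.append((who, "exit precedes entry"))
        if not row["purpose"].strip():
            findings.append((who, "no purpose recorded"))
    return findings


if __name__ == "__main__":
    for visitor, finding in review_log(SAMPLE_VISITOR_LOG):
        print(f"{visitor}: {finding}")
```

A row with no exit time is the case worth watching: it is either a visitor still on site or a log that was never closed out, and either answer is something the person responsible for the area should be able to explain in the interview step.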

  • PE.L1-3.10.5 – Manage Physical Access: You are required to identify, control, and manage all physical access devices including keycards, physical keys, biometric systems, and any other tools that are used to grant access to secure areas. To do this, you should:

    • Identify all physical access devices in use across the environment
    • Control and track who has access and under what conditions
    • Manage the lifecycle of access, including revoking access when roles change, employees depart, or risk is identified
    • Maintain and test access control systems to make sure they work properly
    • Change locks or credentials as needed to respond to organizational changes

    Again, this is a hard requirement for Level 2. It must be fully implemented and operational at the time of your assessment. Managing physical access is more than compliance, it is about maintaining control of your environment and minimizing exposure to both internal and external threats.

How to Ensure You’re Ready

Since these practices cannot be left for remediation on a POA&M for Level 2 certification, ensuring they are fully “MET” prior to your assessment is non-negotiable. To help you prepare, focus on the three assessment methods used by assessors: Examine, Interview, and Test.

1. Examine Documentation

Make sure your policies, procedures, and records are complete, current, and accessible. At a minimum, have documentation for:

  • Access control policies and procedures
  • Public posting procedures and review logs
  • Physical access policies, visitor logs, and audit trails
  • Authorized user/device lists
  • Control and management of physical access devices
  • Controls for external system connections

While a System Security Plan (SSP) isn’t required for a Level 1 self-assessment, it is required for Level 2 certification and serves as a central source for many of these requirements. Keep in mind: CA.L2-3.12.4 (System Security Plan) cannot be on a POA&M.

2. Interview Personnel

Assessors will want to speak with the people doing the work. Make sure key personnel, such as IT admins, security staff, and those responsible for managing public content and physical access, can confidently explain how they follow documented procedures and enforce the required controls day to day.

3. Test / Observe Implementation

Be ready to show your controls in action. This might include:

  • Walking through your physical access log or visitor check-in process
  • Demonstrating how access badges are issued or revoked
  • Reviewing the approval workflow for public information posting
  • Showing how connections to external systems are authorized and monitored

Final thoughts

For organizations seeking CMMC Level 2 certification, it is vital to proactively implement and verify that controls such as AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L1-3.10.3, PE.L1-3.10.4, and PE.L1-3.10.5 are fully operational and can be demonstrated during an assessment. Because these specific practices are prohibited from POA&Ms at this level, any deficiencies found would result in a “NOT MET” finding that cannot be remediated via a POA&M, and CMMC at Level 2 would not be achieved. Thorough documentation, knowledgeable personnel, and demonstrable implementation are key to ensuring you are ready.

Documentation matters, people must know their roles, and your controls must work as designed. Let’s make sure you are ready! Don’t wait for an assessor to find the gaps—get ahead of them. If you’re preparing for CMMC Level 2 certification, now is the time to validate your documentation, train your teams, and test your controls.

Need a second set of eyes? Agile IT’s compliance experts can help you assess your readiness, close gaps, and ensure nothing critical is left to chance.

Contact us today to schedule a readiness review or control validation session. Let’s get you across the finish line with confidence.
