.svg){kind=logo}
The week before the C3PAO assessment, a compliance lead and program manager reviewed the System Security Plan. The SPRS score was submitted. The POA&M had eight open items, tracked in a spreadsheet since March. Two were Access Control practices. Three were in the Identification and Authentication family. The feeling in the room: we are close, these are cleanup items, we will handle them after the assessment wraps.
What changes when you understand 32 CFR Part 170 is that those cleanup items are now a formal federal commitment.
The moment Conditional CMMC Status is granted, a 180-day clock starts. A mandatory confirmation assessment gets scheduled. Loss-of-status consequences attach to every open item on that list. The POA&M that entered the room as an internal tracking document has become a live contract with a federal deadline. Most contractors who arrive at assessment with open items have planned for one C3PAO engagement. The 180-day rule means some of them are implicitly committed to two.
This post explains how the Conditional Status threshold works, which practices are and are not eligible for POA&M deferral, and how the 180-day closeout window maps against the contract timeline. Understanding these before the assessment begins changes the shape of the risk.
Conditional CMMC Status is a distinct status category, not a pass with footnotes. It is granted when a contractor completes a C3PAO assessment with open POA&M items, subject to eligibility conditions defined in 32 CFR Section 170.21.
To achieve Conditional Status at CMMC Level 2, your final assessment score must be at least 80% of the maximum possible score. The CMMC scoring methodology in 32 CFR Section 170.24 assigns specific point values to each practice. The maximum possible score is 110 points. A score of at least 88 points is required for Conditional Status. Because practices carry different point values, this is not simply a count of practices passed. A small number of high-weight unmet practices can push a score below 88 points even if most practices are met.
The POA&M closeout assessment must be completed within 180 days of the Conditional CMMC Status Date. That clock runs from the date the C3PAO assessment concluded with Conditional Status granted. Not from contract award. Not from when remediation work begins. Not from when the contracting officer is notified. If the POA&M is not successfully closed within that window, Conditional Status lapses. There is no extension. There is no warning before the deadline passes. There is no grace period.
Most contractors have planned for one C3PAO engagement in their CMMC timeline. The 180-day rule means some of them are carrying an implicit second engagement that they have not scheduled and may not have time to fit inside the closeout window, given current C3PAO scheduling lead times.
This is where a poorly structured POA&M creates risk beyond the score threshold. The 180-day window is only available for items that qualify under 32 CFR Section 170.21.
POA&M-eligible practices are those scored as NOT MET with an assigned point value of 1 under the CMMC Scoring Methodology in 32 CFR Section 170.24. There is one named exception: SC.L2-3.13.11 (CUI Encryption) may be included on a POA&M despite its higher point value. Every other higher-weight practice must be fully met at the time of assessment. It cannot be deferred.
Return to the compliance lead's spreadsheet. Two Access Control practices are listed as in progress. Several Access Control and Identification and Authentication practices from NIST SP 800-171 Rev 2 carry point values above 1. An unmet practice at that weight is not POA&M-eligible. It must be met before the assessment concludes or the assessment does not produce a passing result. A contractor who lists those practices as open items and expects to carry them forward is working from a misread of 32 CFR Section 170.21.
A 220-person defense services firm entered C3PAO assessment in June 2025 with nine open items. Seven were eligible for POA&M deferral. Two were Access Control practices with point values above 1. Those two had been listed as in progress in the SSP for months. The assessment flagged them as NOT MET. Because those practices were not POA&M-eligible, the assessment did not produce Conditional Status. It produced a final score below the 88-point threshold. A full reassessment was required.
The contractor lost six months and had to rebook from the back of the queue. That outcome was visible in the POA&M structure weeks before the C3PAO walked in. A pre-assessment evidence review would have flagged the two ineligible items and prompted remediation before the assessment began. The gap between 'we will handle it after' and 'we should have handled it before' was four C3PAO billing weeks and a scheduling queue re-entry.
A POA&M that cannot answer yes to all three on every open item is carrying risk that has not been priced into the planning.
A contractor who completes this review before the assessment begins arrives with a POA&M that contains only eligible items, each with a built evidence package and a remediation milestone that fits comfortably inside the 180-day window. The C3PAO assessor will confirm what the pre-assessment review already established. The 180-day clock starts on firm ground, not on open questions.
The contractors who miss this step do not usually discover the problem during the assessment. They discover it afterward, when the closeout assessment is scheduled and the evidence package for an item that was supposed to be almost done turns out to be incomplete. By then, the 180-day clock is already running.
If the POA&M closeout assessment is not completed within 180 days of the Conditional CMMC Status Date, Conditional Status lapses. There is no extension and no warning before the deadline. A contractor who loses Conditional Status must restart the C3PAO assessment process to re-establish CMMC Level 2 eligibility, which creates direct contract risk under DFARS 252.204-7021 for contracts requiring that certification level.
Per 32 CFR Section 170.21 and the CMMC Scoring Methodology in Section 170.24, POA&M deferral is limited to practices with an assigned point value of 1. The sole named exception is SC.L2-3.13.11 (CUI Encryption). Higher-weight practices, including many in the Access Control and Identification and Authentication families from NIST SP 800-171 Rev 2, must be fully met at the time of assessment. They cannot be listed as open items and carried forward.
The clock starts at the Conditional CMMC Status Date, which is the date the C3PAO assessment concluded with Conditional Status granted. It does not start at contract award and does not start when remediation work begins. Contractors who plan remediation timelines around contract milestones rather than the assessment date frequently discover they have less runway than expected.
No. The POA&M closeout for a CMMC Level 2 certification path requires a formal C3PAO-conducted assessment confirming that every open item has been resolved. Internal documentation and self-attestation do not satisfy this requirement. The closeout is subject to C3PAO scheduling availability, which is why booking the closeout slot should happen before the initial assessment concludes, not after.
For contractors with five or more open POA&M items, a pre-assessment evidence review should begin at least 90 days before the scheduled C3PAO assessment date. This allows time to identify ineligible items, build missing evidence artifacts, and adjust remediation milestones before the assessment clock starts.
The pre-assessment POA&M review belongs 90 days before the C3PAO walks in, not the week after they leave. InterSec's pre-assessment reviews run the eligibility check on every open POA&M item, flag the practices that must be closed before assessment day, and build the evidence packages for items that will carry into the 180-day closeout window.
Contact InterSec to schedule a pre-assessment POA&M review before your C3PAO engagement.
Expert Cybersecurity Solutions for Federal, State and Commercial Organizations
