Assessments — Official DoD FAQ

What Is the Difference Between an Operational Plan of Action (OPA) and a POA&M?

Source: DoD CIO CMMC FAQs v5 (C-Q9)

An Operational Plan of Action (OPA) documents known risks and planned mitigations during normal operations. A Plan of Action and Milestones (POA&M) is specific to CMMC assessments and documents security requirements that were not fully met at the time of assessment, with a plan to remediate within 180 days.

OPA vs POA&M: Two Different Documents

These are frequently confused but serve very different purposes in the CMMC ecosystem.

Plan of Action and Milestones (POA&M)

  • Purpose: Documents unmet CMMC requirements at assessment time
  • When used: During and after a CMMC assessment
  • Timeline: Must be closed within 180 days
  • Consequence: Failure to close = loss of CMMC status
  • Scope: Only for non-critical requirements

Operational Plan of Action (OPA)

  • Purpose: Documents ongoing operational risks and mitigations
  • When used: Continuously during normal business operations
  • Timeline: Ongoing — no fixed deadline
  • Consequence: Part of good security practice, tracked in your risk management process
  • Scope: Any identified risk, not limited to CMMC requirements

Key Distinction

The OPA is part of your continuous risk management process under CA.L2-3.12.2. It tracks things like planned system upgrades, temporary vulnerabilities during maintenance windows, and known risks with accepted mitigations. The POA&M is a CMMC-specific compliance document with hard deadlines and consequences for non-completion.
