On November 10, 2026, a third-party assessment becomes a condition of contract award for defense contractors that handle Controlled Unclassified Information (CUI). Many small businesses are counting on a Plan of Action and Milestones (POA&M) to carry them across the line with a few gaps still open. That works, but only within strict limits, and the limits are where most owners get surprised.
What a conditional certification actually is When a Certified Third-Party Assessment Organization (C3PAO) assesses you against the 110 requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, you can still earn a Conditional CMMC (Cybersecurity Maturity Model Certification) Level 2 status without a perfect score. Two things have to be true. Your score has to be at least 80 percent, which is 88 of the 110 requirements met. And every remaining gap has to be eligible to go on a POA&M. If both hold, you receive Conditional status and a 180-day clock to close the plan and pass a closeout assessment. Miss the 180 days and the conditional status expires.
The part owners miss: only 1-point gaps can be deferred The CMMC scoring methodology weights each requirement at 1, 3, or 5 points based on how much risk it carries. The POA&M rule is blunt: only 1-point requirements are eligible. Anything worth 3 or 5 points must be fully met at the time of assessment. There is exactly one narrow exception. The requirement to encrypt CUI with FIPS-validated cryptography may sit on a POA&M only if encryption is already in place but not yet Federal Information Processing Standards (FIPS) validated. Everything else worth more than a point is pass-or-fail on assessment day.
The controls you have to have working, not planned The 5-point requirements are exactly the ones a small shop is most likely to leave for last. A few that must be operating before your assessor arrives:
- \1
- \1
- \1
- \1
- \1
- \1
If any of these is a 3 or 5-point gap on assessment day, you do not get a conditional pass to fix it later. You fail that requirement, and depending on your total score you may fail the assessment.
Why this changes your timeline, not just your checklist The practical effect is simple. You cannot treat the hard, expensive controls as the ones you will finish during the 180 days. That window is for the small, 1-point items only. The multifactor rollout, the FIPS-validated cryptography, the segmentation, and the monitoring all have to be done and evidenced before the C3PAO shows up. This is why readiness work starts months ahead of an assessment, not weeks. The gap you can defer is the cheap one. The gaps that take real engineering are the ones the rule refuses to let you defer.
What to do now, with the deadline four months out 1. Score yourself honestly against all 110 requirements and record the point weight of every gap. 2. Separate your gaps into two piles: the 1-point items that are POA&M-eligible, and everything worth 3 or 5 points that must be met. 3. Put every 3 and 5-point gap on a hard schedule to be complete and evidenced before your target assessment date. 4. Confirm your encryption is FIPS-validated, not merely present. This single item trips up more small contractors than any other.
A Plan of Action and Milestones is a real tool, but it is a narrow one. It buys you time on the small things and nothing on the big ones. Know which is which before you book the assessment, not after.
Four months to the November 2026 deadline
Adams Cloud helps small defense contractors in San Diego County and beyond get assessment-ready: an honest score against all 110 requirements, a plan that separates what you can defer from what you cannot, and remediation on the controls that must be met. Veteran owned, fast turnaround.
Book a free consultation at https://adamscloudcyber.com