POAMS and CMMC
By Sese Bennett
December 19, 2022
The use of POAMs are ubiquitous in the world of cybersecurity. As we get closer to the release of CMMC 2.0, many are wondering about POAMs and their significance in CMMC assessments. Providing a clear answer is difficult, but in this article, we will attempt to shed some light on the expected standards regarding POAMs and CMMC.
The National Institute of Standards and Technologies (NIST) defines a Plan of Action and Milestone (POAM) as “A document for a system that “identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”
POAMs are used across many different groups in an organization including IT, risk management, governance, risk, and compliance. POAM also applies to the CMMC ecosystem, including Organization Seeking Certification (OSC). As OSCs prepare for a CMMC certification assessment, they must consider any existing POAMs that currently have, understand how CMMC 2.0 defines acceptable POAM criteria, and how POAMs impact certification efforts.
How Does CMMC Define POAM?
CMMC defines a POAM as a document to remediate deficiencies and the respective timeframe for doing so. “The POAMs purpose is to identify, assess, prioritize, and monitor the progress of corrective efforts for security weaknesses found in an organization’s programs and systems.” (CAP)
The legitimacy and validity of a prospective POAM will be decided by the Lead Assessor at the time of assessment closeout. The CAP provides a list of criteria that must be included in a credible and effective POA&M
Why are POAMs So important to CMMC?
POA&M’s can make or break an assessment. Understanding a few key requirements will help you navigate the use of POA&M’s during your CMMC assessment. CMMC 2.0 was revised to make accreditation obtainable in situations where certain POA&Ms may be necessary. However, it is important to keep in mind that not all practices will be eligible for a POA&M. According to the CMMC Assessment Plan (CAP) version 1.0 (https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf) the following points must be considered when discussing POA&M’s:
- CMMC will allow conditional use of Plans of Action and Milestones (POA&M) to remediate practices that are not fully or successfully implemented.
- POA&Ms will be strictly time-bound with a validity period of no more than 180 days from the Assessment Final Recommended Findings Briefing (Phase 3).
- POA&Ms will not be allowed for the highest-weighted CMMC requirements (currently understood to be level 5 requirements
- The Department of Defense has established a minimum-score requirement to support Certification.
- The Certified CMMC Assessor will validate the following criteria for an OSC to satisfy the requirements for receiving a CMMC Level 2 Conditional Certification:
- 80% of all CMMC Level L2 practices scored “MET” (Current CMMC L2 scoring would result in 88/110 Practices must be found as “MET”). In addition to that minimum score, “If any, practices on the POA&M Review fail to result in a score of ‘MET’, the Lead Assessor will recommend the OSC NOT be recommended for a CMMC Level 2 Final Certification”.
- All POA&M items must meet the criteria in Appendix K, “CMMC Scoring with DoD Assessment Scoring Methodology” (Appendix K -TBD)
Cybersecurity is an ever-evolving organism and POA&M’s can be expected as new procedures and tools are implemented. CMMC will allow POA&M’s on a conditional basis, however, POA&M’s will not be allowed for the highest-weighted CMMC requirements. Also, to qualify for the POA&M process, a minimum score must be met (88/110 or 80%) and all qualified POA&Ms require remediation within 180 days.
The CMMC 2.0 POAM process makes CMMC Certification far more attainable than the previous model. This allows OSCs to mitigate less severe issues within their CMMC environment and continue their CMMC certification journey.
Other aspects of POAMs are still being finalized. PGS will keep you up to date as these aspects are finalized, but it is safe to say that minor updates and enhancements should be expected until CMMC’s final rulemaking is complete.
Here at Provincia Government Solutions, we believe knowledge is power. We make sure to stay informed regarding all things CMMC and pass this expertise on to you. We are here to help you earn your CMMC 2.0 certification. Your success is our success.
We will continue our CMMC theme with “Am I ready for CMMC”. We will discuss the most important things to consider before diving in to a CMMC assessment.
Be sure to subscribe to our blog and check out our podcast for more in depth discussion of all things cybersecurity.
Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you are on the path to success!
Until then, be safe and stay secure!
Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at email@example.com to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!
Subscribe to our Blog!
Be The First
When New Blog Content is Published
Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified HUBZone small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.