A Plan of Action and Milestones, or POAM, is defined by NIST as a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones”.
When your organization is working towards NIST 800-171 compliance, there may be unmet requirements. A POAM is necessary in order to plan for and complete the necessary remediation.
Read on to learn more about how POAMs fit into CMMC 2.0 and the steps required to develop a POAM.
POAMs and CMMC 2.0
Previously, under the initial CMMC framework, POAMs were not allowed. You either met all requirements or you didn’t. Under the updated CMMC 2.0, POAMs are permitted on a “limited use” basis.
The DoD anticipates a 180-day timeline to resolve a POAM. Additionally, of the 110 controls in NIST 800-171 and CMMC Level 2, POAMs for the highest-weighted requirements are likely not permitted. This means that almost 40% of the requirements in NIST 800-171 and CMMC Level 2 cannot be deferred to a POAM and must be met at the time of assessment.
Developing A POAM
Usually, organizations will undergo an internal audit or external assessment, like SSE’s Gap Assessment, to identify and document gaps in their compliance.
A POAM will contain the following information:
- The area(s) of non-compliance with NIST 800-171
- The area(s) of the organization responsible for the system or network vulnerability
- The resources needed to solve the vulnerability
- Key project milestones with deadline dates
- The final date for becoming compliant
- The status of the improvement project
The final document is usually maintained as a spreadsheet and should be updated continuously until every open item has been resolved.
Work With SSE
At SSE, we know these evolving requirements can feel overwhelming. As a Registered Provider Organization with the CMMC Accreditation Board, we are up to speed on the latest changes. As a DoD Contractor ourselves, we have the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.
Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment with our team now!