
What is a POAM

Defense contractors seeking compliance with CMMC/NIST 800-171 must have a System Security Plan (SSP) that spells out the technologies, policies and procedures they are implementing to meet the NIST standard. At the same time, they must create Plans of Action & Milestones (POAMs) to identify and track remediation for unmet controls in their SSP.

Note that POAMs are not a loophole out of compliance. They buy you time to meet unmet controls, but in the end, you still need to meet them.

Defense contractors must conduct a self-assessment against the 110 NIST 800-171 controls and document their findings in the SSP. They must also create a POAM for any unmet NIST 800-171 control, detailing the resources and timeline for achieving compliance.

Current Department of Defense (DoD) regulations don't specify a time limit by which an unmet control must be met (that is, when the POAM must be closed). That is going to change under CMMC, where contractors are expected to have 180 days to close those gaps. More on this below.

Cybersecurity Maturity Model Certification (CMMC) is expected to start appearing in defense contracts in early 2025. CMMC imposes restrictions on the use of POAMs to achieve CMMC certification:

  • No POAMs will be permitted for defense contractors required to achieve CMMC Level 1. Contractors that handle Controlled Unclassified Information (CUI) and are subject to NIST 800-171 must achieve at least CMMC Level 2. POAMs will be permitted at CMMC Level 2, but only for some one-point controls in NIST 800-171. With one exception (SC.L2-3.13.11, CUI encryption, when it is scored at three points because encryption is in place but not yet FIPS-validated), POAMs will not be permitted for any three- or five-point controls, which are some of the hardest requirements to meet.
  • Contractors can proceed with Level 2 certification only if, at their initial third-party CMMC assessment, they 1) meet at least 80% of the NIST 800-171 controls (which CMMC Level 2 requirements mirror), that is, score at least 88 of 110 points under the DoD assessment methodology, and 2) every control not met at that assessment is one that may be placed on a POAM.
  • Finally, POAMs will be time-bound under CMMC. Defense contractors will have 180 days to close out the POAMs in their SSP. If you miss that deadline, you will have to go back to the drawing board and start the CMMC certification process over. Given that hard deadline, your best bet is to close out as many of your POAMs as possible before contacting a C3PAO (CMMC Third Party Assessment Organization) to conduct your CMMC assessment. Note that it will be up to your C3PAO to approve your use of POAMs to achieve compliance; if you're too far off target, you may not get that go-ahead.

DoD’s allowance for POAMs is a good-faith admission that getting an organization to compliance takes time and effort. POAMs offer a way for organizations that have achieved most of their compliance objectives to remain competitive for contracts while they finish closing out their last few POAMs. They are not a way out of compliance.

POAMs and CMMC Level 2: Three things you should know

#1. POAMs are allowed only for some 1-point NIST 800-171 controls (which CMMC Level 2 requirements mirror) and not for any 3- or 5-point controls, with just one exception.

#2. All POAMs will need to be closed out within 180 days or you’ll need to start the CMMC certification process over again.

#3. POAMs buy you time, but they’re not loopholes—in the end, to be CMMC Level 2 certified, your organization will need to meet all 110 NIST 800-171 security controls.
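To make the three rules above concrete, here is a small tracker, written for this post and not part of PreVeil's template, that scores an open POAM list, checks the two gating conditions (the 88-point threshold and the rule that only eligible controls may be on a POAM) and reports how much of the 180-day window remains. It assumes the DoD Assessment Methodology scoring (110 minus each unmet control's 1-, 3- or 5-point weight), that the 180-day clock starts on the conditional certification date, and that SC.L2-3.13.11 scored at 3 is the one allowed exception; the sample POAM entries, point weights and dates are constructed for the example and should be checked against the current scoring annex before reuse.

```python
"""Track NIST SP 800-171 POAM items against the CMMC Level 2 gating rules.

Assumptions (this is an added example, not the post's or PreVeil's code):
  - Scoring follows the DoD Assessment Methodology: start at 110 and
    subtract each open (unmet) control's weight of 1, 3 or 5 points.
  - The 80% threshold for Level 2 is a score of at least 88 (ceil(0.8 * 110)).
  - Only 1-point controls may sit on a POAM, except 3.13.11 scored at 3.
  - The 180-day POAM window starts on the conditional certification date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_SCORE = 110
MIN_SCORE = 88                       # 80% of 110, rounded up
POAM_WINDOW = timedelta(days=180)
POAM_EXCEPTION = ("3.13.11", 3)      # FIPS-validated crypto not yet in place


@dataclass
class Poam:
    control: str            # NIST SP 800-171 requirement, e.g. "3.5.3"
    points: int             # weight deducted while the control is unmet
    poc: str                # person responsible for closing the item
    opened: str             # ISO date the gap was recorded
    closed: Optional[str] = None   # ISO date the control was met, if any

    @property
    def is_open(self) -> bool:
        return self.closed is None


def build_sample_poams() -> List[Poam]:
    """Constructed sample data; weights are the published ones for these controls."""
    return [
        Poam("3.1.22", 1, "web lead", "2025-01-10"),               # public content control
        Poam("3.1.20", 1, "network lead", "2025-01-10"),           # external connections
        Poam("3.13.11", 3, "crypto lead", "2025-01-10"),           # allowed exception
        Poam("3.2.1", 3, "training lead", "2025-01-10"),           # NOT POAM-eligible
        Poam("3.5.3", 5, "IdP lead", "2025-01-10", closed="2025-02-20"),  # MFA, done
    ]


def assessment_score(poams: List[Poam]) -> int:
    """110 minus the weight of every still-open item."""
    return MAX_SCORE - sum(p.points for p in poams if p.is_open)


def poam_eligible(p: Poam) -> bool:
    """Only 1-point controls, plus 3.13.11 at 3 points, may be on a POAM."""
    return p.points == 1 or (p.control, p.points) == POAM_EXCEPTION


def level2_eligibility(poams: List[Poam]) -> Dict:
    """Both gating conditions must hold for the C3PAO to accept the POAMs."""
    score = assessment_score(poams)
    ineligible = [p.control for p in poams if p.is_open and not poam_eligible(p)]
    return {
        "score": score,
        "meets_threshold": score >= MIN_SCORE,
        "ineligible_open": ineligible,
        "can_proceed": score >= MIN_SCORE and not ineligible,
    }


def close_poam(poams: List[Poam], control: str, on: str) -> None:
    """Record that a control was met; it stops counting against the score."""
    for p in poams:
        if p.control == control:
            p.closed = on


def poam_status(poams: List[Poam], certified_on: str, today: str) -> Dict:
    """Deadline and remaining days for the 180-day window; open items past it are overdue."""
    deadline = date.fromisoformat(certified_on) + POAM_WINDOW
    remaining = (deadline - date.fromisoformat(today)).days
    overdue = [p.control for p in poams if p.is_open and remaining < 0]
    return {"deadline": deadline.isoformat(), "days_remaining": remaining, "overdue": overdue}


if __name__ == "__main__":
    items = build_sample_poams()
    print(level2_eligibility(items))               # blocked by the open 3.2.1 item
    close_poam(items, "3.2.1", "2025-05-15")
    print(level2_eligibility(items))               # now eligible
    print(poam_status(items, "2025-03-01", "2025-06-01"))
```

Run as-is, the first report shows a passing score (102) but an open 3-point item, so the contractor cannot proceed; closing that item before the assessment is what unblocks it, which is the point of treating the POAM as a roadmap rather than a parking lot.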

To be as effective and useful to a C3PAO as possible, POAMs should include the following essential elements:

  1. The NIST 800-171 control to which the POAM applies – The specific NIST control and assessment objective that the contractor is not currently meeting.
  2. Point of contact (POC) responsible for actions – The person(s) responsible for ensuring the POAM is remediated.
  3. Actions and resources needed for remediation – The actions and resources needed to close the gap; the resources may be technologies or individuals.
  4. Intended action start and completion dates – The dates on which the contractor intends to start and finish resolving the POAM.
  5. Actual action(s) taken – A listing of the actions taken so far to close the gap.
  6. Milestones to meet – The interim steps, each with a target date, that mark progress toward closing the POAM.
  7. Current status of efforts to meet the control – Where the contractor currently stands in remediating this POAM.

Below is an example of how to write a POAM. You can make your POAM more complex, but a basic POAM should contain these seven key elements:

Sample remediation plan for NIST 800-171 control 3.5.3 (multifactor authentication)

PreVeil has created a POAM template to help defense contractors. PreVeil's POAM template for SSPs shows how controls that PreVeil doesn't support can be met.

Recall that under CMMC, POAMs will be accepted only for eligible 1-point controls. Any POAMs PreVeil provides for ineligible controls are solely to guide your compliance preparations. Further, you should strive to close your POAMs even for the 1-point controls prior to assessment, to have the best chance of success in the process.

PreVeil's POAM template is far more detailed, and therefore far more useful, than the basic template shown above. For example, the POAM template for AC.L1-3.1.22 (Access Control), which stipulates that information posted on or processed on publicly accessible information systems must be controlled, lists each of the eight assessment objectives associated with that control. The objectives guide you through each step it takes to meet the control. And rather than just seven columns, the template has 17 columns, so you can keep all the information you need in one place while closing out the POAM and documenting it.

Finally, PreVeil’s POAM template allows you to track all your POAMs in one central place—and keep a running tally of your improving assessment score as you close out the POAMs.


POAMs can be helpful for contractors that have made a good faith effort to meet NIST 800-171 and CMMC Level 2 requirements, but still need time to fully meet some 1-point controls. POAMs grant you an extension, but your best strategy should be to think of POAMs primarily as a roadmap to closing out controls.

Contact PreVeil for a copy of our complete POAM template.




*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP. Read the original post at: https://www.preveil.com/blog/what-is-a-poam/