• Blog

POAMs: What They Are and Why You Can Use Them to Achieve CMMC Compliance

If you’re a defense contractor, Plans of Action and Milestones (POAMs) should be part of your compliance strategy. POAMs give organizations a path to compliance that’s specific to the controls that they haven’t met yet. POAMs not only help you direct your efforts, they also allow your organization to bid for contracts before achieving full compliance.
In order to pass CMMC 2.0 and NIST 800-171 audits, you’ll need to have a System Security Plan (SSP). This plan will document the cybersecurity program that’s in place and describe how the 110 controls required for compliance are met.
If you haven’t yet met all of those controls, POAMs can be included to describe how you will meet them in the future. This means you can continue to bid for contracts, and make money, while you’re actively undertaking your compliance journey.
This post will explain how you can use POAMs to make the compliance process less daunting and to divvy up responsibility for action items. If you’re striving for CMMC 2.0 and/or NIST 800-171 compliance, you need to know this.


What is a POAM?

A POAM is a document that identifies security tasks that still need to be accomplished. It details what resources will be required, what milestones must be met, and what the completion dates for those milestones will be.
CMMC 1.0 did not allow contractors to use POAMs. This meant that only contractors who had met all security requirements for compliance would be eligible to bid for defense contracts.
CMMC 2.0 recognizes that such a standard would exclude many SMBs currently in the defense industrial base (DIB). Instead, it allows companies to fill the gaps in their SSPs with time-bound and enforceable POAMs.
This allowance is not a way for companies to skirt compliance requirements. POAMs will expire and organizations will need to follow their plans to satisfy controls by that time, or face consequences. Instead, it is a good-faith admission that getting an organization up to code takes some time. It is a way for companies to break their compliance journeys down into accessible bite-size chunks.

POAM Template: An Example

A typical POAM will detail:

  • The CMMC control for which it applies
  • Person of contact (POC) responsible for actions
  • Planned actions to meet the control
  • Planned Start/ Completion Date
  • Actual Action(s) taken
  • Milestones to Meet
  • Current status

We’ve put together an example to guide you. Here’s what you can expect a POAM to look like.

PreVeil’s POAM

At PreVeil we’re always looking for ways to improve cybersecurity accessibility for SMBs. You deserve security. You deserve it to be easy.
To that end, PreVeil has created a SSP and associated POAM template. This tool takes the guesswork out of planning for organizations using our email and file sharing platform to protect controlled unclassified information (CUI).
PreVeil’s SSP provides a template for the 84 of 110 NIST 800-171 controls that PreVeil supports. It also includes POAMs for the controls which our software does not meet.

Schedule 15 minutes with our Compliance team

Set up a session with PreVeil’s compliance team to learn more about PreVeil’s SSP template. Or set up time to just get your CMMC 2.0, NIST800-171, DFARS 7012, FedRAMP or ITAR compliance questions answered.

Book a Session

Our templates form the framework for your organization’s SSP and POAMs. Simply customize the templates to fit your individual needs, and save hundreds of hours of prep and consultant time. That’s time you can spend doing what you do best – your work.
POAMs are a key tool in a contractor’s compliance journey. Building POAMs into your SSP can make achieving CMMC 2.0 and NIST 800-171 compliance accessible irrespective of your size or budget. Reach out to get a copy of PreVeil’s SSP and POAM template. We can get you started.

Learn more: