If you’re a defense contractor seeking compliance with NIST 800-171, then you need to know how System Security Plans (SSPs) and Plans of Actions & Milestones (POAMs) will factor into your compliance journey. SSPs will document how your organization is meeting the 110 NIST controls while POAMs will describe your organization’s plan to meet controls that are currently unmet. POAMs are designed to help you direct your efforts.
POAMs are not a loophole out of compliance. You should think of them as a possible contingency plan if you’re very close to compliance at the time of assessment but not quite there yet. Here’s how POAMs work.
Each of the 110 controls is worth 1,3, or 5 points. If you have met 88 of the required 110 controls and the remaining 22 controls are mostly completed, you may be eligible to use POAMs.
POAMs will only be available for select 1-point controls, not the more involved 3 and 5 point controls, so those higher point controls must be entirely complete at the time of assessment. Further, the Certified Third Party Organization (C3PAO) completing your assessment must sign off on the unmet controls being accepted as POAMs. What can and cannot be POAMed is up to the discretion of the C3PAO assessing you.
If you are approved for POAMs, you still can’t sit back. All POAMs must be closed within 180 days. Thus POAMs are there to soften the hard edges of your path to compliance, not provide any shortcuts.
What is a POAM?
A POAM is a document that identifies security tasks that still need to be accomplished in order to meet a control. It details what resources will be required, what milestones must be met, and what the completion dates for those milestones will be. POAMs are useful tools to plan your compliance journey as you work towards achieving CMMC, but you should strive to close them all out by the time of assessment.
CMMC 1.0 did not allow contractors to have any open POAMs at the time of assessment. This meant that only contractors who had met all security requirements for compliance would be eligible to bid for defense contracts.
CMMC 2.0 recognizes that such a standard would exclude many SMBs currently in the defense industrial base (DIB). Instead, it allows companies to fill the gaps in their SSPs with time-bound and enforceable POAMs for eligible 1-point controls, with their C3PAO’s approval.
This allowance is not a way for companies to skirt compliance requirements. POAMs will expire after 180 days and organizations will need to follow their plans to satisfy controls by that time, or face consequences. Further, POAMs are only available for select 1-point controls, not for any of the more time-consuming 3 and 5 point controls. Lastly, controls for which POAMs are submitted should be mostly complete and can be rejected if they are not close enough for a C3PAO’s approval.
The allowance for POAMs is a good-faith admission that getting an organization up to code takes some time. It is a way for companies who have achieved most of their compliance objectives to remain competitive for contracts while they finish closing out their last few controls. It is not a way out of compliance.
How to write a POAM: The key elements
To write a POAM, you’ll need to include all the information that auditors will look for when assessing your organization. The essential elements of a POAM are:
- The CMMC control for which it applies,
- the person of contact (POC) responsible for actions
- the planned actions to meet the control
- the planned start/completion dates
- the actual action(s) taken
- the milestones to meet
- and the current status
We’ve put together an example to guide you. Here’s what you can expect a POAM to look like.
PreVeil’s POAM
PreVeil has created a SSP and associated POAM template to help. These docs take much of the guesswork out of planning for organizations using our email and file sharing platform to protect controlled unclassified information (CUI).
PreVeil’s SSP provides a template for the 102 of 110 NIST 800-171 controls that PreVeil supports. It also includes POAMs for the controls which our software does not support.
Note that POAMs will only be accepted for eligible 1-point controls. Any POAMs PreVeil provides for ineligible controls are solely to guide your compliance preparations. Further, you should strive to close the POAMs for even the 1-point controls prior to assessment in order to have the best chance of success in the process.
Schedule 15 minutes with our Compliance team
Set up a session with PreVeil’s compliance team to learn more about PreVeil’s SSP template. Or set up time to just get your CMMC 2.0, NIST800-171, DFARS 7012, FedRAMP or ITAR compliance questions answered.
Conclusion
POAMs can be a helpful stopgap measure for the contractor who has made a good faith attempt to achieve CMMC, but needs a little more time for a few minor portions of lower-point controls. It’s important to be aware of their existence, in case you need the extension they may afford, but you should primarily use the POAM template as a roadmap to provide structure for your efforts to close controls.
Reach out to get a copy of PreVeil’s SSP and POAM template. We can get you started.
Learn more:
Schedule a free 15-minute consultation with our compliance experts to answer your questions about NIST SP 800-171 and CMMC 2.0
In addition, you can read the following PreVeil briefs:
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Zero Trust: A Better Way to Enhance Cybersecurity and Achieve Compliance