If you’re a defense contractor and need to comply with NIST 800-171, then you need to know about System Security Plans (SSPs) and Plans of Actions & Milestones (POAMs). SSPs document how your organization meets NIST 800-171’s 110 controls. Check out our blog How to Create a System Security Plan, to learn more about this important document. POAMs, on the other hand, describe your plan to meet any controls that are currently unmet. POAMs are designed to direct your compliance efforts and keep you on track.

Note that POAMs are not a loophole out of compliance. They buy you time to meet unmet controls, but in the end you still need to meet them.

This blog explains what POAMs are, which NIST 800-171 controls you can use them for, and how POAMs factor into your NIST 800-171 and CMMC Level 2 compliance journey. We’ll share a basic sample POAM, and share a sample of PreVeil’s comprehensive POAM template.

For defense contractors, a POAM is a document that identifies tasks that need to be accomplished to meet an unmet security control in their System Security Plan. POAMs detail the resources required to do those tasks, milestones along the way to accomplishing the tasks, and the dates by which those milestones will be achieved. As such, POAMs are useful tools for planning your compliance journey.

If your organization handles CUI (Controlled Unclassified Information) and needs to comply with NIST 800-171, then you’re also required to conduct a self-assessment of compliance with each of NIST 800-171’s 110 security controls. Each of the 110 controls is assigned a weight of one, three or five points. Scoring starts at the highest possible score of 110. Points are deducted for each control not met, all the way down to -203

Each of the 110 controls is assigned a weight of one, three or five points. Scoring starts at the highest possible score of 110. Points are deducted for each control not met, all the way down to -203

If contractors don’t meet a NIST 800-171 security control, they need to create a POAM for it. Current Department of Defense (DoD) regulations, however, don’t specify a time limit by which the unmet control must be met (aka when the POAM must be closed). But that’s going to change soon under CMMC, as explained below.

Cybersecurity Maturity Model Certification (CMMC)—the DoD’s new framework to bring contractors into compliance with NIST 800-171—is expected to begin to appear in defense contracts beginning in early 2025. CMMC imposes restrictions on the use of POAMs to achieve CMMC certification:

  • No POAMs will be permitted for defense contractors required to achieve CMMC Level 1. Contractors that handle Controlled Unclassified Information (CUI) and are subject to NIST 800-171 must achieve at least CMMC Level 2. POAMs will be permitted at CMMC Level 2, but only for some one-point controls. With one exception, POAMs will not be permitted for any three- or five-point controls—which are some of the hardest requirements to meet.
  • Contractors can continue to move forward with the Level 2 certification process only if upon their initial third-party CMMC assessment they: 1) meet at least 80% of all the NIST 800-171 controls (which CMMC Level 2 requirements mirror), and 2) all controls not met upon initial assessment are permitted to be met via POAMs
  • Finally, POAMs will be time-bound under CMMC: Defense contractors will have 180 days to close out their POAMs. If you don’t meet that deadline, you will have to go back to the drawing board and start the CMMC certification process over. Given that hard deadline, your best bet is to close out as many of your POAMs as possible before contacting a C3PAO (CMMC Third Party Assessment Organization) to conduct your CMMC assessment. Note that it will be up to your C3PAO to approve your use of POAMs to achieve compliance; if you’re too far off target, you may not get that go-ahead

DoD’s allowance for POAMs is a good-faith admission that getting an organization to compliance takes time and effort. POAMs offer a way for organizations that have achieved most of their compliance objectives to remain competitive for contracts while they finish closing out their last few POAMs. They are not a way out of compliance.

POAMs and CMMC Level 2: Three things you should know

#1. POAMs are allowed only for some 1-point NIST 800-171 controls (which CMMC Level 2 requirements mirror) and not for any 3- or 5-point controls, with just one exception.

#2. All POAMs will need to be closed out within 180 days or you’ll need to start the CMMC certification process over again.

#3. POAMs buy you time, but they’re not loopholes—in the end, to be CMMC Level 2 certified, your organization will need to meet all 110 NIST 800-171 security controls.

To be as effective and useful to a C3PAO as possible,  POAMs should include the following essential elements:

  1. NIST 800-171/CMMC Level 2 control to which it applies
  2. Person of contact (POC) responsible for actions
  3. Actions planned to meet the control
  4. Intended actions start and completion dates
  5. Actual action(s) taken
  6. Milestones to meet
  7. Current status of efforts to meet the control

Here’s an example of what a basic POAM containing these seven key elements would look like:

PreVeil has created a POAM template to help defense contractors meet DoD mandates. The template takes much of the guesswork out of planning for organizations that use our email and file sharing platform to protect CUI.

PreVeil’s POAM template shows how controls that PreVeil doesn’t support can be met.  Recall, though, that under CMMC, POAMs will be accepted only for eligible 1-point controls. Any POAMs PreVeil provides for ineligible controls are solely to guide your compliance preparations. Further, you should strive to close your POAMs for even the 1-point controls prior to assessment in order to have the best chance of success in the process.

PreVeil’s POAM template is far more detailed—and therefore far more useful—than the basic template shown above. For example, this POAM template for  AC (Access Control) L1-3.1.22 —which stipulates that information posted on or processed on publicly accessible information systems must be controlled—lists each of the eight assessment objectives associated with that control. The objectives guide you through each step it takes to meet the control. And rather than just seven columns, the template has 17 columns that allow you to keep all the information you need in one place to get to closing out the POAM and documenting it.

Finally, PreVeil’s POAM template allows you to track all your POAMs in one central place—and keep a running tally of your improving assessment score as you close out the POAMs.

POAMs can be helpful for contractors that have made a good faith effort to meet NIST 800-171 and CMMC Level 2 requirements, but still need time to fully meet some 1-point controls. POAMs grant you an extension, but your best strategy should be to think of POAMs primarily as a roadmap to closing out controls.

Reach out to PreVeil at [email protected] for a copy of our complete POAM template

Schedule 15 Minutes for free with our Compliance team

#Set up a session with PreVeil’s compliance team to learn more about PreVeil’s SSP and POAM templates. Or set up a call just to get your CMMC, NIST 800-171, DFARS 7012, FedRAMP or ITAR compliance questions answered.

Book a Session

Learn more:

PreVeil has numerous resources to help you on your compliance journey, for example: