EXECUTIVE BRIEF
A POA&M is a critical document for your company's compliance journey. With the allowance of POA&Ms for conditional CMMC Certificate of Status, make sure to:
Dig deeper and continue reading below!
A Plan of Action & Milestones (POA&M) is a critical document for any organization seeking to address identified weaknesses or deficiencies. Whether it's improving cybersecurity, enhancing operational efficiency, or complying with regulatory requirements, a well-structured POA&M provides a roadmap for successful remediation. This guide will walk you through creating an effective POA&M, from identifying and prioritizing issues to setting realistic and achievable milestones that drive progress and ensure successful outcomes.
A Plan of Action & Milestones (POA&M) document identifies the gaps in your system and outlines the remediation actions and timelines your organization will follow to address them. Your POA&M is a key document for your organization, serving as your itinerary to achieve compliance.
A POA&M should be a comprehensive document that identifies and addresses all unmet controls, or deficiencies, affecting your organization’s cybersecurity compliance posture. Your POA&M should:
ISI Insight: If you’re working with a CMMC Managed IT Provider, like ISI, completing a gap assessment and developing a POA&M will be a core deliverable at the beginning of your services.
One of the key updates in the final CMMC rule was the allowance of POA&Ms for conditional Level 2 certification. Conditional certification allows defense contractors to place low-value unmet controls on a POA&M and still accept award of new defense contracts. However, within 180 days of being issued conditional certification, you must remediate these controls and pass a POA&M close-out assessment to achieve final certification. If you do not, your conditional certification ends, you will be removed from the contract you are working on, and you will have to restart your compliance journey.
A key thing to note about CMMC POA&M requirements is that controls worth 3 or 5 points are not allowed on a POA&M. A select few 1-point controls are also not permitted, but making sure the 3- and 5-point controls are satisfied is a great place to start.
Your POA&M is your path to strengthening your cybersecurity posture. It identifies gaps and holds your organization accountable for achieving an enhanced compliance posture by a specified date.
In addition to short-term goals, your POA&M is the launching pad for your company’s long-term cybersecurity goals. While your POA&M is benchmarked against a specific regulation, the outcomes of these efforts should result in organizational and operational changes in your company.
Cybersecurity requires buy-in from all facets of your organization and your POA&M highlights an organizational commitment to protecting sensitive information.
A POA&M can be created on a variety of different platforms. Many contractors build out their POA&M in an Excel spreadsheet, while others use an application that helps build out and manage their remediation plans. See an example of an Excel POA&M task below.
No matter which platform you use, your POA&M should have the following elements included:
Read more about each below.
Every POA&M begins with the identification and documentation of unmet controls. Your organization should be benchmarking your cybersecurity practices against an established regulation that pertains to your business and contracts. Once you have established which regulation(s) your company is required to adhere to, you can begin a gap assessment to identify any unmet controls and deficiencies.
Be sure to add a detailed description of the weakness within your POA&M to ensure all team members are in alignment on the problem so time can be spent on determining the proper corrective action.
Overall, your IT Director (or equivalent) should be responsible for and oversee the progress of your POA&M and remediation efforts.
However, your POA&M is likely going to cover multiple departments and include a variety of remediation tasks, from tool selection and implementation to internal policy development. So while your IT Director (or equivalent) is responsible for the project at large, individual remediation tasks should be delegated to the appropriate team members, so that tasks are completed in a timely manner and benefit from the insight of the people closest to them.
Once you’ve identified the gaps in your compliance posture and the appropriate team members to support remediation efforts, it’s time to start action planning.
A helpful model to ensure your remediation efforts are effective is to employ the SMART goal model. SMART stands for: Specific, Measurable, Achievable, Relevant, and Time-bound. With this mindset, you will be poised to develop remediation tasks that are:
One other important aspect of action planning is assigning a criticality level to each unmet control. This helps your organization prioritize which controls matter most to enhancing your compliance posture and which may require more support or resources to complete (e.g. assigning a higher criticality level to developing a System Security Plan than to revising a process around visitor logs).
Enhancing your security and compliance posture takes both time and financial resources. When developing your POA&M, make sure to spend adequate time pricing different solutions and identifying how any difference in functionality could affect your team or compliance goals.
Your milestones will be the basis for how you track your progress within individual tasks and your POA&M as a whole. Here are three tips for creating milestones within your POA&M:
Your POA&M should be as long as it needs to be to achieve compliance. If you have a fairly strong compliance posture, you will likely have a shorter POA&M document. On the other hand, if you’re new to the defense industrial base (DIB) and just getting familiar with DoD-specific regulations, it will likely be a longer document.
The length of your document is less important than the comprehensiveness and detail within it. The goal is to develop a POA&M that all involved team members can look at and understand the objective at hand.
If you’re just starting out on your compliance journey, a detailed and comprehensive POA&M is critical to ensuring you achieve compliance with your targeted CMMC maturity level requirements.
As mentioned earlier, certain outstanding unmet controls are allowed to be on a POA&M for conditional certification. This is where assigning timelines and criticality levels becomes important within your CMMC compliance journey. Make sure to prioritize your remediation efforts for the three- and five-point unmet controls applicable to your organization. Otherwise, you risk failing your assessment and missing out on new defense contracts.
ISI Insight: CMMC only allows POA&Ms for Level 2 and Level 3 contractors. Conditional certification and the use of POA&Ms are not permitted for contractors seeking Level 1 certification.
While many defense contractors rely on Excel to develop their POA&M, there are platforms available to help develop and manage your POA&M. ISI partners with FutureFeed to assist our clients during their compliance journey.
FutureFeed serves as a project management platform and is designed around the NIST 800-171 controls, which are required for CMMC Level 2.
» Learn more about FutureFeed here!
In addition to FutureFeed, here are some other governance, risk, and compliance (GRC) platforms that can support your compliance journey:
Once you have written and developed your POA&M, it’s time to start on your remediation efforts. That said, don’t forget about your POA&M after it is written. Find tips for updating and tracking your progress within your POA&M to help keep your compliance journey on track.
A key aspect of your POA&M will be tracking your progress at the holistic and specific remediation task level. Proper and accurate tracking relies on having specific and measurable milestones detailed in your POA&M. Another key aspect of tracking your progress is prioritizing your unmet controls. With conditional certification allowed, there is a difference between progress to completing your goals versus progress towards achieving certification.
The most important aspect to the effectiveness of your POA&M is your familiarity and expertise with defense-related regulations and assessment processes. If your organization does not have much experience with DoD regulations, you risk developing a POA&M that is not properly aligned with NIST 800-171.
Another key to an effective POA&M is effective communication. A detailed POA&M will help your team identify:
Additionally, your POA&M will serve as a real-time view into your compliance journey to internal and external stakeholders. Effectively communicating your efforts and progress will help alleviate concern or foster additional buy-in from key decision makers.
Your POA&M is an ever-evolving document. Systems can experience glitches or shut down, so it is important to employ continuous monitoring practices to ensure that any abnormalities are identified and addressed quickly.
Additionally, as regulations change or as you make changes to your security tool stack and policies, your POA&M has to be updated accordingly.
Your POA&M should be updated as progress is made, or as new deficiencies are identified. How often that turns out to be will depend on the progress being made and effectiveness of your continuous monitoring tools in identifying new deficiencies.
ISI has completed over 180 NIST assessments and accompanying POA&Ms for small- to medium-sized defense contractors. In fact, it is one of the very first tasks we complete for our customers looking to achieve CMMC certification!
» Talk to one of our advisors to learn how we can help your organization’s remediation efforts!
Your SSP is your organization’s comprehensive document detailing the entirety of your security plan. Your SSP will detail your network configurations, tools and software, policies and procedures, … etc. This is your organization’s security playbook.
Your POA&M details your identified gaps and the remediation efforts needed to achieve compliance. It therefore has a narrower focus than your SSP, but it complements your SSP by ensuring your cybersecurity practices and policies are in alignment with compliance regulations.
NIST does not outline any formal POA&M policy. Rather, defense contractors benchmark their POA&M against the controls listed in a set of regulations (e.g. CMMC Level 2 contractors would benchmark against NIST 800-171).
Tasks are sub-action items that lead to the completion of a deliverable. For example, let’s say your boss asks you to create a spreadsheet providing information on your top 10 clients. The deliverable is the spreadsheet. The tasks would be downloading a report of your sales, identifying who are your top 10 biggest clients, and then compiling the relevant information for your boss.
Outcomes are definitive results from your remediation efforts. Milestones can be outcomes but also account for measurable steps towards achieving the goal. In other words, milestones are the metric you use to track progress while outcomes determine whether the goal has been met.