Anyone looking to comply with the Cybersecurity Maturity Model Certification (CMMC) needs to be aware of POA&Ms. Keep reading to learn what a POA&M is, why they matter, and how to use them within your compliance strategy.
A Basic Definition of POA&M
The term POA&M stands for Plan of Actions and Milestones.
As the name suggests, a POA&M is a document that identifies the cybersecurity tasks to be accomplished.
The document also details the resources required to complete those tasks, the milestones for completing them, and the dates by which each milestone must be reached.
To know what a POA&M looks like, you can take a look at the CUI Plan of Action template provided by the National Institute of Standards and Technology as part of the documentation for NIST SP 800-171 (one of the frameworks CMMC is based on).
As you can see, a Plan of Actions and Milestones is in essence a table with several columns that capture information such as:
- Weaknesses found.
- Responsible office.
- Scheduled completion date.
- Milestones with interim completion dates.
- Changes to milestones.
- How the weakness was identified.
- Status (ongoing or complete).
But a POA&M is more than a predesigned form to fill out: POA&Ms are an integral part of your cybersecurity strategy. Below are the typical phases of the POA&M process once it is implemented:
- Receive audit reports.
- Identify vulnerabilities.
- Analyze risks and options.
- Develop a corrective action plan with specific milestones.
- Put the plan into action.
- Report on progress.
- Confirm POA&M completion.
It is worth remembering that cybersecurity is an iterative and ongoing process. That’s why POA&Ms and continuous monitoring should go hand in hand.
POA&Ms and CMMC: What You Need To Know
No doubt, POA&Ms are useful. But why are POA&Ms important to defense contractors?
According to what we know so far, the Department of Defense (DoD) intends to specify a certain number of essential CMMC practices that must be achieved prior to contract award. You will be able to address the remaining pending requirements in a POA&M.
In other words, if you can’t meet all the CMMC practices required for a certain contract, you can commit to meeting those practices by producing a POA&M that lists the outstanding system weaknesses and establishes a precise date for achieving compliance.
However, POA&Ms are not blank checks. Far from it. Going by the information the DoD has provided, you can expect to see a certain number of CMMC practices that WON’T be allowed on a POA&M under any circumstances.
The DoD has also stated that it intends to establish a minimum score requirement to support certification with POA&Ms.
Note that POA&M is not a term exclusive to the CMMC ecosystem. Just to cite an example, FedRAMP, the federal compliance program for cloud products and services, also requires POA&Ms.
So if your focus is the Cybersecurity Maturity Model Certification, be sure to verify that any information you research online refers specifically to CMMC POA&Ms.
When Will We Know Which CMMC Practices Won’t Be Allowed on a POA&M?
The practices that will be allowed on a POA&M (as well as those that won’t) will be identified when the CMMC 2.0 rule is published.
What is already clear is that, with the implementation of CMMC 2.0, the DoD intends to allow companies to receive contract awards with a Plan of Actions and Milestones (POA&M) in place to complete the remaining CMMC requirements.
Be sure to check this blog regularly to get the latest information on POA&Ms and CMMC as it becomes available.
And if you have questions about specific cases or applications of POA&Ms, don’t hesitate to get in touch with our CMMC Registered Practitioners.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today by clicking here.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063