
What is a POAM?

Written by Waits Sharpe | May 21, 2024 2:46:37 PM

Organizations that are contracted by the Department of Defense (DoD) or are bidding on future contracts must adhere to certain cybersecurity regulations to protect the sensitive data they may be entrusted with by the federal government. These requirements are outlined in NIST SP 800-171 and will be validated through the Cybersecurity Maturity Model Certification (CMMC) in the next year. While the term CMMC may be new to contractors, the requirements have been around since 2017. If your organization is already NIST 800-171 compliant, then you're one step ahead. However, for many SMBs attaining compliance can be time-consuming and expensive. To help ease this burden, the DoD is allowing POAMs as part of the compliance process. This blog will explain what a POAM is and why it is helpful for your organization.

NIST 800-171/CMMC Requirements

NIST SP 800-171 (now in its third revision) is a framework of 110 controls that organizations must implement to be considered "compliant". Contractors that handle controlled unclassified information (CUI) must self-assess against the 110 controls in NIST 800-171. Each control is assigned a point value of one, three, or five points. An organization begins at a maximum of 110 points and subtracts points for each control that has not been properly implemented. The highest score achievable is 110, while the lowest is -203.

CMMC is the verification mechanism that the DoD will use to ensure that its contractors are complying. Now in its finalization phase, CMMC will likely begin entering contracts at the beginning of 2025. The current CMMC model is made up of three maturity levels: foundational, advanced, and expert, all of which are based on the controls outlined in NIST 800-171. With the implementation of CMMC come new rules for how POAMs are to be handled.

What is a POAM?

A "Plan of Action and Milestones" or "POAM" is a document that outlines which controls have not been implemented or addressed under NIST 800-171 and how the organization plans to meet those requirements in the future. A POAM details what resources are required and the dates by which each task must be completed. This shows the DoD that the contractor is aware of the control and has plans to address it in the near future. For every control that is not met in the initial self-assessment, a POAM is required. This also helps organizations plan their compliance journey and offers direction.

In regard to CMMC, POAMs are acceptable in some cases, but not all. For starters, no organization required to achieve CMMC level 1 is allowed to submit POAMs. The controls included within level 1 are foundational and should be present in every organization. Within CMMC level 2, POAMs will only be allowed for certain one-point controls, and never for three- or five-point ones. The biggest change, however, is that contractors will only have 180 days to fulfill their POAMs. Previously, there was no strict time limit on when these controls needed to be implemented; under CMMC, contractors will need to be proactive.

Key elements of a POAM

To be as effective and useful to a C3PAO as possible, POAMs should include the following essential elements:

  • NIST 800-171/CMMC Level 2 control to which it applies
  • Point of contact (POC) responsible for actions
  • Actions planned to meet the control
  • Intended action start and completion dates
  • Actual action(s) taken
  • Milestones to meet
  • Current status of efforts to meet the control
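As an added illustration (not code from the original post or from CorpInfoTech), the following Python script encodes the three points made above: the self-assessment score computed as 110 minus the weight of every unimplemented control, the CMMC rules for when a POAM is permitted (none at level 1, only one-point controls at level 2, closed within 180 days), and a record type carrying the key elements just listed. The control identifiers follow the NIST SP 800-171 numbering style, but the weights and all POAM entries are constructed sample data, not the official DoD assessment values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110            # every organization starts at 110 points
POAM_DEADLINE_DAYS = 180   # CMMC limit for closing a POAM, as stated in the post


@dataclass
class Control:
    control_id: str      # NIST SP 800-171 control identifier, e.g. "3.1.1"
    weight: int          # DoD assessment weight: 1, 3 or 5 points
    implemented: bool


@dataclass
class Poam:
    """One POAM entry carrying the key elements listed in the post."""
    control_id: str
    poc: str                     # point of contact responsible for the actions
    planned_actions: str
    start: date
    target_completion: date
    actions_taken: str = ""
    milestones: list = field(default_factory=list)
    status: str = "Open"


def sprs_score(controls):
    """Self-assessment score: 110 minus the weight of every unimplemented control."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def poam_allowed(control, cmmc_level):
    """Rule from the post: no POAMs at level 1; at level 2 only one-point controls."""
    if cmmc_level == 1:
        return False
    return control.weight == 1


def review_poams(controls, poams, cmmc_level):
    """Return (control_id, issue) pairs that an assessor-style review would flag."""
    by_control = {p.control_id: p for p in poams}
    findings = []
    for c in controls:
        if c.implemented:
            continue
        poam = by_control.get(c.control_id)
        if poam is None:
            # The post states a POAM is required for every unmet control.
            findings.append((c.control_id, "unmet control has no POAM"))
            continue
        if not poam_allowed(c, cmmc_level):
            findings.append((c.control_id,
                             f"POAM not permitted for a {c.weight}-point control "
                             f"at CMMC level {cmmc_level}"))
        if poam.target_completion - poam.start > timedelta(days=POAM_DEADLINE_DAYS):
            findings.append((c.control_id,
                             f"target completion exceeds the {POAM_DEADLINE_DAYS}-day limit"))
        if not poam.poc.strip():
            findings.append((c.control_id, "no point of contact assigned"))
    return findings


# Constructed sample data; weights are illustrative, not the official DoD values.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, implemented=True),
    Control("3.1.20", 1, implemented=False),
    Control("3.5.3", 5, implemented=False),
    Control("3.13.11", 1, implemented=False),
    Control("3.14.6", 1, implemented=False),
]

SAMPLE_POAMS = [
    Poam("3.1.20", "J. Doe (hypothetical POC)", "Restrict external system connections",
         date(2024, 5, 1), date(2024, 9, 1), milestones=["Inventory connections"]),
    Poam("3.5.3", "J. Doe (hypothetical POC)", "Roll out MFA to all accounts",
         date(2024, 5, 1), date(2024, 8, 1)),
    Poam("3.14.6", "J. Doe (hypothetical POC)", "Deploy network monitoring",
         date(2024, 5, 1), date(2025, 1, 1)),   # longer than 180 days
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    for control_id, issue in review_poams(SAMPLE_CONTROLS, SAMPLE_POAMS, cmmc_level=2):
        print(f"{control_id}: {issue}")
```

Running the script against the sample data reports a score of 102 and flags the 5-point control that cannot be POAM'd at level 2, the unmet control with no POAM at all, and the entry whose target date falls outside the 180-day window.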

CorpInfoTech's POAM Process

CorpInfoTech is a managed service provider that offers IT and cybersecurity solutions to small and medium-sized businesses. Our services start with a security assessment that examines your organization's current security posture. This assessment determines which controls are implemented, which aren't, and how effective they are. Using the CIS Controls, CorpInfoTech can conduct a comprehensive risk assessment tailored to NIST 800-171 and CMMC compliance. Once this is completed, CorpInfoTech will work with the client to develop their POAM.

Our services don't end at finding the gaps; we also offer solutions for how they can be closed in a timely manner with tangible results. CorpInfoTech will remain with our clients through every phase of implementation and help your organization fulfill the requirements outlined in its POAM. Finally, cybersecurity is not a one-and-done deal. We continue to manage our customers' IT and security systems to ensure they are always secure and compliant.

Contact CorpInfoTech today to begin your compliance journey!
