CMMC has become a strict, rigorous set of regulations for contractors working with the Defense Department. It is a clear map of maturity and capabilities; its implementation of NIST 800-171 controls; and its call for complete compliance before certification make CMMC audits challenging for many unprepared businesses. Unlike other frameworks, CMMC doesn’t allow documents like a Plan of Action and Milestones (POA&M) to stand in for actual compliance. 

CMMC 2.0 seems to change that. Here, we will discuss a POA&M and what it means within the CMMC framework. 

What is a Plan of Action and Milestones?

When you undergo an audit, whether for CMMC or another federal or DoD security framework, you may complete what’s known as a Plan of Action and Milestones (POA&M). This report essentially states what still needs to happen to guarantee compliance. 

Different frameworks will call for various POA&M reports, but most of these will contain very similar elements. These elements include:

• Security Weaknesses and Compliance Gaps: The core of the POA&M includes the security gaps your infrastructure has, either as an objective measure of your security capabilities or against compliance requirements. What security controls are you missing, what configurations aren’t up to snuff, and what policies and procedures are not in place that keep you from full compliance? 
• Severity and Scope of Gaps: The POA&M report also details how severe these gaps are and how they impact your overall security posture. Some security gaps may just impact a limited set of resources or require little attention to fix. Others may be critical weaknesses that undermine a whole network of systems and technologies. 
• Proposed Mitigation Procedures: A plan for remediating these gaps. This plan should include concrete steps taken to fix the problem, aligning the issue with compliance standards and the timeframe expected to fix the problem. Some POA&M reports will necessarily expect you to provide a timeframe that fits compliance frameworks. 
• Costs: Listing costs for remediation, including time, work hours, money and additional steps taken if resources aren’t immediately available. 

Several NIST publications, including NIST SP 800-115 and NIST 800-53 define POA&M reports, and these definitions are used in compliance standards like FedRAMP and CMMC. In some, like FedRAMP, a POA&M can stand in as part of the authorization process… suppose your organization completes an audit and your 3PAO determines that you will achieve compliance upon completing specific tasks within a certain timeframe. In that case, the FedRAMP governing body can authorize you to satisfy the requirements in the POA&M. 

How are POA&Ms Used in CMMC Certification?

The use of a POA&M report in CMMC is a little confusing, partly because of the language of CMMC version 1. 

To complete a CMMC audit, the audited organization must complete a POA&M if any of their systems don’t meet CMMC requirements. However, another section of CMMC states that upon certification, the organization must have implemented all practices and processes at the assessment time. 

Simply put, this presents what seems like a contradiction. If requirements for certification are necessary at the moment of assessment, then a POA&M report seems like a waste of time. 

One interpretation of this seeming contradiction is that POA&Ms are used as Documentation of Progress: If your organization is attempting to receive certification at a higher CMMC level than you are currently at, then a POA&M can help document your journey without serving as a stand-in for the actual certification process. 

While this scenario provides a reason for why the POA&M might exist, it doesn’t legitimize it. A contractor seeking certification at a given level would still have to meet requirements at the audit time. 

However, new regulations in CMMC have changed this. In November 2021, the DoD released a new revision of the CMMC framework, dubbed “CMMC 2.0”. This new version of the framework, revised with feedback from and discussion with agencies and contractors, seeks to streamline the process and make that process easier without sacrificing security. 

One of the major features that CMMC 2.0 added to the framework is that contractors can utilize POA&M reports as part of their certification process under limited and case-by-case circumstances. 

This is a huge step in simplifying the process. Other compliance standards like FedRAMP already offer this path with good results. And, it makes sense… not allowing a POA&M as a gateway to authorization or certification assumes that the audited organization already knows that every audited system will achieve compliance. There’s preparation and then simply attempting to see into the future. 

Including POA&Ms in a flexible certification system can help organizations by holding them to a clear and precise procedure to meet compliance requirements without having them hit a home run during the audit process.

On top of this, the DoD and CMMC-AB have signaled that even with POA&M, some organizations may, depending on their situation, qualify for waiving specific CMMC requirements. 

Streamlining Audits and Preparing for CMMC 2.0

CMMC 2.0 has been announced, and the DoD has published its broad changes. However, the actual rules have yet to be released and may not be for at least 9-24 months. While the DoD has temporarily suspended CMMC requirements in defense contracts for the supply chain, you’ll still want to begin preparing for CMMC 2.0 by understanding what’s coming up and before this. 

Continuum GRC deploys expert compliance and security specialists utilizing automation to streamline your auditing process. We can help you with commercial, federal or defense compliance audits by making documentation and reporting easier, translating logging information into official templates and reducing audit times from months and weeks to mere days. 

Are You Preparing for CMMC or Other Government Audits?

Call Continuum GRC at 1-888-896-6207 or complete the form below.