NIST and CMMC Plan of Action and Milestones (POA&M)

Why your organization needs a POA&M

Small businesses working on DoD contracts may come in contact with Controlled Unclassified Information (CUI). The DoD requires compliance with DFARS clause 252.204-7012 to protect CUI, which means those businesses must implement the cybersecurity safeguards outlined in the National Institute of Standards and Technology (NIST) SP 800-171 standard. Among those safeguards, the standard requires organizations to periodically assess their cybersecurity risk (first and foremost the risk associated with incomplete 800-171 implementation) and to maintain a Plan of Action and Milestones (POA&M) laying out the specific steps the organization will take to mitigate those risks. The DoD has stated that some POA&M items will be allowed at the time of a Cybersecurity Maturity Model Certification (CMMC) assessment. In time, all DoD contractors that handle CUI will have to obtain a CMMC certification.

Totem can help your small business manage its POA&M.

How Totem can help you manage your NIST/CMMC POA&M

Your organization can rely on Totem to help manage its POA&M in three interrelated ways:

  1. Attend one of our DFARS/NIST/CMMC Workshops. We teach you the basics of a POA&M and give you the skills to manage your own.
  2. Subscribe to our Totem™ Cybersecurity Compliance Management software. Totem™ has a simple, intuitive POA&M workflow built in.
  3. Engage us for a custom DFARS/NIST/CMMC gap assessment and strategic policy planning session. Let us help you build a meaningful POA&M.


Each of these options aligns with our DFARS/NIST/CMMC Preparation Methodology. With our approach, you'll

  • start by gaining an understanding of the requirements,
  • continue by cataloging and categorizing your organizational assets, including the CUI you handle, according to government guidelines,
  • and then perform an assessment against the NIST SP 800-171 standard in parallel with building an 800-171-aligned System Security Plan (SSP).


The results of the assessment and the SSP build then feed the construction of Corrective Action Plans (CAPs) to remediate deficient cybersecurity capabilities, i.e. those safeguards your organization has planned to implement but hasn't gotten around to yet. Each CAP should name the deficient requirement, the remediation steps, an owner, and a target completion date (the "milestones"). The sum total of all your organization's CAPs is the POA&M.

In the Workshop, we teach you how to do all of these things and provide access to the Totem™ tool to help manage the assessment, SSP, and POA&M. After the Workshop, you can subscribe to Totem™ to continue managing your POA&M; after all, the POA&M is a "living" document, in the sense that there is always something to do to make your organization more secure, and every completed CAP and newly discovered gap should be reflected in it.

If, after the Workshop, you realize your organization needs more help, you can engage us for a one-on-one gap assessment. During this engagement, we'll use the Totem™ tool workflow to craft your NIST/CMMC POA&M, laying out in detail the individual "bite-sized" CAPs your organization will execute to mitigate the risks and comply with the standard.

We've been managing POA&Ms for DoD and US Federal Government enterprise IT (big ones, like the US Air Force and the Centers for Medicare & Medicaid Services (CMS)) for over a decade now. We'd love to bring that experience and know-how to bear on your small business cybersecurity compliance needs. We'll help you develop common-sense, cost-effective CAPs, and help you manage your cyber risk lifecycle in a NIST/CMMC-compliant POA&M. Get in touch if you'd like to know more about how we can help with your POA&M.