How to create a POA&M for CMMC compliance


When a Quick Fix Just Isn't Possible

Security standards like NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) provide common frameworks for managing robust security programs. By following these standards, organizations will implement security controls that can help protect Controlled Unclassified Information (CUI). However, practically speaking, not even the most diligent IT team can ensure full compliance with absolutely every requirement all the time. This is especially true among small businesses that may not even have a dedicated IT team.

For example, a security control could rely upon software that has reached end-of-life. With new software licenses often costing thousands of dollars, your company may simply be unable to afford a replacement. Or instead, auditors might observe that your organization needs an alarm system installed, but the only vendor in your city is booked for months. Whatever the case, there will inevitably be times where your organization is non-compliant with one (or more likely, several) security controls.

Rather than simply throwing our hands into the air and admitting defeat, we roll up our sleeves and develop a “get-well” plan. We need to document the tasks necessary to resolve our security program’s deficiencies, along with the resources required to do it. We’ll also keep track of the milestones that we’ll pass along the way. To hold ourselves accountable– and to let auditors know we’re serious about fixing these issues– those milestones should include estimated completion dates. This document, which actually is required by NIST 800-171’s Basic Security Requirements (3.12.2), is called a Plan of Actions and Milestones, or POA&M.

Controlled Unclassified Information Plan of Action

Developing Your POA&M

There are many ways that deficiencies in our System Security Plan could be identified. The most common is for an internal review or an external auditor to identify weaknesses in your security posture during an inspection. Organizations with more mature security programs, on the other hand, will continuously monitor the efficacy of their security controls. In the process of doing so, they often discover that some controls are no longer fully effective. Whatever the case, these weaknesses must be tracked in your POA&M document.  Each weakness will be addressed with specific corrective actions.

NIST’s sample POA&M template can help your organization start tracking the corrective actions needed to secure your information systems. As you fill out the form, remember that this is no mere administrative exercise– you are recording real-world risks to your business and developing ways to mitigate them!

With that in mind, an effective POA&M must be developed from an organization-wide perspective and should identify the resource requirements for each task. This means the POA&M shouldn’t be the sole responsibility of your IT department. Instead, company leadership should be involved to ensure the necessary resources are allocated and to hold accountable the entities responsible for executing the corrective actions.

Specificity and practicality are important: a good POA&M illustrates serious commitment to resolving your security deficiencies. A weak POA&M, on the other hand, lists vague, aspirational, or unrealistic tasks. An auditor will quickly recognize such documents as a mere ‘band-aid’ and suspect the organization is not taking deficiency remediation seriously.

Milestones are a key part of any effective POA&M. Complex POA&M items may be broken down into distinct phases and have several milestones, while for simple fixes, the only milestone could be the completion date itself. The POA&M will be continuously updated as you make progress towards remediation, making it a living, dynamic document. NIST 800-53r5 recommends (pg. 89) using security automation software to support this process, so consider tracking POA&M items with your ticketing system if you have one or utilizing our Totem™ Compliance Planning Tool. You can request a free trial of Totem™ at the end of this post. We built the tool so that you won’t have to worry about managing your entire CMMC compliance program in spreadsheets and documents. Using Totem™, you can easily track your implementation of NIST 800-171 (including the corresponding NIST 800-171A objectives) and construct an SSP, POA&M, and other necessary artifacts.

Creating a POA&M in Totem's Cybersecurity Compliance platform
A POA&M in Totem™

The POA&M's Impact

It’s important not to underestimate the importance of the POA&M. NIST warns that “federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.” (NIST 800-171, 3.12.4). In other words, the quality of your POA&M can directly affect your chances of being awarded a government contract.

If your company is preparing to undertake this important process, take advantage of our decade of experience managing NIST-compliant POA&Ms. Our cybersecurity experts lead quarterly workshops where we help your organization develop a POA&M that doesn’t just meet compliance requirements but serves as an integrated part of your cybersecurity program.

One final note: sometime within 2024, we will start seeing the first DoD contracts incorporating CMMC requirements. Unlike other security frameworks where auditors excuse security shortfalls when there is a well-crafted POA&M, it’s still uncertain what will be allowed on POA&Ms at the time of a CMMC assessment. We know for certain that any NIST 800-171 controls corresponding with the “FAR 17” — the 17 basic cybersecurity protections — will definitely not be allowed on a POA&M at the time of assessment. We’re not optimistic that much flexibility will be allowed in this regard, which is why we recommend you get to work closing all open POA&M items before your CMMC assessment. It takes the average small business 12-18 months to fully implement NIST 800-171, which means that your runway is getting much, much shorter.

If you are just getting started on your CMMC compliance journey, feel free to get in touch with us, and we’ll help you strategize the quickest and most cost-effective approach to implementing NIST 800-171 and building your SSP, POA&M, and other documentation. Or, take a look at our CMMC Compliance Roadmap to consider your next move.

Keep fighting the good fight!


Creating a POA&M in Totem's Cybersecurity Compliance platform

Request a Free 30-Day Trial of Totem™!

Like this post? Share it!

Get notified when new blogs are published!