A Closer Look at the CMMC Interim Rule’s Plan of Action and Milestones

Back to Blog
Cybersecurity and secure nerwork concept. Data protection, gdrp. Glowing futuristic backround with lock on digital integrated circuit.

A Closer Look at the CMMC Interim Rule’s Plan of Action and Milestones

For the final installment in our Cybersecurity Maturity Model Certification (CMMC) blog series, we have the Plan of Action and Milestones (POA&M).

In previous blogs, we mentioned that the Department of Defense’s (DoD) Interim Rule for CMMC requires all contractors and subcontractors to conduct a specific cybersecurity self-assessment. That assessment measures implementation of 110 different cybersecurity controls defined by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171. Contractors must also score that assessment using parameters specified by the DoD.

Along with their self-assessment and score, contractors must create a System Security Plan (SSP). The SSP details all aspects the contractor’s cybersecurity program and identifies their system’s functions and features. The plan must also align with all 110 controls in the NIST (SP) 800-171.

If an assessment reveals that any of the 110 controls have not been implemented, the contractor must also generate a detailed corrective action plan – a Plan of Actions and Milestones (POA&M). The United General Services Administration (GSA) states the POA&M’s purpose is to help identify, assess, prioritize, and monitor “the progress of corrective efforts for security weaknesses found in agency programs and systems.”

The POA&M must outline all proposed actions to remediate deficiencies and the timeframe for completing each item. The plan should be a living document and detail the progress of corrective actions as they are carried out.

Key Elements the POA&M Should Include:

  • Specific security weaknesses revealed in the assessment
  • Severity of each security control weakness identified
  • Scope of each component’s weakness within the environment
  • Proposed mitigation approach
  • Estimated costs for remediation if existing resources are not sufficient
  • Documented records of mitigation status and delays

A risk assessment must be conducted to ensure the remediation tasks are appropriately triaged and deficiencies are addressed in order of criticality.

The POA&M must be immediately available upon request by the Office of Management and Budget (OMB), Department of Homeland Security (DHS), GSA Inspector General, and GAO.

How to Help Your Clients Who Need CMMC Certification

Compliance Manager for CMMC includes tools to perform and score the NIST (SP) 800-171 self-assessment and automatically generates the required scorecard, SSP and POA&M. MSPs who begin early will have an opportunity to get ahead of the competition on this business expansion opportunity.