What is a POA&M and when do I need one?
According to NIST SP 800-37 Rev. 2, a Plan of Action and Milestones (POAM or POA&M) is “A document for a system that ‘identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.’” In the context of Cybersecurity Maturity Model Certification (CMMC), POA&Ms document which National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) controls are not yet met, and chart a course to compliance. (Not doing something? POA&M.) In the best case, this is a plan built with intention and designed to be followed, rather than just a piece of paper to show assessors.
Organizations Seeking Certification (OSCs) will need a POA&M as they prepare for a CMMC assessment.
Must all POA&M items be closed prior to starting an assessment?
Under the current formulation of the CMMC Assessment Process (CAP), which evaluates compliance with NIST SP 800-171 controls, it is unlikely that OSCs will be allowed to start an assessment with any open POA&M items.
Can a POA&M be used to list and address shortfalls which do not coordinate with a specific NIST control?
Some controls include broad requirements which make complete POA&M remediation almost impossible. For example, the Level 2 Security Assessment (CA) domain includes control 3.12.2, which requires OSCs to “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.” We see efforts to generally “reduce or eliminate vulnerabilities” as ongoing work on the system, which should be part of the continuous defensive operational process. Therefore, we recommend OSCs strictly separate ongoing maintenance from POA&M items, which must refer to a specific control shortfall. We also recommend clearly explaining this distinction in your documentation.
To support this separation, we recommend creating a spreadsheet for tracking projects and action items which require ongoing maintenance. At my organization, we've chosen to call this the Plan of Action (POA), and use the document for things like tracking our Managed Security Service Provider (MSSP), implementing new rules on the Security Information and Event Management (SIEM) platform based on threat intel, and upgrading firewalls. By contrast, whenever we identify a specific control failure (e.g., not meeting the intent of some of the Security Assessment controls in a mock assessment), we place this on the POA&M, because that document is tightly coupled to our current Supplier Performance Risk System (SPRS) score.
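The POA/POA&M split described above lends itself to a simple mechanical check: an entry that names a specific NIST SP 800-171 control belongs on the POA&M and must carry the fields the NIST SP 800-37 definition calls for (tasks, resources, milestones, scheduled completion dates), while an entry with no control reference is ongoing work for the POA. The following Python is an added example written for this article, not a tool from the author's organization; the CSV column layout and the sample rows are constructed for illustration, and the control numbers in the sample (3.5.3 multifactor authentication, 3.13.11 FIPS-validated cryptography, 3.14.1 flaw remediation) are real NIST SP 800-171 Rev. 2 identifiers used only as labels.

```python
"""Triage a tracker export into POA&M items (tied to a specific NIST SP
800-171 control) and POA items (ongoing maintenance with no control
shortfall), and flag POA&M rows missing the fields a POA&M must have.

The CSV layout and sample rows below are constructed for this example.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from datetime import date

# NIST SP 800-171 Rev. 2 requirement identifiers have the form
# 3.<family 1-14>.<requirement>, e.g. 3.12.2.
CONTROL_ID = re.compile(r"^3\.(?:[1-9]|1[0-4])\.\d{1,2}$")

# Hypothetical tracker export (constructed). Blank "control" means the
# row is ongoing work rather than a specific control failure.
SAMPLE_TRACKER = """\
title,control,resources,milestone,due
Enable MFA for all privileged accounts,3.5.3,IdP admin (2 weeks),MFA enforced by IdP policy,2024-09-30
Tune SIEM rules from monthly threat intel,,SOC analyst,,
Firewall firmware upgrade cycle,,Network team,,
Document FIPS-validated crypto for VPN,3.13.11,,,
Patch backlog review,3.14.1b,IT,Monthly review,2024-13-01
"""


@dataclass
class Item:
    title: str
    control: str            # "" when no specific control is cited
    resources: str
    milestone: str
    due: str                # ISO date, "" if nothing is scheduled
    tracker: str = ""       # "POA&M" or "POA", set by triage()
    problems: list = field(default_factory=list)


def parse_tracker(text):
    """Read the CSV export into Item records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Item(r["title"], r["control"].strip(), r["resources"],
                 r["milestone"], r["due"]) for r in rows]


def triage(items):
    """Assign each item to the POA&M or the POA and validate POA&M rows.

    A POA&M row must cite a well-formed control identifier and carry
    resources, a milestone and an ISO-format scheduled completion date.
    """
    for it in items:
        if not it.control:
            it.tracker = "POA"          # ongoing work, no control shortfall
            continue
        it.tracker = "POA&M"
        if not CONTROL_ID.match(it.control):
            it.problems.append(
                f"control id {it.control!r} is not a NIST SP 800-171 identifier")
        for name in ("resources", "milestone", "due"):
            if not getattr(it, name):
                it.problems.append(f"missing {name}")
        if it.due:
            try:
                date.fromisoformat(it.due)
            except ValueError:
                it.problems.append(f"due date {it.due!r} is not an ISO date")
    return items


def load_and_triage(text):
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_tracker(text))


if __name__ == "__main__":
    for item in load_and_triage(SAMPLE_TRACKER):
        status = "ok" if not item.problems else "; ".join(item.problems)
        print(f"[{item.tracker:5}] {item.title}: {status}")
```

Running the script on the constructed sample places the two rows without a control on the POA, accepts the MFA row as a complete POA&M entry, and flags the FIPS row (no resources, milestone or date) and the patch row (malformed control id, invalid date) as POA&M entries an assessor would question.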
If you would like to learn more about CMMC documentation, the CAP process, or CMMC in general, check out the helpful resources page on our website here, take a look at our video library, or reach out to us at firstname.lastname@example.org.