The CMMC Rule and Plans of Action & Milestones (POA&M)


One of the things that I wanted to see in the CMMC Rule was more clarity on utilizing Plans of Action and Milestones (POA&M) for companies that do not fully meet all 110 requirements during their assessment.

I’m continuing to dive into the CMMC rule…it’s freaking long. Here is what it says about POA&Ms, the rules governing their use, and the deadlines associated with them.

What is a Plan of Action and Milestones (POA&M) Anyway?

For those that are unfamiliar, think of a POAM as a roadmap for addressing any cybersecurity gaps identified during an organization’s CMMC assessment. It documents the deficiencies and outlines how and when the organization plans to fix them. It is basically a detailed checklist created to implement the practices that were Not Met.

However, POA&Ms are not allowed for all CMMC levels or requirements. For example, CMMC Level 1 does not allow any POA&Ms; all security requirements must be fully met at the time of assessment.

For CMMC Level 2 and Level 3, POA&Ms are permitted under certain conditions, and they give organizations a limited period of time after the assessment to remediate the deficiencies.

For CMMC Level 2 assessments, a POAM can include a maximum of 22 security requirements that are each valued at 1 point.

The following practices are not allowed to be included on a POAM:

  • AC.L2-3.1.20 External Connections
  • AC.L2-3.1.22 Control Public Information
  • CA.L2-3.12.4 System Security Plan
  • PE.L2-3.10.3 Escort Visitors
  • PE.L2-3.10.4 Physical Access Logs
  • PE.L2-3.10.5 Manage Physical Access

Conditional CMMC Status

Conditional CMMC Status is a temporary designation granted to organizations that have completed a CMMC assessment but have not met all the required security requirements. This status allows the OSA to be considered for contracts that require CMMC certification while they work to remediate their remaining security deficiencies.

To be eligible for Conditional CMMC Status, the OSA must meet certain criteria:

  • Achieve a minimum score of 80% on their initial assessment (both Level 2 and Level 3 assessments).
  • Ensure that the “NOT MET” requirements do not include the practices listed above.
  • Document all “NOT MET” requirements in a Plan of Action and Milestones (POA&M).

The OSA is then granted 180 days to remediate the “NOT MET” requirements and undergo a closeout assessment.
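The eligibility rules above (80% minimum score, no excluded practices, at most 22 one-point items, 180 days from the date the findings are recorded) combine into a single decision that is easy to get wrong by hand. The checker below is an added example written for this post, not code from the CMMC rule or any official tool. It assumes the 180-day clock starts on the day the findings are entered into SPRS or eMASS, and the point values and requirement identifiers in the test inputs are constructed samples; the page only states that POA&M-eligible items are worth 1 point each, so real weights must come from the scoring methodology used in the assessment.

```python
"""Conditional CMMC Status checker (added example; rules taken from the post above).
Point values and dates passed in are constructed inputs, not official data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from math import ceil
from typing import Optional

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 requirements assessed at Level 2
MIN_SCORE_FRACTION = 0.80  # minimum initial score for Conditional Status
MAX_POAM_ITEMS = 22        # a Level 2 POA&M may hold at most 22 requirements ...
POAM_ITEM_POINTS = 1       # ... each valued at 1 point
REMEDIATION_DAYS = 180     # window to remediate and close out the POA&M

# Practices the post lists as never allowed on a POA&M.
POAM_EXCLUDED = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass
class Eligibility:
    score: int
    eligible: bool
    reasons: list = field(default_factory=list)
    closeout_deadline: Optional[date] = None


def evaluate_conditional_status(not_met, recorded_on):
    """not_met: (requirement_id, points) pairs, one per NOT MET requirement.
    recorded_on: ISO date the findings were entered into SPRS/eMASS; the
    180-day clock is assumed (per the post) to start on that day."""
    recorded = date.fromisoformat(recorded_on)
    score = TOTAL_REQUIREMENTS - sum(points for _, points in not_met)
    min_score = ceil(TOTAL_REQUIREMENTS * MIN_SCORE_FRACTION)  # 88 of 110
    reasons = []
    if score < min_score:
        reasons.append(f"score {score} is below the {min_score}-point (80%) minimum")
    excluded = sorted(req for req, _ in not_met if req in POAM_EXCLUDED)
    if excluded:
        reasons.append("NOT MET requirements not allowed on a POA&M: " + ", ".join(excluded))
    heavy = sorted(req for req, points in not_met if points > POAM_ITEM_POINTS)
    if heavy:
        reasons.append("NOT MET requirements worth more than 1 point: " + ", ".join(heavy))
    if len(not_met) > MAX_POAM_ITEMS:
        reasons.append(f"{len(not_met)} POA&M items exceeds the maximum of {MAX_POAM_ITEMS}")
    eligible = not reasons
    deadline = recorded + timedelta(days=REMEDIATION_DAYS) if eligible else None
    return Eligibility(score, eligible, reasons, deadline)


def closeout_outcome(elig, still_not_met, closeout_on):
    """Outcome of the closeout assessment on closeout_on (ISO date).
    still_not_met: POA&M items that the closeout found still NOT MET.
    A single unremediated item, or a missed window, expires the status."""
    if not elig.eligible:
        return "No Conditional Status: full reassessment required"
    if date.fromisoformat(closeout_on) > elig.closeout_deadline:
        return "Conditional Status expired: 180-day window missed"
    if still_not_met:
        return "Conditional Status expired: unremediated POA&M item(s)"
    return "Final CMMC Status"


if __name__ == "__main__":
    # Constructed sample: two one-point findings recorded on 10 Jan 2025.
    sample = [("AC.L2-3.1.1", 1), ("AU.L2-3.3.1", 1)]
    result = evaluate_conditional_status(sample, "2025-01-10")
    print(result)                                   # eligible, deadline 2025-07-09
    print(closeout_outcome(result, [], "2025-06-01"))
```

Each failed criterion is reported separately, so an OSA can see at once whether the problem is the score, an excluded practice, a weighted requirement, or simply too many items; a full reassessment is the only route when any of them fails.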

Once an organization receives a Conditional Status, the countdown begins ticking. It starts once the assessment findings are confirmed and entered into either SPRS (Supplier Performance Risk System) or eMASS (Enterprise Mission Assurance Support Service), depending on the assessment type.

Here’s a breakdown of which assessment types are submitted to each system:

SPRS (Supplier Performance Risk System):

  • Level 1 Self-Assessments: Organizations Seeking Assessment (OSAs) input the results of their Level 1 self-assessments directly into SPRS.
  • Level 2 Self-Assessments: OSAs also input the results of their Level 2 self-assessments, including POA&M usage and compliance status, into SPRS.

eMASS (Enterprise Mission Assurance Support Service):

  • Level 2 Certification Assessments: Certified Third-Party Assessment Organizations (C3PAOs) upload the results of Level 2 certification assessments into eMASS. This information is then automatically transmitted to SPRS.
  • Level 3 Certification Assessments: DCMA DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) inputs the results of Level 3 certification assessments into eMASS, which are then automatically transmitted to SPRS.

Essentially, self-assessments are submitted directly to SPRS, while third-party certification assessments are submitted to eMASS, which then feeds the information to SPRS. SPRS is the central repository for CMMC assessment data, where contracting officers can verify an organization’s CMMC status and score during the contract award process.

If the OSA doesn’t complete the POA&M within the 180-day timeframe, their Conditional CMMC Status expires, and they will no longer qualify for contracts that mandate CMMC compliance. For businesses that rely on DoD contracts, this can be a serious setback, potentially leading to loss of revenue and reputational damage.


Operational Plans (Aren’t POAMs)

A POAM focuses on addressing weaknesses identified in an assessment. Operational action plans address vulnerabilities or deficiencies discovered after an organization has achieved its Final CMMC Compliance Status.

For example, an operational plan of action may be necessary if a vulnerability is found due to an update or patch. Unlike POA&Ms, operational plans of action do not have to be resolved within the strict 180-day timeframe.


The Impact of Not Meeting the POAM Deadline

If the “NOT MET” items in a POAM aren’t brought into compliance within the 180-day timeframe, it’s bad news.

  • Expired status: Conditional CMMC Status expires after the 180 days and the company will no longer be deemed compliant at that CMMC level, making the company ineligible for contracts.
  • Reassessment: The OSA would have to go through a complete CMMC reassessment, which would be both time consuming and expensive.
  • Contractual Penalties: If a company doesn’t remediate its Plan of Action and Milestones (POAM) while they hold a contract, they could face penalties up to termination of the contract.

Businesses need to take the deadline seriously and prioritize remediating their POAM within the timeframe, so their business operations are not impacted.


The Process of Closing out a Plan of Action and Milestones

After addressing all the issues in a Plan of Action and Milestones, the organization undergoes a closeout assessment of the POAM items.

For Level 2 self-assessments, the closeout can be self-assessed, while certification assessments (Level 2 certification and Level 3) involve a third-party assessor. Only POA&M items for Level 2 self-assessments can be self-assessed.

  • The POA&M closeout self-assessment is performed by an Organization Seeking Assessment (OSA) after they have remediated the “NOT MET” security requirements identified in their initial Level 2 self-assessment.
  • This closeout self-assessment focuses solely on the requirements listed in the POA&M, using the same assessment methodology as the initial self-assessment.

POA&M items for Level 2 and Level 3 certification assessments cannot be self-assessed:

  • For Level 2 certification assessments, an authorized C3PAO must conduct the POA&M closeout certification assessment.
  • For Level 3 certification assessments, DCMA DIBCAC is responsible for the POA&M closeout certification assessment.

Here’s a table summarizing the process:

Assessment Type         | Initial Assessment                   | POA&M Closeout
------------------------|--------------------------------------|------------------------
Level 1 Self-Assessment | Self-assessment, no POA&Ms allowed   | N/A
Level 2 Self-Assessment | Self-assessment                      | Self-assessment
Level 2 Certification   | C3PAO assessment                     | C3PAO assessment
Level 3 Certification   | DCMA DIBCAC assessment               | DCMA DIBCAC assessment

During the POAM Close-out Assessment, the items that were previously marked as “NOT MET” are reviewed.

If everything is in order and meets the requirements, the organization transitions from a Conditional Cybersecurity Maturity Model Certification (CMMC) Status to a Final CMMC Status, which shows they are compliant and makes them eligible for Department of Defense contracts that require certification at the level they have achieved.

Consequences of Unremediated POA&M Items

If a POA&M item is found to still not meet the requirements during the POA&M close-out assessment, the organization will not achieve the “Final” CMMC Status for that level. This has several consequences:

  • The Conditional Status expires.
  • The organization is considered non-compliant with the CMMC requirements for that level and will be reflected as such in SPRS.
  • The organization becomes ineligible for new contract awards that require the CMMC level they failed to achieve.
  • If the Conditional Status expires during the performance of an existing contract that requires that CMMC level, standard contractual remedies may apply.

The specific process for addressing an unsuccessful POA&M closeout assessment varies slightly depending on the type of assessment:

Level 2 Self-Assessment:

  • The OSA must initiate a new Level 2 self-assessment. They will need to address all 110 NIST SP 800-171 R2 security requirements again, not just the ones that were previously on the POA&M.
  • The three-year clock for reassessment resets upon achieving a Final Level 2 (Self) status.

Level 2 and Level 3 Certification Assessments:

  • The organization will not receive a new certificate.
  • They must undergo a new full certification assessment with either a C3PAO (for Level 2) or DCMA DIBCAC (for Level 3) to attempt to achieve the required CMMC Status.

A single unremediated practice within the POA&M will cause the entire conditional certification to expire. The scope of the assessment cannot be changed mid-assessment to exclude the problematic practice. If the scope needs to be adjusted, a new assessment is required.

I hope this helped to clarify things. If you have any questions or need further guidance on managing your CMMC POAM, feel free to reach out!