Effective Project Management and Your POAM

By Donald DeWitt Jr. • October 27, 2021

If you have started your journey toward Cybersecurity Maturity Model Certification (CMMC), chances are you have assessed your current state and crafted a plan of action and milestones (POAM) to help you attain compliance. As you move forward and work to address the items on your task docket, where do you start and how do you proceed?


What a POAM is and why you need one

A POAM is a document, typically an Excel spreadsheet, that outlines your compliance gaps. It supplies a framework based on what you are working to achieve and helps you close the gap between where you are now and where you hope to be soon. Templates are available to help you create your own POAM structure.


You need a POAM because: 

  1. The CMMC and NIST 800-171 compliance frameworks require it. 
  2. It identifies where your company is lacking in terms of compliance and creates a game plan to mitigate those deficiencies. There is a lot of information about what to do and how to do it; breaking it down into tasks makes it easier for the people who will need to accomplish these items to understand and tackle them.


While the POAMs that we work with are IT- or compliance-based and used to support our work in implementing a technical or administrative control to meet regulatory requirements, the concept of a POAM could be expanded for any framework from privacy, financials, business operations, and more.


Moving forward and tracking progress

How you decide to proceed comes down to your corporate priority. Starting with compliance, are you looking to attain CMMC Level Three? If so, you will probably have to tackle the Level One compliance tasks and the DFARS issues associated with them before focusing on Level Three. You may also wonder which easy-to-remediate issues can be dealt with quickly. Working through the tasks that look to have fast implementation timelines while still keeping an eye on company compliance priorities can be a challenge. 


Your POAM should help you address issues such as: 

  • Which control was found to be non-compliant?
  • How was the issue with the control identified? 
  • When was the issue identified? 
  • When do you intend on addressing the issue?
  • What is the action you need to take?
  • Is this action not yet in progress, started, or completed? 


Ideally the person in charge of managing the POAMs for your company is your Chief Risk Officer (CRO). This person might hold the rolled-up, high-level version of the POAM, which they divide up by functional area or by responsibility. In the absence of a CRO, it is still good practice to have one person tracking the whole picture of project progress. 
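As an added example (not part of the original post), here is a small Python tracker that keeps POAM rows with the fields listed above, flags open items whose milestone date has passed, and produces the per-functional-area roll-up a CRO would hold. The rows, the `area` column and the control identifiers are constructed for illustration, not taken from a real assessment.

```python
import csv
from collections import Counter
from datetime import date
from io import StringIO

VALID_STATUS = {"not started", "in progress", "completed"}

# Constructed sample POAM rows (hypothetical): control, functional area,
# how and when the issue was identified, target date, action, and status.
SAMPLE_POAM = """control,area,how_identified,identified,target,action,status
AC.1.001,IT,Self-assessment,2021-06-01,2021-09-30,Limit system access to authorized users,completed
AC.1.002,IT,Self-assessment,2021-06-01,2021-12-31,Restrict access to approved transactions,in progress
AT.2.056,HR,Gap analysis,2021-07-15,2021-10-15,Deliver security awareness training,not started
IR.2.092,IT,Tabletop exercise,2021-08-02,2022-01-31,Establish incident-handling capability,in progress
"""


def load_poam(text):
    """Parse POAM rows, rejecting unknown status values and bad dates early."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        if row["status"] not in VALID_STATUS:
            raise ValueError(f"{row['control']}: unknown status {row['status']!r}")
        row["identified"] = date.fromisoformat(row["identified"])
        row["target"] = date.fromisoformat(row["target"])
    return rows


def overdue(rows, today_iso):
    """Controls still open after their milestone date, as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [r["control"] for r in rows
            if r["status"] != "completed" and r["target"] < today]


def rollup(rows):
    """High-level view: number of items per functional area and status."""
    counts = {}
    for r in rows:
        counts.setdefault(r["area"], Counter())[r["status"]] += 1
    return {area: dict(c) for area, c in counts.items()}


if __name__ == "__main__":
    poam = load_poam(SAMPLE_POAM)
    print("Overdue:", overdue(poam, "2021-10-27"))
    print("Roll-up:", rollup(poam))
```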


Continuous monitoring means your POAM is a living document 

Managing your POAM is not only a matter of making sure all of your controls are compliant and closing out each item on your task list. Assuming you are looking to comply with CMMC Level 3, you also have to be able to monitor all 130 controls and make sure they continue to be implemented effectively.

CMMC is more than just getting to 100% compliance; it is also about maintaining your full adherence to the security controls. Maintenance never ends. As your business moves forward, you need to continuously monitor and maintain your processes in order to preserve your compliant state.


Contact the compliance experts at CyberSheath for assistance in crafting your POAM and remediating the items. We’ve helped hundreds of organizations similar to yours meet their certification requirements. 
