How a Plan of Actions and Milestones Fits Into CMMC
There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones (POA&M or POAM).
Required to achieve compliance with NIST 800-171, a POAM is an extremely useful tool in helping your organization plan for a multitude of security projects, including compliance with standards like CMMC.
How a POAM Helps Realize Project Goals
Providing a structured approach for how to approach any security issue, a POAM delivers many benefits. It:
- Outlines activities necessary to mitigate security issues.
- Helps identify the security issue you are having or might have, and the underlying gap in your systems or processes.
- Assigns resources needed to mitigate issues.
- Holds your organization accountable with projected completion of milestone activities.
- Calls out how vulnerabilities were identified.
- Denotes risk level, labels status, and captures the estimated cost to remediate.
It’s a good idea to be well-versed and able to use a POAM now. Once you factor in the added benefit of helping your organization get ready for proceeding with CMMC compliance, using a POAM just makes sense.
POAM and CMMC Compliance
Preparation – As you ready your organization for tackling CMMC compliance, a POAM will matter more than ever. The plan can be used as a guide to understand what is required of your organization to receive the CMMC level certification your organization needs to bid on a government contract. It will actively manage and guide your project by highlighting the timeframe and resources required to achieve a CMMC level of certification by a specific date.
Maintenance – In the constantly evolving threat and technology landscapes, the tool can also assist in maintaining your certified level. A change to the threat environment could make a security practice no longer, or less, effective. A POAM could be used to reestablish compliance with the security practice if the new threat creates a gap.
Changes to your infrastructure may also create practice or process gaps that require a POAM to remediate. For example, if you are Maturity Level 3 certified at contract bid, which requires you have resources to collect and review your audit logs, and your organization doubles in size during the contract, you could potentially need a POAM to address the resources needed to collect and review audit logs which have now doubled in volume.
Advancement – After you have achieved initial CMMC compliance, a POAM can continue to add value, assisting your organization in leveling up and reaching a new degree of certification (i.e. advancing from CMMC Level 2 to CMMC Level 3). A POAM again becomes a driving force to manage your time around a project completion date as well as the resources required to successfully reach the determined milestones.
Executive Buy-In – As you look for budget and resource approvals to tackle CMMC compliance, a POAM can be a helpful tool in communicating with and getting buy-in from senior management.
Start familiarizing yourself with this valuable tool now by downloading our sample POAM template below.
CMMC Update – Draft Version 0.6
- Changed from 18 to 17 Domains with the elimination of the Governance domain.
- Focused more of the Practices on NIST 800-171 Controls.
- Identified 21 Practices through Practice Level 3 which are not attributed to NIST 800-171 R1. That is, to achieve Practice Level 3, you need to be fully compliant with NIST 800-171 R1 and implement the 21 new CMMC practices.
- Started referencing international frameworks including those from Australia and the UK.
- Removed the “redundant” Practices. For example, in Draft Version 0.4 of the standard, Level 1 might have a Practice that is implemented “at least in an ad hoc fashion” and the same control is fully applied in Level 2. These “ad hoc” practices were removed from Level 1.
If you have any questions or would like support as you ready your organization for CMMC, contact us.