Header for CMMC 2.0 blog series 'POA&M requirement changes'

CMMC 2.0: POA&M Requirement Changes

In our series of blogs on the newly announced CMMC 2.0  topic, we started by discussing the context for the update and also wrote about the impact on assessments. Our next topic to discuss is the changes to a project management tool known as a plan of action and milestones (POA&M). There are a few important modifications to the use of POA&Ms in CMMC 2.0.


How POA&Ms and Waivers are Impacted

Assignment of timelines to POA&Ms 

According to the initial version of CMMC 2.0, the way POA&Ms are used will change significantly. It’s a positive impact in the sense that businesses will need to deliver on their promises of implementing cybersecurity measures in a timely manner. 

Having to resolve POA&M items within potentially 180 days would be beneficial for national security–and great for the companies affected, as it gives them a goal with an assigned deadline. Now companies will be forced to answer important questions, like ‘where do I start?’, ‘how do I know when I’m done?’, and ‘how much is it going to cost?’. 

Often, having a project management plan with no deadlines associated with the itemized tasks results in inactivity. What projects ever get accomplished when you don’t have a deadline? In the past, we’ve seen POA&Ms be drawn up and left to languish. A company might have said, “We plan to procure, deploy, and implement multifactor authentication.” But the POA&M entry for MFA contained no dates, no details, no milestones, and no budgetary numbers. 

With the proposed revision, internal IT security teams will be better able to secure funding, as there will now be a specific timeframe, with the key driver being that companies want to continue contracting with the DOD.


Use of POA&Ms limited

For each control or requirement, there will be a minimum score that has to be achieved and for which a POA&M cannot be submitted. What the proposed revision maps out is that highest weighted requirements (those controls worth five points) have to be implemented. That means you cannot have a POA&M for these 5-point controls. 

This is another piece of good news for national security as there are cybersecurity steps that are table stakes. The bulk of NIST 800-171 is just good cybersecurity hygiene. With CMMC 2.0, the government is saying that there is going to be a minimum score for each control. If you want to contract with the DOD, your company will need to meet these minimum requirements. 



Waivers will be allowed on a very limited basis, which is in alignment with CMMC 1.0. To date, very few businesses have applied for and received one. 

Your business still needs to implement the necessary and required controls in NIST 800-171 and, with CMMC 2.0, you have to have a schedule as to the completion of outstanding items. The rulemaking waivers, to us, sound a little mythological. 


Next Steps

If you have any questions on how your organization should proceed in implementing cybersecurity controls, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.

Watch our latest webinar to learn more about CMMC 2.0 and how it might impact your business.


CyberSheath’s exclusive Federal Enclave is a “born compliant,” cloud-based solution for full compliance that’s easier, faster and more economical.
This is default text for notification bar