If you have started your journey toward Cybersecurity Maturity Model Certification (CMMC), chances are you have assessed your current state and crafted a plan of action and milestones (POAM) to help you attain compliance. As you move forward and work to address the items on your task docket, where do you start and how do you proceed?
What a POAM is and why you need one
A POAM is a document, typically an Excel spreadsheet, that outlines your compliance gaps. It provides the structure for the goal you are working toward and helps close the gap between where you are now and where you hope to be soon. Templates are available to help with creating your own POAM structure.
You need a POAM because:
- The CMMC and NIST 800-171 compliance frameworks require it.
- It identifies where your company is lacking in terms of compliance and creates a game plan to mitigate those deficiencies. There is a lot of information about what to do and how to do it; breaking it down into tasks makes it easier for the people who will need to accomplish these items to understand and tackle them.
While the POAMs that we work with are IT- or compliance-based and used to support our work in implementing a technical or administrative control to meet regulatory requirements, the concept of a POAM could be expanded for any framework from privacy, financials, business operations, and more.
Moving forward and tracking progress
How you decide to proceed comes down to what your corporate priority is. Starting with compliance, are you looking to attain CMMC Level Three? If so, you will probably have to tackle the Level One compliance tasks and the DFARS issues associated with that before focusing on Level Three. You may also wonder which easy-to-remediate issues can be dealt with quickly. Working through the tasks that look to have fast implementation timelines while still keeping an eye on company compliance priorities can be a challenge.
Your POAM should help you address issues such as:
- What is the control that was noticed to be non-compliant?
- How was the issue with the control identified?
- When was the issue identified?
- When do you intend on addressing the issue?
- What is the action you need to take?
- Is this action not yet in progress, started, or completed?
Ideally, the person in charge of managing the POAMs for your company is your Chief Risk Officer (CRO). This person might hold the rolled-up, high-level version of the POAM, which they divide up by functional area or by responsibility. In the absence of a CRO, it is still good practice to have one person tracking the whole picture of what is happening in terms of project progress.
Continuous monitoring means your POAM is a living document
In terms of managing your POAM, it’s not only making sure that all of your controls are compliant and closing out each item on your task list. Assuming you’re looking to comply with CMMC Level 3, you also have to be able to monitor all of the 130 controls and make sure that all those controls continue to be implemented effectively.
CMMC is more than just getting to 100% compliance; it is also about maintaining your full adherence to the security controls. Maintenance never ends. As your business moves forward, you need to continuously monitor and maintain your processes to preserve your compliant state.
Contact the compliance experts at CyberSheath for assistance in crafting your POAM and remediating the items. We’ve helped hundreds of organizations similar to yours meet their certification requirements.