What is a POA&M in CMMC?

If your DIB organization has been preparing for CMMC assessments (coming 2025), you may have heard a little something about POA&Ms. What an acronym! (CMMC has several weird acronyms like C3PAO.) But once it's all spelled out, POA&Ms aren't so scary - it stands for Plan of Actions & Milestones.

With the implementation of CMMC 2.0, the DoD will allow companies to receive contract awards with a limited-time Plan of Actions and Milestones in place to complete CMMC requirements. A baseline number of requirements must be achieved prior to contract award, with the remaining subset to be addressed in a POA&M within a clearly defined timeline. Critical and highly weighted controls are not eligible for a POA&M.

The allowance of POA&Ms means a DIB company that is not currently meeting all requirements of NIST SP 800-171 will be allowed extra time to implement. However, the POA&M must be completed and closed by the designated date or the award will be revoked.

Once CMMC 2.0 goes live in 2025, the required CMMC level for contractors and subcontractors will be specified in the solicitation and in Requests for Information (RFIs), if utilized. Depending on the nature of the contract award, you may be required to demonstrate either level 1 or level 2 CMMC compliance right away. Remember: to move from level 2 to level 3, you must have passed a third-party assessment and have no open POA&Ms (however, with the phased rollout, level 3 certification will not be available for some time).

[Figure: POA&M template. Image from NIST]

NIST has put together a free Excel document to help companies build their Plan of Action for securing controlled unclassified information.

TotalCare IT can help your organization prepare for CMMC by walking you through an alignment to the NIST standards.

We will create a roadmap for you that clearly outlines where your organization is currently meeting NIST SP 800-171 controls and where you need improvement.

Then, as part of our ongoing compliance management service, we help you implement all the controls in your organization. We can also help you create POA&Ms if needed and walk your organization through self-assessments.

Implementing security controls does not happen overnight. If your DIB organization hasn’t started preparing for the rollout of CMMC in 2025, what are you waiting for? Give us a call today to get started!
