November 5, 2024
Let's Talk About POA&Ms
One of the most misunderstood aspects of CMMC is the Plan of Action and Milestones ("POA&M"), along with the newly referenced Operational Plan of Action ("OPA"). What exactly is the difference? The OPA addresses only temporary issues. Quoting the final rule (emphasis added):
Operational plan of action ... means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies (e.g., necessary information system updates, patches, or reconfiguration as threats evolve) in implementation of requirements and documents how they will be mitigated, corrected, or eliminated....
Temporary deficiency means a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.
This is important because temporary deficiencies that are appropriately addressed in an OPA will be assessed as MET during an official assessment. The POA&M is for controls assessed as NOT MET -- misunderstood, incorrectly implemented, documentation out of date, etc. Too many of those and you fail your assessment.
Critical points of note with respect to POA&Ms:
- No POA&Ms are permitted for CMMC Level 1.
- At L2, POA&Ms are permitted only under limited circumstances:
  - Only 1-point controls according to DODAM (except FIPS & MFA)
  - No L1 controls can be on the POA&M
  - Max of 22 controls permitted on the POA&M to receive conditional certification, allowing 180 days to correct issues and have a close-out assessment on those controls, resulting in a final certification.
In CMMC, POA&Ms are not the "get out of jail free" card that they have been up to now, where you can put pretty much anything in 800-171 on your POA&M and be deemed "compliant." That ship has sailed.
I would caution you not to plan on undergoing an official CMMC L2 assessment with open POA&Ms. While the rule doesn't specifically prohibit an assessment from starting with open POA&Ms, I believe that in practice, many C3PAOs will be reluctant to start your assessment knowing you have at least one failed control. They want to keep their success rate high. (The earlier draft version of the CMMC Assessment Process did prohibit assessments from starting with open POA&Ms. We should know soon what the final version says.)
If you need help with your CMMC compliance program, I'm here! Email, call, or schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107