Plans of Action and Milestones, or a POAM, is a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones”, as defined by NIST.
When your organization is working towards NIST 800-171 compliance, there may be unmet requirements. A POAM is necessary in order to plan for and complete the necessary remediation.
Read on to learn more about how POAMs fit into CMMC 2.0 and the steps required to develop a POAM.
POAMs and CMMC 2.0
Previously, under the initial CMMC framework, POAMs were not allowed. You either met all requirements or you didn’t. Under the updated CMMC 2.0, POAMs are permitted on a “limited use” basis.
The DoD anticipates a 180-day timeline to resolve a POAM. Additionally, of the 110 controls in NIST 800-171 and CMMC Level 2, POAMs for the highest-weighted requirements are likely not permitted. This means that POAMs will not be allowed for almost 40% of the requirements in NIST 800-171 and CMMC Level 2.
Developing A POAM
Usually, organizations will undergo an internal audit or external assessment, like SSE’s Gap Assessment, to identify and document gaps in their compliance.
A POAM will contain the following information:
- The area(s) of non-compliance with NIST 800-171
- The area(s) of the organization responsible for the system or network vulnerability
- The resources needed to solve the vulnerability
- Key project milestones with deadline dates
- The final date for becoming compliant
- The status of the improvement project
The final document will usually be generated in the form of a spreadsheet and should be continuously updated until every item in it has been resolved.
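To make the spreadsheet described above concrete, here is an added example (not from this article or from SSE) of a small POAM tracker: each entry carries the fields listed above, the tracker derives a status from milestone progress, and it flags any planned completion date that falls outside the 180-day window the DoD anticipates. The field names, the control identifiers, the dates and the sample entries are all constructed for illustration and are not taken from any real assessment.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import csv
import io

# Anticipated DoD resolution timeline quoted in the article.
DOD_POAM_WINDOW_DAYS = 180


@dataclass
class Milestone:
    description: str
    due: date
    done: bool = False


@dataclass
class POAMItem:
    """One row of the POAM spreadsheet; field names are this example's own."""
    control_id: str            # NIST 800-171 requirement identifier (constructed values below)
    weakness: str              # area of non-compliance
    responsible_unit: str      # organizational unit that owns the fix
    resources: str             # what is needed to remediate
    opened: date               # when the gap was recorded
    target_completion: date    # final date for becoming compliant
    milestones: list = field(default_factory=list)


def window_deadline(item: POAMItem) -> date:
    """Date on which the DoD's anticipated 180-day timeline expires."""
    return item.opened + timedelta(days=DOD_POAM_WINDOW_DAYS)


def exceeds_window(item: POAMItem) -> bool:
    """True when the planned completion date falls outside the 180-day window."""
    return item.target_completion > window_deadline(item)


def status(item: POAMItem, today: date) -> str:
    """Derive the improvement-project status from milestone progress and dates."""
    if item.milestones and all(m.done for m in item.milestones):
        return "Closed"
    if today > item.target_completion:
        return "Overdue"
    if any(not m.done and m.due < today for m in item.milestones):
        return "At Risk"      # an interim milestone has slipped
    return "On Track"


def to_csv(items, today: date) -> str:
    """Render the tracker in the spreadsheet form the article describes."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["control", "weakness", "owner", "resources", "opened", "target",
                "window_deadline", "exceeds_180d", "milestones_done", "status"])
    for it in items:
        done = sum(m.done for m in it.milestones)
        w.writerow([it.control_id, it.weakness, it.responsible_unit, it.resources,
                    it.opened.isoformat(), it.target_completion.isoformat(),
                    window_deadline(it).isoformat(), exceeds_window(it),
                    f"{done}/{len(it.milestones)}", status(it, today)])
    return buf.getvalue()


# Constructed sample entries; control ids, owners and dates are illustrative only.
SAMPLE_ITEMS = [
    POAMItem("3.5.3", "MFA not enforced for remote access", "IT Operations",
             "MFA licences, 40 staff-hours", date(2024, 1, 10), date(2024, 4, 30),
             [Milestone("Procure MFA licences", date(2024, 2, 15), done=True),
              Milestone("Enrol all remote users", date(2024, 4, 15))]),
    POAMItem("3.3.1", "Audit logs not centrally retained", "Security Team",
             "Log collector, 2 TB storage", date(2023, 8, 1), date(2024, 2, 15),
             [Milestone("Deploy log collector", date(2023, 12, 1))]),
    POAMItem("3.12.4", "System security plan out of date", "Compliance Office",
             "Technical writer, 20 staff-hours", date(2024, 1, 15), date(2024, 9, 30),
             [Milestone("Draft updated SSP", date(2024, 2, 1))]),
]

if __name__ == "__main__":
    # Review as of a fixed date so the output is reproducible.
    print(to_csv(SAMPLE_ITEMS, date(2024, 3, 1)))
```

Running the script prints the tracker as CSV, which can be opened as the spreadsheet the article mentions; the `exceeds_180d` column is the check worth watching, since an item whose planned completion already sits past the anticipated window is a candidate for re-planning before an assessor sees it.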
Work With SSE
At SSE, we know these evolving requirements can feel overwhelming. As a Registered Provider Organization with the CMMC Accreditation Board, we are up to speed on the latest changes. As a DoD Contractor ourselves, we have the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.
Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment with our team now!