What’s the current buzz in the DoD community? Since the publishing of the CMMC 2.0 Final Rule in late December 2023, contractors have been exploring and discussing this comprehensive update from CMMC 1.0. In this blog post, we’ll delve into one crucial aspect of CMMC 2.0: Plans of Actions & Milestones (POAM) and how the updates will make certain aspects of CMMC 2.0 MORE business friendly.
TIP!:
It’s essential to note that POA&Ms are applicable to a select subset of NIST SP 800-171 rev2 controls and must be resolved within a strict 180-day timeframe.
So, what’s the scoop with CMMC 2.0 for organizations striving for CMMC certification? Select time-limited POA&Ms will now be permitted. This marks a significant departure from the rigid all-or-nothing demands of achieving a flawless score under CMMC 1.0. Businesses can now enjoy increased flexibility for specific controls, allowing for resource allocation over time. It’s a much-needed shift towards a more accommodating framework for those pursuing certification.
Under the published rule, a conditional certification may be issued with POA&Ms under certain conditions including:
- Must have a minimum assessment score of 80% (The assessment score divided by the total number of security requirements is greater than or equal to 0.8)
- POA&M items are required to be closed out within 180 days (C3PAO comes back to reassess)
- None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology
- SC.L2–3.13.11 (FIPS-validated encryption) is a 5-point control that can be POA&M’d if “partially implemented” (encryption is used, but it is not FIPS validated)
How will POA&Ms help make achieving CMMC certification easier?
Certain controls, generally those rated 1 point, can now be implemented overtime, leveraging POA&Ms. That said, there are some exceptions.
- No POA&Ms are allowed for the 17 foundational CMMC Level 1 Controls. These key controls have been deemed critical cybersecurity practices for the DoD supply chain and MUST be implemented in full to achieve a CMMC certification.
- Most controls with a point value of “1” can have a POA&M with the following exceptions:
❌ AC.L1-3.1.20 – External Connections
❌ AC.L1-3.1.22 – Control Public Information
❌ PE.L1-3.10.3 – Escort Visitors
❌ PE.L1-3.10.4 – Physical Access Logs
❌ PE.L1-3.10.5 – Manage Physical Access
Plus, with the publishing of the proposed final CMCC 2.0 rule, a minimum score was born!
For organizations to be eligible for POA&Ms in certain requirements, they must have a minimum score of 80% against the NIST SP 800-171 rev2 framework. The assessment score starts at a perfect 110, and points are deducted for each area of deficiency for a possible score of negative 203. The controls are weighted at 1 point, 3 points, or 5 points, depending on their criticality. Now we know that contractors will be expected to have a minimum score of 80% to be eligible for a CMMC Certification.
Want to learn more about CMMC 2.0? Our expert team at Alluvionic is fully prepared to guide you through, contact our CMMC specialts at Alluvionic.com and continue reading about the CMMC 2.0 final rule from our December 2023 update.
