What is a POAM in CMMC 2.0?

What is a POAM in CMMC 2.0?

POAM is an acronym that appears often in CMMC 2.0. POAM stands for Plan of Actions and Milestones. What does that mean and how does it relate to CMMC? Let’s take a look and learn more. 
What is a POAM?

Complying with NIST SP 800-171r2 controls for CMMC 2.0 is a binary experience. You either pass every aspect of that control or you do not. If you are close to complying but not quite there, your POAM can be your contingency plan for those final steps toward compliance. It is your documentation on how you will fix any gaps and make sure you are in compliance. There is a catch, however. Some of the NIST security controls cannot have a POAM submitted. They have to be passed completely on the first try.

The CMMC 2.0 Point System

This is a good time to briefly discuss how CMMC 2.0 scoring will work. Every control in the NIST SP 800-171r2 standard is valued at 1, 3, or 5 points. The first step an organization must meet is to comply with 88 out of the 110 possible controls. If you've met 88 out of the 110 controls and the remaining 22 are close to complete, you might be eligible for POAMs. 

There are two more catches to this scoring as it relates to POAMs. First, only controls that are scored at 1 points can have a POAM assigned to them. Also, your CMMC Third Party Assessment Organization (C3PAO) has to sign off on these controls as POAMs. 

If your organization determines that a few controls need to have POAMs submitted for them, you cannot indicate a timeline of “TBD.” These plans must be enacted within 180 days. After that, the POAM expires. 

POAMs Are Not Shortcuts

A NIST assessment is not just a trial run that you can use POAMs to complete. POAMs last for 180 days, and it is incumbent on the organization to make sure those POAMs are completed. Also remember, POAMs can be rejected by the C3PAO.

CMMC 2.0 is Complex

Many of the comments on CMMC 2.0 are related to POAMs, and they generate many questions  about the proposed rule. Some contractors have concerns about meeting the controls valued and 3 and 5 points that cannot have POAMs assigned to them. If you have questions about POAMs please feel free to contact us. 

Show Policy

New! NIST 800-171 assessment checklist!

Latest Resources

See all resources