CMMC 2.0 POA&M Guidance from the Proposed Rule (2024)

grcacademy.io / @Jacob Hill

The United States Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) 1.0 didn’t allow Plan of Actions and Milestones (POA&Ms).

According to NIST Special Publication 800-53 r5, a POA&M is “a document that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and the scheduled completion dates for the milestones.”

A common response from industry was to ask the DoD to reflect on their own systems, and to allow industry the same amount of flexibility as they do on their own.

The long awaited CMMC proposed rule was released the Friday before Christmas! The rule clearly specifies when POA&Ms are allowed and when they are not.

Assessment POA&Ms and Operational POA&Ms

The CMMC rule differentiates between an assessment POA&M and an operational POA&M.

Assessment POA&M:

For purposes of conducting a CMMC assessment and satisfying the contractual eligibility requirements for CMMC Level 1, 2, or 3, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions…

CMMC Proposed Rule – https://www.federalregister.gov/d/2023-27280/p-1384

Under CMMC 1.0 no assessment POA&Ms were allowed!

Operational POA&M:

An OSA shall maintain a POA&M, as applicable, as part of operations under the security requirement for Risk Assessments and Continuous Monitoring (CA.L2–3.12.2) for CMMC Levels 2 and 3…

CMMC Proposed Rule – https://www.federalregister.gov/d/2023-27280/p-1384

The DoD understands that issues will occur over time after the assessment, but they want the CMMC controls as compliant as possible at the time of assessment.

I think this makes a lot of sense. Although the contractor will be required to submit annual affirmations of continued compliance, CMC doesn’t have an RMF-like continuous monitoring capability where the government has at least periodic insight into the detailed security state of the system (in this case the organization).

POA&M Closeouts

If you come out of your CMMC level 2 or level 3 assessment with a POA&M, you must complete all of the findings within 6 months.

“If the POA&M is not closed out within the 180-day timeframe, the Conditional Level 2 Certification status will expire.”

CMMC Proposed Rule – https://www.federalregister.gov/d/2023-27280/p-1314

This also applies to CMMC level 2 self-assessments and CMMC level 3 certifications.

And if you have an active contract with CMMC requirements, “standard contractual remedies” will apply, and the OSC will be ineligible for additional awards” within the impacted CMMC assessment scope.

Our friend Shauna Weatherly of FedSubK.com provided context to what “standard contractual remedies” could include:

Those [standard contractual remedies] would be up to the agency, but I could see variations from a price adjustment in favor of the agency to contract termination for default (T4D), depending on how egregious the issues are, the contractor’s effort (or lack thereof) to correct, and impacts to the Government mission.

Under a Cost-plus-Award-Fee (CPAF) or Cost-plus-Incentive-Fee (CPIF) type contract it could result in a loss of fee, depending on the structure or basis of fee payments.

Under Performance-Based Contracts, maintaining compliance could be an element in the Quality Assurance Surveillance Plan (QASP) and result in reduced contract payments.

It would also most likely result in an overall negative past performance rating in CPARS, or at the very least negative ratings for specific CPARS element(s), which follows a contractor for three years for source selection purposes as they seek new awards.

Shauna Weatherly, founder of FedSubK.com, retired 35-year federal acquisition professional

Timing here is very important. If a C3PAO or DIBCAC was involved in the assessment, they have to perform a POA&M closeout with you. Depending on the controls that were POA&M’d, that might require another onsite visit and more time to accomplish the closeout.

I imagine there will be many companies that run into problems because they delayed closing out their assessment POA&M.

Controls that can be placed on a POA&M

The controls that are allowed to be POA&M’d can be easily viewed on our CMMC control explorer. They are also listed below.

CMMC Level 1

  • No POA&Ms are allowed in CMMC level 1

CMMC Level 2

POA&Ms are allowed under certain conditions:

  • Must have a minimum assessment score of 80%
  • POA&M items are required to be closed out within 180 days (C3PAO comes back to verify)
  • SC.L2–3.13.11 (FIPS-validated encryption)
    • 5-point control that can be POA&M’d if “partially implemented” (encryption is used, but it is not FIPS validated)
  • Most controls with a point value of “1” can be POA&M’d

POA&Ms are not allowed for any of the following 1-point controls:

CMMC Level 3

POA&Ms are allowed under certain conditions:

  • Must have a minimum assessment score of 80%
  • POA&M items are required to be closed out within 180 days (DIBCAC comes back to verify)

Cannot POA&M any of the following controls:

published 6 months ago


Previous

CMMC 2.11 Proposed Rule Released (December 2023)
published 6 months ago

Next

GRC Academy Partners with PECB
published 5 months ago
See all items from the same source