The use of software to manage POA&Ms is not a legal mandate. However, businesses working under DoD contracts are required to comply with DFARS clause 252.204-7012 to protect controlled unclassified information. In practice, that compliance means a business must implement the cybersecurity requirements outlined in the National Institute of Standards and Technology (NIST) SP 800-171 standard.
Within this standard, a business is required to systematically assess its cybersecurity risk, namely the risks associated with incomplete 800-171 compliance. The business is also required to establish a Plan of Action and Milestones (POA&M), identifying the steps it will carry out to mitigate those risks.
Given the complexity, timelines and budget involved, automating your POA&M management with Onspring software is often the most efficient way to streamline workflows, reporting and documentation.