How Do NIST and POA&Ms Come into Play?
Compliance with earlier NIST-based security requirements was self-attested: an organization could simply declare itself compliant and be treated as compliant. With CMMC 2.0, the requirements at each level are aligned with NIST and other cybersecurity standards used in the industry.
CMMC shifts the burden of proving cybersecurity compliance from self-assessment to external assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs).
Self-assessments should be conducted before engaging a C3PAO, because they may yield findings that require you to develop a POA&M (Plan of Action and Milestones). This document details the specific measures your company will take to correct the deficiencies found during a security control assessment, including the tasks involved and the resources needed to carry the plan out.
In this new version of CMMC, the Department of Defense allows organizations to document certain unmet CMMC requirements in a POA&M rather than satisfying them before assessment. However, a POA&M is not a blanket substitute: organizations must first meet a defined set of requirements, and the remaining requirements covered by the POA&M must then be completed within a specified timeline.
A POAM can be valuable for driving your team’s preparation toward higher levels of cybersecurity maturity. But before you’re ready for evaluation, there’s documentation to complete, technology to deploy, processes and capabilities and controls to put in place, acronyms to make sense of . . . Deep breath. You can do this. And we can help.