Mastering the Plan of Action and Milestones: A Comprehensive Guide

A Plan of Action and Milestones (POAM) is essentially a roadmap for addressing gaps in an organization's System Security Plan (SSP), specifically the controls needed to comply with the NIST 800-171 cybersecurity framework. It functions like a corrective action plan, outlining the steps needed to identify, prioritize, and ultimately implement the missing controls.

POAMs are created to systematically address the missing controls discovered during a gap analysis. They help organizations track progress in closing these gaps and achieving compliance with DFARS 7012 and NIST 800-171.

If you need to achieve compliance in order to secure a contract with the United States government, and you have 1) undergone a gap analysis and 2) completed an SSP, you're ready for the next step: creating a POAM.

The Role of POAM in CMMC Compliance

In the early days of cybersecurity compliance, the DoD issued a clause known as DFARS 252.204-7012. The goal of DFARS 7012 was to ensure that contractors took the action necessary to protect themselves (and, by association, the DoD) from persistent cyber threats by complying with NIST SP 800-171 controls. It quickly became apparent that companies weren’t actually complying with DFARS, as it was built on the principle of self-assessment. 

In other words, there was no formal mechanism that could verify a contractor's compliance with NIST 800-171. This led to the development and introduction of the Cybersecurity Maturity Model Certification. The Cybersecurity Maturity Model Certification (CMMC) program is a framework designed to assess the cybersecurity preparedness of organizations in the Department of Defense (DoD) supply chain.

CMMC introduced a certification system with independent audits. A POAM is a project plan with estimated dates for implementing the controls, policies, and procedures identified as missing in the gap analysis.

The POAM functions as a roadmap, outlining specific steps to address these shortcomings. These steps might involve:

  • Implementing new policies or procedures
  • Identifying or fulfilling roles required by NIST 800-171
  • Acquiring new technology
  • Conducting employee training

By identifying gaps and creating a roadmap to close them, a POAM helps contractors prepare for a successful CMMC audit. It also promotes a proactive approach to cybersecurity compliance rather than waiting for a potential audit to reveal deficiencies.

What is a Plan of Action and Milestones (POAM)?

A Plan of Action and Milestones (POAM) is a strategic document that outlines the actions an organization needs to take to achieve compliance with NIST 800-171. It's a roadmap that guides the project team, detailing the tasks, milestones, and resources necessary to reach the desired outcome.

The POAM is more than just an action plan; it's a project plan that helps organizations manage their security posture, track progress, and ensure that all tasks are completed on time. The tasks within the POAM are assigned scheduled completion dates, making it easier to monitor progress as goals are accomplished and to address any delays promptly. It also details the resources required, identifies tasks, and lists the system weaknesses whose remediation will improve your security posture.

A well-structured POAM is also a regulatory requirement for anyone who wants to work with the federal government. 

The POAM, like any other project plan, is a temporary document that only lives as long as the manufacturer is not compliant with NIST 800-171. Once all 110 controls are implemented (which is the requirement of CMMC and DFARS), the POAM is finished and simply becomes an artifact.

The Process of Creating a Plan of Action and Milestones

Creating a Plan of Action and Milestones (POAM) is a systematic approach to enhancing your cyber infrastructure's security. It involves a series of steps, from receiving audit reports to implementing the corrective action plan. This process allows business owners to make informed, risk-based decisions, ensuring the resilience of their system.

Receiving Gap Analysis Reports

When a gap analysis or risk assessment is conducted, the first step in the remediation process is receiving the gap analysis report. This report is a crucial tool that highlights potential areas of concern within your environment. It's an essential part of maintaining overall security and making risk-based decisions.

Identifying Opportunities to Improve Security

The dynamic nature of cyber threats necessitates ongoing vigilance to keep systems robust and resilient. When audits are conducted on an environment, they often reveal areas where the security controls can be fortified. This isn't a reflection of inadequacy on the part of the business owner or the system builder but rather an indication of the ever-evolving landscape of cybersecurity.

The term "weakness" is often used in audit reports to describe potential threats and vulnerabilities. These weaknesses can sometimes be addressed immediately, while at other times, a more comprehensive Plan of Action and Milestones (POAM) is required. Occasionally, an existing control might partially mitigate the risk, leading the team to deem the risk as acceptable.

The identification of these opportunities is crucial for the overall security of the CMS system. It allows the team to proactively address potential threats, thereby strengthening the cyberinfrastructure and reducing the system's risk level. This process is a testament to the fact that security is never a one-time task but a continuous journey of improvement and adaptation.

Analyzing Risks and Options

This step involves a thorough examination of the identified system vulnerabilities and potential threats. The goal is to understand the risk level each weakness poses to the overall security of the CMS system and the business owner's operations.

The analysis is not just about identifying the risks, but also about understanding their potential impact. This involves considering the likelihood of a risk being exploited and the possible consequences on the system and users. The severity level of each risk is also taken into account, as it indicates the significance of the weakness to the system's security and privacy posture.

Based on the results of these analyses, the team can then decide on the best course of action. This could involve deeming the risk as "acceptable" and developing a Risk-Based Decision (RBD) to justify this acceptance. If the risk is deemed "unacceptable", the team will need to move on to develop a corrective action plan. This decision-making process is crucial in maintaining a resilient cyber infrastructure and protecting sensitive information.

Developing a Corrective Action Plan

A corrective action plan outlines the missing controls identified during the assessment of your cyber infrastructure. It also includes the milestones your team will work through to mitigate the risks.

The plan should be developed collaboratively, involving your integrated project team and other stakeholders. Each finding should have at least one corresponding milestone, complete with an estimated completion date and resource requirements.

Once the plan is formalized, it is entered into a system as a series of milestone records.

Implementing the Plan of Action

As a business owner, it's your responsibility to ensure that the corrective action plan is executed effectively. This involves allocating the necessary resources, setting realistic deadlines, and continuously monitoring the progress.

The POAM is not a one-time activity. It requires regular updates as controls are implemented so that it continues to reflect the real state of remediation. Keeping it current allows for data-based decisions and ensures that your POAM remains effective.

What Should Your POAM Include?

A good POAM (Plan of Action and Milestones) should include several key elements to effectively address cybersecurity weaknesses and track progress toward remediation. 

Identified Gaps:

  • This includes each non-compliant control and sub-control.

Action Items:

  • Outline the specific steps that need to be taken to remediate each issue.
  • These actions should be clear, concise, and achievable.

Resource Allocation:

  • Identify the resources required to complete the action items.
  • This could involve assigning personnel with the necessary expertise, budgeting for required tools or software, or allocating other necessary resources.

Milestones:

  • Define specific, measurable checkpoints that mark progress toward completing the action items.
  • Milestones should be achievable and serve as a way to track the overall progress of the POAM.

Completion Dates:

  • Set target dates for achieving each milestone and ultimately completing the entire POAM.
  • Deadlines should be realistic and consider the complexity of the tasks and resource availability.

Accountability:

  • Assign clear ownership for each action item and milestone.
  • This ensures specific individuals are responsible for completing tasks and achieving goals.

Monitoring and Reporting:

  • Establish a process for monitoring progress toward milestones and completion dates.
  • Regularly review and update the POAM as needed to reflect changes or unforeseen circumstances.

Supporting Documentation:

  • Attach relevant documentation to support the POAM, such as risk assessments, vulnerability reports, or references to security policies.

By incorporating these elements, your POAM becomes a comprehensive and actionable plan for achieving DFARS compliance.
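As an added illustration (not code from the original article), here is a minimal Python tracker that models the elements listed above: each non-compliant NIST 800-171 control as a gap with its weakness and resource allocation, owned and dated milestones, a validation check that every finding has at least one milestone and an accountable owner, an overdue report for the monitoring step, and a progress figure against the 110 controls. The sample entries, names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Milestone:
    description: str
    owner: str                  # accountability: the person responsible
    target: date                # scheduled completion date
    completed: "date | None" = None

@dataclass
class Gap:
    control: str                # NIST 800-171 control id, e.g. "3.1.1"
    weakness: str               # finding from the gap analysis report
    resources: str              # resource allocation for the action items
    milestones: list = field(default_factory=list)
    def is_closed(self) -> bool:
        return bool(self.milestones) and all(m.completed for m in self.milestones)

def validate(gaps) -> list:
    """Every gap needs at least one milestone, and every milestone an owner."""
    problems = []
    for g in gaps:
        if not g.milestones:
            problems.append(f"{g.control}: no milestone defined")
        for m in g.milestones:
            if not m.owner:
                problems.append(f"{g.control}: '{m.description}' has no owner")
    return problems

def overdue(gaps, today: date) -> list:
    """Open milestones whose target date has passed (the monitoring step)."""
    return [(g.control, m.description) for g in gaps for m in g.milestones
            if m.completed is None and m.target < today]

def progress(gaps, total_controls: int = 110) -> dict:
    """Assumes the POAM lists every non-compliant control, so closed = implemented."""
    open_gaps = sum(1 for g in gaps if not g.is_closed())
    done = total_controls - open_gaps
    return {"open": open_gaps, "implemented": done,
            "percent": round(100 * done / total_controls, 1)}

# Constructed sample POAM entries (illustrative, not real findings)
SAMPLE = [
    Gap("3.1.1", "No documented list of authorized users", "IT lead, 8 hours",
        [Milestone("Publish authorized-user list", "J. Doe", date(2024, 3, 1), date(2024, 2, 20))]),
    Gap("3.5.3", "MFA not enforced for remote access", "MFA licenses, 40 hours",
        [Milestone("Procure MFA tokens", "J. Doe", date(2024, 4, 1)),
         Milestone("Enforce MFA on VPN", "", date(2024, 5, 15))]),
    Gap("3.2.2", "No role-based security training", "Training vendor budget"),
]
```

Running `validate(SAMPLE)`, `overdue(SAMPLE, date.today())` and `progress(SAMPLE)` during each review cycle gives the checks the Monitoring and Reporting element calls for.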

Mastering the Plan of Action and Milestones

A well-crafted POAM can help you track progress toward achieving regulatory compliance, mitigating risks, and ensuring the organization is prepared to face any cyber threat.

Remember, the journey to mastering POAM is a continuous one. It requires the integration of the project team, business owners, and even third parties. If you need help with your POAM, it's time to get the experts on board. Get in touch with Site2 today.