POA&M Pitfalls: What You Can’t Fix After Your CMMC Assessment
Not every CMMC requirement can be deferred to a Plan of Action and Milestones (POA&M), and knowing which ones must be fully implemented on assessment day can make the difference between passing and failing.
Low Point, High Impact
If you are part of the CMMC ecosystem, you are likely well acquainted with the 110 Level 2 requirements spread across the model’s 14 domains. What is less well understood is what can, and cannot, be placed on a Plan of Action and Milestones (POA&M) when an assessment finds gaps in your environment.
Below is a high-level overview of how CMMC requirements are scored, what a POA&M is, and how a POA&M can be used throughout your CMMC journey.
What Is a POA&M?
A CMMC POA&M is a formal document in which a DoD/DoW contractor records how each gap identified against its System Security Plan (SSP) will be closed. When enough requirements are met (a minimum score of 88 out of 110, or 80%, for a Level 2 assessment) and every remaining gap is POA&M-eligible, the assessment can result in a temporary “Conditional” status. Every item on the POA&M must then be remediated within 180 days.
Think of the POA&M as your roadmap from conditional status to full certification. It should clearly define each remediation task, the resources required, milestones, and target completion dates.
While the concept seems straightforward, not every requirement is eligible for a POA&M, and the distinction is not always obvious.
What Can and Cannot Be Added to a POA&M?
Each CMMC requirement carries a value of 1, 3, or 5 points under the DoD Assessment Scoring Methodology. A common misconception is that every 1-point requirement is “POA&M-able” and that 3- and 5-point requirements never are.
The reality is more nuanced. Of the 110 requirements, 48 are valued at 1 point, and most of those are eligible for a POA&M. Assuming that all of them are, however, is a mistake.
Several 1-point requirements can never be placed on a POA&M, and failing any of them fails the assessment regardless of your overall score. The following must be fully implemented at the time of assessment:
| Control ID | Control Name | Control Language |
|---|---|---|
| AC.L2-3.1.20 | External Connections | Verify and control/limit connections to and use of external systems |
| AC.L2-3.1.22 | Control Public Information | Control CUI posted or processed on publicly accessible systems |
| PE.L2-3.10.3 | Escort Visitors | Escort visitors and monitor visitor activity |
| PE.L2-3.10.4 | Physical Access Logs | Maintain audit logs of physical access |
| PE.L2-3.10.5 | Manage Physical Access | Control and manage physical access devices |
In addition to these, CA.L2-3.12.4 (System Security Plan) must be fully satisfied. Without an adequately documented SSP containing every element required under 3.12.4, the assessor cannot complete the assessment, and the result is a failed assessment by default.
What does this mean for my assessment?
You should always go into an assessment prepared and on track to score the full 110. Avoid opening a POA&M at all if you can. At a minimum, every assessment objective of the following requirements must be fully met; a gap in any one of them is an automatic failed assessment, regardless of your final score:
| Domain | Controls that cannot be on a POA&M |
|---|---|
| Access Control | 3.1.1, 3.1.2, 3.1.5, 3.1.12, 3.1.13, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.22 |
| Awareness & Training | 3.2.1, 3.2.2 |
| Audit & Accountability | 3.3.1, 3.3.2, 3.3.5 |
| Configuration Management | 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8 |
| Identification & Authentication | 3.5.1, 3.5.2, 3.5.3, 3.5.10 |
| Incident Response | 3.6.1, 3.6.2 |
| Maintenance | 3.7.1, 3.7.2, 3.7.4, 3.7.5 |
| Media Protection | 3.8.1, 3.8.2, 3.8.3, 3.8.7, 3.8.8 |
| Personnel Security | 3.9.1, 3.9.2 |
| Physical Protection | 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5 |
| Risk Assessment | 3.11.1, 3.11.2 |
| Security Assessment | 3.12.1, 3.12.2, 3.12.3, 3.12.4 |
| System & Communications Protection | 3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.8, 3.13.11*, 3.13.15 |
| System & Information Integrity | 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 3.14.7 |
This leaves only 47 requirements that are allowed on a POA&M, all of them 1-point items (plus SC.L2-3.13.11 in the special case described below). Because the minimum passing score is 88, you can lose at most 22 points: that is 22 open requirements, or only 19 if 3.13.11 is among them, since it costs 3 points on its own. This is a very small margin for error, and an expensive one if you arrive at your assessment unprepared.
**SC.L2-3.13.11 (Employ FIPS-validated cryptography)**
3.13.11 is scored differently from every other requirement. If CUI is encrypted but the cryptography is not FIPS-validated, the requirement may be placed on a POA&M at a cost of 3 points. If CUI is not encrypted at all, the requirement cannot be placed on a POA&M and the assessment fails. So if 3.13.11 is on your POA&M, you can carry at most 19 other open requirements (3 + 19 = 22 points) and still reach 88 for conditional certification; if it is not, you can carry up to 22.
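The scoring rules above are easy to get wrong when a remediation list is long, so here is a small eligibility checker that applies them. This is an added example written for this article, not a Hive Systems tool: it encodes the table of non-POA&M-able requirements exactly as printed above, treats every other requirement as a 1-point item (which is what the article’s rule implies, since 3- and 5-point requirements cannot be on a POA&M), and handles the two special cases, SC.L2-3.13.11 and CA.L2-3.12.4. The gap lists at the bottom are constructed for illustration and are assumed to be POA&M-eligible only because their IDs do not appear in the article’s table.

```python
"""CMMC Level 2 POA&M eligibility check (illustrative example, not an official tool).

Rules as stated in the article:
  * Score starts at 110; each open 1-point requirement deducts 1 point.
  * Conditional certification requires a score of at least 88 AND no open
    requirement from the "cannot be on a POA&M" table.
  * SC.L2-3.13.11: non-FIPS-validated encryption of CUI may be on a POA&M
    at a cost of 3 points; no encryption of CUI at all is a hard fail.
  * CA.L2-3.12.4 (the SSP) is in the table, so a missing SSP is a hard fail.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110
CONDITIONAL_MIN = 88          # 80% of 110
FIPS_REQ = "3.13.11"          # handled via the cui_encryption argument

# Requirements that can never be placed on a POA&M (table in this article).
# 3.13.11 is deliberately absent: only its "no encryption" state is fatal.
NOT_POAM_ABLE = frozenset("""
3.1.1 3.1.2 3.1.5 3.1.12 3.1.13 3.1.16 3.1.17 3.1.18 3.1.19 3.1.20 3.1.22
3.2.1 3.2.2
3.3.1 3.3.2 3.3.5
3.4.1 3.4.2 3.4.5 3.4.6 3.4.7 3.4.8
3.5.1 3.5.2 3.5.3 3.5.10
3.6.1 3.6.2
3.7.1 3.7.2 3.7.4 3.7.5
3.8.1 3.8.2 3.8.3 3.8.7 3.8.8
3.9.1 3.9.2
3.10.1 3.10.2 3.10.3 3.10.4 3.10.5
3.11.1 3.11.2
3.12.1 3.12.2 3.12.3 3.12.4
3.13.1 3.13.2 3.13.5 3.13.6 3.13.8 3.13.15
3.14.1 3.14.2 3.14.3 3.14.4 3.14.5 3.14.6 3.14.7
""".split())


def _req_key(req_id: str):
    """Sort '3.1.10' after '3.1.2' (numeric, not lexicographic)."""
    return tuple(int(part) for part in req_id.split("."))


@dataclass
class Result:
    score: int                 # 110 minus points lost on POA&M-eligible items
    outcome: str               # "final", "conditional" or "fail"
    blocking: list = field(default_factory=list)   # gaps that fail outright
    poam_items: list = field(default_factory=list) # gaps that may be deferred


def evaluate(gaps, cui_encryption="fips") -> Result:
    """gaps: IDs (e.g. "3.1.3") with at least one assessment objective NOT MET,
    excluding 3.13.11, whose state is given by cui_encryption:
      "fips"     - FIPS-validated encryption in place (requirement met)
      "non-fips" - CUI encrypted, but not FIPS-validated (POA&M-able, -3)
      "none"     - CUI not encrypted (assessment fails)
    """
    if cui_encryption not in ("fips", "non-fips", "none"):
        raise ValueError("cui_encryption must be 'fips', 'non-fips' or 'none'")
    gaps = set(gaps)
    if FIPS_REQ in gaps:
        raise ValueError("describe 3.13.11 with cui_encryption, not in gaps")

    blocking = sorted(gaps & NOT_POAM_ABLE, key=_req_key)
    if cui_encryption == "none":
        blocking.append(FIPS_REQ)

    # Everything not in the table is, per the article, a 1-point requirement.
    poam_items = sorted(gaps - NOT_POAM_ABLE, key=_req_key)
    deduction = len(poam_items) + (3 if cui_encryption == "non-fips" else 0)
    score = MAX_SCORE - deduction

    if blocking:
        outcome = "fail"            # regardless of score
    elif deduction == 0:
        outcome = "final"           # nothing to defer: full certification
    elif score >= CONDITIONAL_MIN:
        outcome = "conditional"     # POA&M must be closed within 180 days
    else:
        outcome = "fail"
    return Result(score, outcome, blocking, poam_items)


# Constructed sample: 22 IDs that are not in the article's table.
SAMPLE_ONE_POINT_GAPS = (
    "3.1.3", "3.1.4", "3.1.6", "3.1.7", "3.1.8", "3.1.9", "3.1.10", "3.1.11",
    "3.1.14", "3.1.15", "3.1.21", "3.2.3", "3.3.3", "3.3.4", "3.3.6", "3.3.7",
    "3.3.8", "3.3.9", "3.4.3", "3.4.4", "3.4.9", "3.5.4",
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_ONE_POINT_GAPS))                        # conditional, 88
    print(evaluate(SAMPLE_ONE_POINT_GAPS, "non-fips"))            # fail, 85
    print(evaluate(SAMPLE_ONE_POINT_GAPS[:19], "non-fips"))       # conditional, 88
    print(evaluate(["3.1.3", "3.1.20"]))                          # fail: 3.1.20 blocks
    print(evaluate([], "none"))                                   # fail: no CUI encryption
```

Run it before an assessment with your real gap list: a `fail` with a non-empty `blocking` list means you have a requirement that no amount of score will save, and it should be fixed before the assessor arrives.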
Can Hive Systems help?
If CMMC requirements seem confusing, know that you are not alone. Hive Systems offers CMMC readiness and implementation support to help you navigate them. Contact us to learn more.