As the Cybersecurity Maturity Model Certification (CMMC) continues to develop, many organizations in the Defense Industrial Base are left with questions regarding how the upcoming changes will affect their current cybersecurity program and where to focus future efforts. Besides the obvious shift from a self-attestation to a certification model and the incorporation of process maturity, a key difference that cannot be overlooked is the change in CMMC’s stance on Plans of Action and Milestones (PoAMs) for identified deficiencies. Under the current DFARS rule, PoAMs are an acceptable way to document gaps and identify remediation plans, and they will not preclude an organization from doing business with the Department of Defense (DoD) as either a prime or sub-prime contractor. This allowance will not be extended to the CMMC. This change can be a little confusing (and alarming), and it takes a little digging to get to the bottom of it.
The Facts
During a November 14th 2019 CDM (Continuous Diagnostics and Mitigation) summit, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, stated: “The challenge is when we get certified you have to ensure for the CMMC, those POAMs, those plans of action are closed so that we can validate.” If you are not familiar with Ms. Arrington by now (you should be!), she has been leading the CMMC charge from the DoD side since its inception.
Regan Edens, CMMC Board of Directors Chair for the Committee on Standards, also made a statement during the May 28th 2020 CMMC Accreditation Body National Conversation on CMMC Standards, that organizations currently compliant under DFARS 7012 should work towards closing their PoAMs because “the CMMC will not accept those PoAMs for third-party certification.”
Buried within the CMMC v1.02 appendices is further confirmation of these statements:
So at this point, between the statements from authoritative sources and the language within the CMMC itself, we can definitively say that open PoAM items for required practices within the desired maturity level will indeed prevent an organization from becoming certified at that level. Certification remains blocked at least until that PoAM is closed and the objective is met in a way that the Certified Third Party Assessor deems sufficient, based on assessment guidelines that have yet to be released.
So – pretty cut and dried, right? No PoAMs allowed. Except, the CMMC itself requires you to have PoAMs…
The Confusion
Perhaps the biggest perceived contradiction is the fact that, while these authoritative sources have declared that a PoAM equals a failure under the CMMC model, the CMMC standard itself has a requirement for documenting and maintaining PoAMs – CA 2.159: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. This is a level two practice requirement, meaning any organization seeking certification at any level other than level one will have to adhere to it.
All of this information is confusing at a glance and seems to conflict – but we can unpack what it all means in the CMMC and see that there is a purpose.
Clarity
The key information that uncovers the purpose of the PoAM requirement is buried in the appendices of the CMMC standard documentation. We have recently been conducting CMMC readiness assessments for several clients, and there is currently no CMMC assessment standard available. For this reason, we rely heavily on the CMMC clarification statements for guidance, coupled with the appendices for specific examples of implementations for each practice, along with references to the external standards each practice is drawn from.
So, what then is the point of the CA 2.159 requirement? There are two scenarios, and examples for both can also be found in the CMMC appendices.
Scenario A: PoAMs can be used to track remediation items NOT related to CMMC practice deficiencies. One example given in the CMMC is to use PoAMs as a means of vulnerability management:
Scenario B: This example from the CMMC speaks to the more traditional definition of a PoAM as we know it from the previous DFARS requirement.
The above example gets to the meat of CA 2.159, which is a practice included as a means of aspirational planning documentation. An organization that currently meets the criteria for CMMC L2, but aims to be certified at L3, can use PoAMs as its roadmap to compliance and, eventually, certification.
If you split CA 2.159 in half, you can see how the two scenarios come into play: “reduce or eliminate vulnerabilities” (Scenario A) and “to correct deficiencies” (Scenario B).
Resolution
At OCD Tech, we are currently conducting CMMC readiness assessments for organizations to help identify the PoAMs needed to achieve their desired level of certification. We are advising these organizations, recommending strategies for closing identified gaps and moving towards compliance and eventual certification.
While there is currently no assessment guidance available, there is plenty of information available within the CMMC standard, and in the outside materials it references, as to how practices should be implemented. OCD Tech has worked for over five years in the DFARS space, advising organizations on DFARS compliance strategies, from the formation and implementation of controls and documentation to providing support all the way through a DFARS 7012 contract audit by the Defense Contract Management Agency. This experience gives us a unique look into the methodology currently used by the DoD to assess NIST 800-171 controls. We can expect there to be some reciprocity between these assessment methodologies.
It’s always important to note that while the CMMC is still rolling out, and may not affect your company for another year or more (CMMC will start to appear in select new contracts in September 2020, and is projected to appear in all contracts by 2025), anyone working within the Defense Industrial Base today is still subject to the current DFARS rule. The best bet for these organizations is to conduct a CMMC readiness assessment against the current CMMC standard (which is inclusive of the NIST 800-171 control set required by DFARS). This will ensure current DFARS compliance, with sights set on closing PoAMs for future CMMC certification.
Contact Us
Please contact OCD Tech to discuss your current level of readiness for CMMC and for advice on how to remediate any lingering PoAM items.