How to create a POA&M

How to Create a Plan of Action & Milestones for NIST SP 800-171

By: Omer Kaan Aslim
October 26, 2021
A plan of action and milestones document is critical to meeting your NIST SP 800-171 requirements. Here is how to make one.

What is a Plan of Action & Milestones (POA&M) Document?

According to the NIST glossary, a plan of action and milestones is “a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”

A POA&M is Required for the Implementation of NIST SP 800-171

To meet NIST SP 800-171 requirements you must have a plan of action & milestones document. NIST SP 800-171 security control 3.12.2 reads “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.”

What Does a POA&M Look Like?

Figure: a POA&M generated by Compliance Accelerator, downloadable as an Excel spreadsheet.

A plan of action and milestones document is generally created in the form of a spreadsheet. The document lists deficiencies in your organization’s security program. These can be deficiencies in the implementation of technical, administrative, and physical security controls. The POA&M describes the deficiencies and how they will be corrected. The POA&M also documents vulnerabilities and describes how they will be reduced or eliminated.

Using Automation to Create a POA&M

Figure: Cub Cyber apps let you manage your POA&M items by tracking due dates, assigned staff, and budgets.

Using the applications available from Cub Cyber you can auto-generate your plan of action & milestones document. To do this, you need to complete the assessment survey in the Compliance Accelerator app. After you complete the survey, the app automatically generates your plan of action and milestones document from the requirements you marked as not yet met. All you have to do is assign users and due dates to the POA&M tasks.

Do You Need a POA&M for CMMC?

Yes. You still need a POA&M to meet CMMC requirements if you are aiming to earn a CMMC certification above Level 2. CMMC practice CA.2.159 reads “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.”

A POA&M is a Living Document

It is not uncommon to hear consultants say that you need to complete all items on your POA&M to meet CMMC or NIST SP 800-171 requirements. This is only partially correct. To meet CMMC and NIST SP 800-171 requirements you obviously need to implement all of the associated requirements. The requirements you are not yet meeting are documented in your POA&M, and those items must be completed before you are fully compliant. That does not mean you will never use your POA&M again. Your POA&M is a living resource used to document vulnerabilities found when performing vulnerability scans, security assessments, and other reviews such as tests of incident response plans and business continuity plans. Any deficiency you identify in your security program needs to be documented in your POA&M. No information system will ever be 100% secure, and that is okay. What matters is demonstrating due care and due diligence by implementing your contractually mandated requirements.
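As an added illustration (not Cub Cyber's code and not part of the original post), the script below models the workflow described above: survey answers marked "not implemented" become POA&M items carrying the fields from the NIST definition (resources, milestones, scheduled completion date) plus an assigned owner, findings from later vulnerability scans or assessments are appended to the same living document, overdue items are flagged, and the result is written out in spreadsheet (CSV) form. The control numbers, survey rows and finding text are constructed sample data, and `PoamItem` and the function names are assumptions of this example.

```python
import csv, io
from dataclasses import asdict, dataclass, fields
from datetime import date

@dataclass
class PoamItem:
    control: str          # NIST SP 800-171 requirement, e.g. "3.12.2"
    weakness: str         # the deficiency or vulnerability
    source: str           # self-assessment, vulnerability scan, IR plan test, ...
    resources: str = ""   # what is needed to close the item
    milestones: str = ""  # "; "-separated interim steps
    owner: str = ""       # staff member assigned
    due: date = None      # scheduled completion date (None until assigned)
    status: str = "open"

# Constructed sample survey answers: (control, implemented?, deficiency note).
SURVEY = [
    ("3.1.1", True, ""),
    ("3.5.3", False, "MFA not enforced for remote network access"),
    ("3.12.2", False, "No written plan of action for known deficiencies"),
]

def generate_poam(survey):
    """Each 'not implemented' answer becomes one open POA&M item."""
    return [PoamItem(c, note, "self-assessment")
            for c, implemented, note in survey if not implemented]

def assign(item, owner, due, resources, milestones):
    """Fill in the owner, due date, resources and milestones the NIST definition calls for."""
    item.owner, item.due, item.resources = owner, due, resources
    item.milestones = "; ".join(milestones)
    return item

def add_finding(poam, control, weakness, source):
    """Living document: record a new finding unless the same open item already exists."""
    if not any((p.control, p.weakness, p.status) == (control, weakness, "open") for p in poam):
        poam.append(PoamItem(control, weakness, source))
    return poam

def overdue(poam, today):
    """Open items whose scheduled completion date has passed."""
    return [p for p in poam if p.status == "open" and p.due and p.due < today]

def to_csv(poam):
    """Spreadsheet form of the POA&M; dates come out as YYYY-MM-DD."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(PoamItem)])
    writer.writeheader()
    writer.writerows(asdict(p) for p in poam)
    return buf.getvalue()
```

Running `overdue()` against the current date on a schedule is the check that turns the spreadsheet into the living document the post describes.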