Why your organization needs a POA&M
Small businesses working on DoD contracts may come in contact with Controlled Unclassified Information (CUI). The DoD requires compliance with DFARS rule 252.204-7012 to protect CUI, which means small businesses must implement the cybersecurity safeguards outlined in the National Institute of Standards and Technology (NIST) 800-171 standard. One of the safeguards in this standard requires organizations to periodically assess their cybersecurity risk (first and foremost the risks associated with incomplete 800-171 implementation) and to maintain a Plan of Actions and Milestones (POA&M) outlining the specific steps the organization will execute to mitigate those risks. The DoD has stated that some POA&M items will be allowed at the time of Cybersecurity Maturity Model Certification (CMMC) assessment. In time, all DoD contractors that handle CUI will have to obtain a CMMC certification.
Totem can help your small business manage its POA&M.
How Totem can help you manage your NIST/CMMC POA&M
Your organization can rely on Totem to help manage its POA&M in three interrelated ways:
- Attend one of our DFARS/NIST/CMMC Workshops. We educate you on the basics of POA&M, and empower you to manage your POA&M.
- Subscribe to our Totem™ Cybersecurity Compliance Management software. Totem™ has a simple, intuitive POA&M workflow built in.
- Engage us for a custom DFARS/NIST/CMMC gap assessment and strategic policy planning session. Let us help you build a meaningful POA&M.
Each of these options aligns with our DFARS/NIST/CMMC Preparation Methodology. With our approach, you’ll
- start by gaining an understanding of the requirements,
- continue by cataloging and categorizing your organizational assets (including the CUI you handle) according to government guidelines,
- and then perform an assessment against the NIST 800-171 standard in parallel with building an 800-171-aligned System Security Plan (SSP).
The results of the assessment and the SSP build then drive the construction of Corrective Action Plans (CAPs) to remediate deficient cybersecurity capabilities, i.e. those safeguards your organization has planned to implement but has not yet put in place. The sum of all your organization’s CAPs is the POA&M.
In the Workshop, we teach you how to do all these things, and provide access to the Totem™ tool to help manage the assessment, SSP, and POA&M. After the Workshop, you can subscribe to Totem™ to continue managing your POA&M; after all, the POA&M is a “living” thing, in the sense that there is always something to do to make your organization more secure.
If, after the Workshop, you realize your organization needs a little more help, you can engage us for a one-on-one gap assessment. During this engagement, we’ll use the Totem™ tool workflow to craft your NIST/CMMC POA&M, in which we’ll lay out in detail the individual “bite sized” CAPs your organization will execute to mitigate the risks and comply with the standard.
We’ve been managing POA&Ms for DoD and US Federal Government enterprise IT (big ones, like the US Air Force and Centers for Medicare and Medicaid Systems (CMS)) for over a decade now. We’d love to bring that experience and know-how to bear on your small business cybersecurity compliance needs. We’ll help you develop common-sense, cost-effective CAPs, and help you manage your cyber risk lifecycle in a NIST/CMMC-compliant POA&M. Click the button below if you’d like to know more about how we can help with your POA&M.