What is a POA&M in CMMC?
If your DIB organization has been preparing for CMMC assessments (coming 2025), you may have heard a little something about POA&Ms. What an acronym!...
2 min read
Chelsea Zimmerman : Jun 6, 2024 11:48:27 AM
The upcoming Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD) makes verified adoption of NIST SP 800-171 mandatory for the Defense Industrial Base (DIB). NIST SP 800-171 has been contractually required under DFARS 252.204-7012 for years; what CMMC adds is assessment and certification of that implementation. This applies to both prime contractors and subcontractors.
NIST SP 800-171 is the NIST publication "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It defines the minimum cybersecurity requirements (110 requirements across 14 families) for businesses working with the Federal Government, to ensure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are protected.
CMMC is designed to give the DoD a way to enforce the protection of national security information and American ingenuity.
CMMC applies only to DIB organizations: companies that, under contract to the Department of Defense, research, develop, produce or sustain military weapons systems, subsystems, and components or parts.
Image from ControlCase
Level 1 is ‘Foundational’ cyber protection and requires the implementation of 17 controls from NIST SP 800-171. An annual self-assessment is required. This level is mainly for a DIB company that does not process, store, or transmit CUI on its unclassified network, but does process, store, or handle FCI.
Level 2 is ‘Advanced’ and includes all 110 controls from NIST SP 800-171. Compliance is measured either by a self-assessment (every three years, with an annual affirmation of continued compliance) or, for contracts involving information critical to national security, by a triennial third-party assessment conducted by a Certified Third-Party Assessor Organization (C3PAO). For scoring, each control is weighted at 1, 3, or 5 points depending on risk, and the points for each control not met are subtracted from the starting score. The highest possible score is 110, and the lowest score is negative, because the weights of all 110 controls add up to more than 110.
Level 3 builds on the previous two levels by requiring full implementation of all 110 controls from NIST SP 800-171 plus selected controls from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information). This ‘Expert’ level requires a Level 2 C3PAO certification first and is assessed every three years by government assessors.
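To make the Level 2 scoring rule concrete, here is a small calculator that applies the weighted-deduction method described above. This is an added example, not code from the original page or from TotalCare IT. The control weights below are a constructed subset for illustration; the authoritative 1/3/5 weight for every control is in Annex A of the DoD Assessment Methodology for NIST SP 800-171. The calculator also handles one edge case the methodology defines: two controls (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) can receive partial credit, losing 3 points instead of 5 when partially implemented.

```python
from enum import Enum

MAX_SCORE = 110          # starting score when every control is met
ALLOWED_WEIGHTS = {1, 3, 5}

# Per the DoD Assessment Methodology, only these two controls may be scored
# as partially implemented; the value is the reduced deduction.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"


# Constructed sample weights (a subset of the 110 controls) for illustration only.
# Real assessments must use the weights from Annex A of the DoD methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit eligible)
    "3.8.3": 5,    # sanitize media containing CUI before disposal/reuse
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit eligible)
    "3.14.1": 5,   # identify and correct system flaws
}


def sprs_score(weights: dict, statuses: dict) -> int:
    """Return the assessment score: 110 minus the weight of every unmet control.

    A control absent from `statuses` is treated as NOT_MET (an unassessed
    control earns no credit). PARTIAL only reduces the deduction for the
    controls listed in PARTIAL_CREDIT; for any other control it counts as NOT_MET.
    """
    score = MAX_SCORE
    for control, weight in weights.items():
        if weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{control}: weight {weight} is not 1, 3 or 5")
        status = statuses.get(control, Status.NOT_MET)
        if status is Status.MET:
            continue
        if status is Status.PARTIAL and control in PARTIAL_CREDIT:
            score -= PARTIAL_CREDIT[control]
        else:
            score -= weight
    return score


def minimum_score(weights: dict) -> int:
    """Lowest possible score if nothing is implemented (negative for the full set)."""
    return MAX_SCORE - sum(weights.values())


def poam_candidates(weights: dict, statuses: dict) -> list:
    """Controls that are not fully met, i.e. the items a POA&M must track."""
    return [
        control
        for control in weights
        if statuses.get(control, Status.NOT_MET) is not Status.MET
    ]


if __name__ == "__main__":
    # Constructed assessment result for the sample controls above.
    results = {
        "3.1.1": Status.MET,
        "3.1.2": Status.MET,
        "3.1.3": Status.NOT_MET,
        "3.3.1": Status.MET,
        "3.5.3": Status.PARTIAL,   # MFA rolled out to some, not all, accounts
        "3.8.3": Status.MET,
        "3.13.11": Status.NOT_MET,
        "3.14.1": Status.MET,
    }
    print("score:", sprs_score(SAMPLE_WEIGHTS, results))
    print("floor:", minimum_score(SAMPLE_WEIGHTS))
    print("POA&M items:", poam_candidates(SAMPLE_WEIGHTS, results))
```

Two design points matter in practice. First, a control you never assessed must score as not met, which the lookup default enforces; leaving a control out of the spreadsheet does not make it go away. Second, marking a non-eligible control as partial gives no relief: it is deducted in full, which is exactly how an assessor would score it.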
TotalCare IT can help your Idaho organization prepare for CMMC by walking you through an alignment to the NIST standards.
We will create a roadmap for you that clearly outlines where your organization is currently meeting NIST SP 800-171 controls and where you need improvement.
Then, as part of our ongoing compliance management service, we help you implement all the controls in your organization. We can also help you create POA&Ms if needed and walk your organization through self-assessments.
Implementing security controls does not happen overnight. If your DIB organization hasn’t started preparing for the rollout of CMMC in 2025, what are you waiting for? Give us a call today to get started! (208) 881-9713