CMMC-AB Updates POA&M Rules for Level 2 Assessments

    The CMMC-AB has clarified that only a limited set of controls can be deferred to a POA&M in a Level 2 assessment. A contractor that relies on a POA&M receives only Conditional certification, so critical controls must be fully met before the assessment. The 180-day remediation window adds a further compliance challenge.

    Cybersecurity Maturity Model Certification (CMMC) Accreditation Body

    Key Signals

    • CMMC-AB clarifies POA&M rules for Level 2 assessments
    • Contractors face 180-day window for POA&M remediation
    • SSP requirement is non-deferrable in Level 2 assessments

    "A POA&M only gets you 'Conditional' status, not a clean pass. To even qualify, you need all three: score at least 88 of 110, nothing above 1 point under the 170.24 scoring methodology on the plan, and none of the six 1-point controls the rule names out."

    Original poster

    The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has recently issued clarifications on how the Plan of Action and Milestones (POA&M) rules in 32 CFR 170.21 apply to Level 2 CMMC assessments. The guidance makes clear that contractors pursuing certification need to understand exactly how little flexibility a POA&M provides: only a limited number of controls can be deferred, and relying on a POA&M results in a "Conditional" certification status rather than a complete certification pass.

    This has significant implications for contractors as various critical controls, including the System Security Plan (SSP) requirement, are non-deferrable. Contractors must ensure that they have fully met these key requirements ahead of their assessments. Failure to do so may lead to not only delays in the certification process but also potential fallout when it comes to contract eligibility, particularly for contracts that necessitate compliance with CMMC Level 2.

    One of the notable aspects of this clarification is that once a contractor's assessment produces a POA&M, the contractor has a strict 180-day window to remediate every deficiency documented in it. This tight timeline demands proactive planning, with resource allocation and risk management focused on closing compliance gaps quickly after the assessment. Contractors and procurement professionals should therefore prioritize completing the non-deferrable controls, especially the SSP, before scheduling an assessment, to minimize the risk of a conditional outcome.

    A key point of concern raised within the contractor community is the variability seen among assessors regarding the enforcement of SSP completeness. This underscores the necessity for contractors to emphasize core control compliance from the outset to avoid complications during the assessment phase. With varied interpretations and applications of the CMMC rules, the onus remains on contractors to be thoroughly prepared.

    Furthermore, this new guidance could substantially influence contractors' readiness strategies leading up to assessment periods. Organizations may need to reassess how they approach bidding for contracts that specify CMMC Level 2 compliance now that the implications of POA&Ms are more clearly defined. The importance of obtaining a clean pass rather than settling for a conditional certification will become a key decision point for many contractors trying to navigate the complexities of government procurement in the cybersecurity landscape.

    This evolving scenario can be summarized succinctly with advice circulating within the contractor community. As one original poster accurately noted: "A POA&M only gets you 'Conditional' status, not a clean pass. To even qualify, you need all three: score at least 88 of 110, nothing above 1 point under the 170.24 scoring methodology on the plan, and none of the six 1-point controls the rule names out." The implications here extend well beyond mere compliance; they touch upon the strategic planning necessary for successful participation in the federal contracting space, particularly for those entities involved in supporting national security and defense initiatives.

    In conclusion, with the CMMC-AB clarifying the rules regarding POA&Ms, procurement professionals and contractors are urged to recalibrate their compliance strategies. Understanding that POA&Ms provide limited flexibility and do not assure full certification is vital for maintaining eligibility for lucrative contracts.

    • The recent clarification from CMMC-AB alters the procurement landscape for contractors seeking Level 2 certification.
    • Understanding POA&M limitations is crucial for compliance and avoiding conditional certification.
    • Meeting critical controls like the SSP before assessments is imperative for smooth certification.
    • Contractors are granted only a 180-day window to remediate flagged issues post-assessment.
    • Variability in assessor enforcement highlights the need for thorough upfront compliance checks.
    • The emphasis on a complete certification over conditional status impacts contract bidding decisions moving forward.
    • Contractors should actively engage in strategic planning around resource allocation to manage remediation efforts effectively.
