#GovConThoughts: CMMC POA&Ms May Be Helpful, But Full Compliance Is Still Required
[My #govconthoughts series provides a quick take on recent developments in the government contracting space.]
I know some folks in the government contracting space were excited to learn that the Department of Defense's Cybersecurity Maturity Model Certification ("CMMC") proposed rule allows companies to use a plan of action and milestone ("POA&M") to meet the CMMC requirements. But don't let the use of a POA&M cloud your view of what the rule requires: full compliance.
Yes, it is true that POA&Ms are permitted under CMMC Levels 2 and 3 (not 1). But even then, POA&Ms are only permitted under certain and limited circumstances. For example, to be eligible for a Level 2 POA&M, contractors must first obtain a minimum score of 88 out of 110 (.8), with the caveat that some of the cyber requirements must be met. Beyond that, contractors also are required to close-out the POA&M within 180 days of the initial assessment.
Thus, with the minimum point threshold and short 180-day close-out window, the use of POA&Ms necessarily means that the contractor is getting close to the finish line in satisfying the CMMC requirements. Critically, if a POA&M is not timely closed out, the contractor's conditional status will expire, which may ultimately impact bidding opportunities.
So, while the proposed rule allows the defense industrial base to use POA&Ms in certain circumstances, full CMMC compliance should be your North Star.
. . .
Comments