Whether you’re a long-time cloud services provider or services business looking into dipping your toes into government contracts, or a new startup aiming to become a government services business, you’re likely encountering a dense wall of acronyms, paperwork, auditing, and standards that stymies your business growth. Even understanding the broad strokes of compliance can be difficult, let alone getting into the weeds with specific details, and all of that is before you even get to the point where you’re making tangible progress and implementations in your systems.
One area that often comes up as a giant question mark is the CMMC program, compliance with CMMC rules, and the POAM component of the whole process. We’ve touched on these briefly in previous posts, but today we’ll take a deeper dive into this specific aspect of the process. As always, if you have any questions about anything in this post or the process itself, feel free to ask us in the comments or reach out directly.
What is CMMC?
Let’s start with the big one: what even is CMMC and why does compliance with it matter?
CMMC stands for Cybersecurity Maturity Model Certification. It’s a certification program for contractors looking to work with the government through primes, and the government in general, it (currently) only applies to the Department of Defense and its related agencies and departments. Since the DoD is large and heavily targeted for cyberespionage, cybercrime, and various other sorts of attacks, cybersecurity needs to be taken very seriously at every level of the organization.
The CMMC in general was created in 2020, and has been updated frequently. Currently, just three years after creation, it has progressed to CMMC 2.0; this is unusually fast for a government body where it takes decades, but since cybersecurity is a very, very fast-evolving battleground, these kinds of rapid updates are necessary.
The CMMC framework used to be divided into five tiered levels of increasing standards, and further divided into both processes and practices. The shift to CMMC 2.0 streamlined this, merging processes and practices and reducing it to just three tiers. The tiers are:
- Level 1: Foundational
- Level 2: Advanced
- Level 3: Expert
The Foundational level, or Level 1, is the least onerous and requires that organizations certified at that level practice basic cybersecurity. There aren’t high-level standards to follow and there’s no third-party assessment for certification. In fact, it’s a self-assessment that the organization reviews annually.
Level 1 is just for contractors and subcontractors working with the Department of Defense who handle unclassified and uncontrolled information and FCI, or Federal Contract Information. FCI is defined as information that is not intended for public release, and that is provided by or generated for the government. In other words, it’s about the least secretive secret information the government has.
The Advanced level, or Level 2, is where things “get real” for contractors. This level is where third-party auditing comes into play, and where the standards are taken much more seriously. Organizations certifying at level 2 need to document their business processes in a repeatable way, such that they can be demonstrated to auditors.
Of course, none of this is nebulous or hand-waved. It’s all thoroughly defined in NIST SP 800-171. More on that later.
Level 2 compliance is required of DoD contractors and subcontractors that handle CUI. CUI is Controlled Unclassified Information, and is a very specific kind of definition for information that is important enough to be controlled, but isn’t deemed to be actually classified. You can read more about CUI in our practical guide to understanding CUI regulations, here.
Two important notes here. The first is that subcontractors that nominally would be required to meet Level 2 may actually only need to meet Level 1 if their prime contractor meets Level 2 and only passes select information to them.
The second is that Level 2 certification must be proven via an audit from a certified third-party assessment organization, or C3PAO. As such, managing the documentation and maintenance of security processes on an ongoing basis is critical; even if the organization maintains their security, errors in documentation of those processes can disqualify them until those issues are fixed.
The Expert level, or Level 3, is the highest level of cybersecurity governed by CMMC. This is meant to address APTs, or Advanced Persistent Threats.
What are APTs? NIST defines them as adversaries that possess sophisticated levels of expertise and resources that allow it to leverage multiple attack vectors for detailed attacks involving establishing and extending footholds undetected, exfiltrating information, undermining aspects of an organization, and more.
APTs are assigned names and identification numbers by the cybersecurity researchers studying them. They are often nation-state actors such as China, Russia, North Korean, and Iran, but also include state-backed independent groups and hacking organizations, among others.
Level 3 protects CUI using all of the same standards and protections as Level 2, but includes an additional 20 practices defined by previous iterations of CMMC, as well as DFARS 252.204-7012 rules for additional reporting, and more. It is, essentially, the strongest level of security required for DoD contractors dealing with sensitive information outside of classified and secret information.
Does Your Organization Need CMMC Compliance?
Unlike many standards when working with the government, this question is actually easy to answer.
Do you intend to be a contractor working with the Department of Defense? If yes, you will need to comply with some level of CMMC, which will be defined by the type of information you’ll be handling and the level of threat you’ll face. If no – such as if you want to work with other government agencies but not the DoD – you don’t need to meet CMMC auditing requirements. You still can, if you want to, but there’s no specific purpose to it unless you later decide to work with the DoD or with a Prime contractor that works for the DoD.
The CMMC’s stated goal is to require compliance with all DoD contractors and subcontractors except those who only deal with commercial off-the-shelf software, or COTS. It’s a requirement for contractors, subcontractors, and everyone in a contractor’s supply chain.
CMMC, DFARS, and NIST SP 800-171
CMMC is based almost entirely on NIST SP 800-171 for the definitions of specific security controls that need to be in place for various information processes. Additional some specific requirements for CMMC compliance come from DFARS publications like the above-mentioned 252.204-7012.
The current breakdown is this:
- Level 1 has 15 requirements and is based on annual self-assessment.
- Level 2 has 110 requirements, derived from NIST SP 800-171, and requires third-party auditing every three years.
- Level 3 has the same 110 requirements, plus additional requirements based on NIST SP 800-172, DFARs publications, and specific requirements based on the individual contract. It requires similar auditing every three years and annual affirmation.
NIST SP 800-171 has 110 controls spread across 14 domains.
- Access Control, which is controlling who has access to your systems in the first place, to keep out anyone who doesn’t belong, along with mechanisms for removing access and terminating sessions of those who don’t belong.
- Awareness and Training, which is human training about cybersecurity to prevent things like phishing attacks and unsafe practices.
- Audit and Accountability, which defines how you maintain records and logs, create incident reports, and comply with those triennial audits.
- Configuration Management, which focuses on maintaining security configuration settings like denylisting and allowlisting processes and restricting nonessential programs.
- Identification and Authentication, which focuses on confirming the identity of individuals when they authenticate into your system, such as using multi-factor authentication.
- Incident Response, which is the preparation, analysis, detection, recovery, containment, and user responses that occur when an incident happens.
- Maintenance, which is the set of processes such as wiping equipment removed from your network, as well as identity checks on the people who perform maintenance.
- Media Protection, which defines additional security, limitations, and protection against things like personal USB storage devices, and how in-house media should be marked.
- Personnel Security, which is the definitions surrounding background checks and screenings for employees who are brought on board, and the removal of permissions of those who are terminated or transferred away from your organization.
- Physical Protection, which defines protection, security, and access restrictions to the physical servers, document storage, and media for your organization.
- Risk assessment, which defines the routine self-assessments and vulnerability detection that need addressing routinely.
- Security Assessment, which is the same as risk assessment but for your overall company security.
- System and Communications Protection, which focuses on monitoring and protecting inbound and outbound communications from employees, such as encrypted communications channels.
- System and Information Integrity, which is about detecting, identifying, reporting, and correcting any flaws when they are noticed.
These are the domains that encapsulate the 110 controls required for Level 2; for the sake of brevity, we’re not digging specifically into the variations required of Level 3 compliance here.
Where POAMs Come In
For an article ostensibly about POAMs, we sure haven’t mentioned them much, have we? Well, this is where they come into play.
Those 110 controls are each assigned a point value of either 1, 3, or 5 points. The point value corresponds to how critical implementation of that specific control is to the overall security and compliance with CMMC.
Perfection is difficult to achieve, especially when you’re first developing security and implementing compliance to win a government contract. The DoD knows this, which is why a POAM can be used.
POAM stands for Plan of Action and Milestones. It’s essentially a document that says “we’ve met most of the requirements for CMMC certification; here are the ones we have not yet met, and how we plan to meet them within 180 days.”
- IF your organization meets at least 88 of the 110 required controls, and;
- IF the controls you do NOT meet are 1-point controls,
You can develop a POAM and submit it to your auditing C3PAO. The auditing entity can review the POAM and, if they deem it acceptable, can approve it.
Essentially, the DoD recognizes that compliance is a significant undertaking, and that defining, developing, and implementing every single NIST SP 800-171 control is a huge undertaking; many contractors are unable to actually meet all of the controls by the specific deadline required to apply and win a government contract. Since the alternative is disqualifying otherwise-excellent organizations for what amounts to minor technicalities, they allow POAMs to provide some leeway.
A POAM is NOT a way to skirt compliance or let small details slip. It’s a specific plan of action to implement and validate those controls that may not be quite implemented by the time the deadline rolls around. If the 180-day period of the POAM expires and you do not have all of the milestones met, your contract will be revoked.
POAMs are made up of seven components: the specific control it applies to, the individual person responsible for it in your organization, the planned actions that meet the control, the planned start and completion dates for that action, the actual actions taken, the milestones to meet along the way, and the current status of the plan. If any of this is missing, an auditor is likely to reject the POAM.
Government cybersecurity is a very detail-oriented system, and it needs to be to ensure the security of important information that could jeopardize national security in the wrong hands. As such, all of this, from the overarching frameworks to the specifics of a POAM, are taken seriously.
Critical to successfully navigating CMMC compliance is record-keeping and management of all of those critical details. Many SMBs and organizations rely on documentation via spreadsheets and scattered docs, but this is inefficient and prone to errors.
That’s where we come in. In addition to being a validated C3PAO, we’ve developed the Ignyte Platform to maintain a centralized, robust, and ongoing hub of records for every element of your CMMC compliance. From your overall system security plan to the specific details of your POAMs, we cover it all.
If you’re interested in seeing how it works, simply click here to get started, book a demo, and experience the value for yourself. If you have any questions, feel free to reach out; we’re always happy to help!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him in LinkedIn here.