top of page
  • Writer's pictureJoshua Duvall

#GovConThoughts: CMMC POA&Ms May Be Helpful, But Full Compliance Is Still Required

[My #govconthoughts series provides a quick take on recent developments in the government contracting space.]

I know some folks in the government contracting space were excited to learn that the Department of Defense's Cybersecurity Maturity Model Certification ("CMMC") proposed rule allows companies to use a plan of action and milestone ("POA&M") to meet the CMMC requirements. But don't let the use of a POA&M cloud your view of what the rule requires: full compliance. 

Yes, it is true that POA&Ms are permitted under CMMC Levels 2 and 3 (not 1). But even then, POA&Ms are only permitted under certain and limited circumstances. For example, to be eligible for a Level 2 POA&M, contractors must first obtain a minimum score of 88 out of 110 (.8), with the caveat that some of the cyber requirements must be met. Beyond that, contractors also are required to close-out the POA&M within 180 days of the initial assessment. 

Thus, with the minimum point threshold and short 180-day close-out window, the use of POA&Ms necessarily means that the contractor is getting close to the finish line in satisfying the CMMC requirements. Critically, if a POA&M is not timely closed out, the contractor's conditional status will expire, which may ultimately impact bidding opportunities.

So, while the proposed rule allows the defense industrial base to use POA&Ms in certain circumstances, full CMMC compliance should be your North Star.

. . .


Thanks for subscribing!

bottom of page