32 C.F.R. § 170.21

Current through November 30, 2024
Section 170.21 - [Effective 12/16/2024] Plan of Action and Milestones requirements
(a)POA&M. For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:
(1)Level 1 self-assessment. A POA&M is not permitted at any time for Level 1 self-assessments.
(2)Level 2 self-assessment and Level 2 certification assessment. An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;
(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and
(iii) None of the following security requirements are included in the POA&M:
(A) AC.L2-3.1.20 External Connections (CUI Data).
(B) AC.L2-3.1.22 Control Public Information (CUI Data).
(C) CA.L2-3.12.4 System Security Plan.
(D) PE.L2-3.10.3 Escort Visitors (CUI Data).
(E) PE.L2-3.10.4 Physical Access Logs (CUI Data).
(F) PE.L2-3.10.5 Manage Physical Access (CUI Data).
(3)Level 3 certification assessment. An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and
(ii) The POA&M does not include any of following security requirements:
(A) IR.L3-3.6.1e Security Operations Center.
(B) IR.L3-3.6.2e Cyber Incident Response Team.
(C) RA.L3-3.11.1e Threat-Informed Risk Assessment.
(D) RA.L3-3.11.6e Supply Chain Risk Response.
(E) RA.L3-3.11.7e Supply Chain Risk Plan.
(F) RA.L3-3.11.4e Security Solution Rationale.
(G) SI.L3-3.14.3e Specialized Asset Security.
(b)POA&M closeout assessment. A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180-days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.
(1)Level 2 self-assessment. For a Level 2 self-assessment, the POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.
(2)Level 2 certification assessment. For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.
(3)Level 3 certification assessment. For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.

32 C.F.R. §170.21

89 FR 83214 , 12/16/2024