Current through November 30, 2024
Section 170.21 - [Effective 12/16/2024] Plan of Action and Milestones requirements(a)POA&M. For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:(1)Level 1 self-assessment. A POA&M is not permitted at any time for Level 1 self-assessments.(2)Level 2 self-assessment and Level 2 certification assessment. An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and(iii) None of the following security requirements are included in the POA&M: (A) AC.L2-3.1.20 External Connections (CUI Data).(B) AC.L2-3.1.22 Control Public Information (CUI Data).(C) CA.L2-3.12.4 System Security Plan.(D) PE.L2-3.10.3 Escort Visitors (CUI Data).(E) PE.L2-3.10.4 Physical Access Logs (CUI Data).(F) PE.L2-3.10.5 Manage Physical Access (CUI Data).(3)Level 3 certification assessment. An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met: (i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and(ii) The POA&M does not include any of following security requirements: (A) IR.L3-3.6.1e Security Operations Center.(B) IR.L3-3.6.2e Cyber Incident Response Team.(C) RA.L3-3.11.1e Threat-Informed Risk Assessment.(D) RA.L3-3.11.6e Supply Chain Risk Response.(E) RA.L3-3.11.7e Supply Chain Risk Plan.(F) RA.L3-3.11.4e Security Solution Rationale.(G) SI.L3-3.14.3e Specialized Asset Security.(b)POA&M closeout assessment. A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180-days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire. (1)Level 2 self-assessment. For a Level 2 self-assessment, the POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.(2)Level 2 certification assessment. For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.(3)Level 3 certification assessment. For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.