How to create a POA&M

How to Create a Plan of Action & Milestones for NIST SP 800-171

A plan of action and milestones document is critical to meeting your NIST SP 800-171 requirements. Here is how to make one.

What is a Plan of Action & Milestones (POA&M) Document?

According to the NIST glossary, a plan of action and milestones is “a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”

A POA&M is Required for the Implementation of NIST SP 800-171

To meet NIST SP 800-171 requirements, you must have a plan of action & milestones document. NIST SP 800-171 security requirement 3.12.2 reads “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.”

What Does a POA&M Look Like?

[Figure: POA&M generated by Compliance Accelerator, downloadable as an Excel spreadsheet]

A plan of action and milestones document is generally created in the form of a spreadsheet. The document lists deficiencies in your organization’s security program. These can be deficiencies in the implementation of technical, administrative, and physical security controls. The POA&M describes the deficiencies and how they will be corrected. The POA&M also documents vulnerabilities and describes how they will be reduced or eliminated.

Using Automation to Create a POA&M

[Figure: Lake Ridge apps let you manage your POA&M items by assigning due dates, staff, and budgets]

Using the applications available from Lake Ridge, you can auto-generate your plan of action & milestones document. To do this, complete the assessment survey in the Compliance Accelerator app. After you complete the survey, the app automatically generates your plan of action and milestones document from the gaps the survey identified. All you have to do is assign users and due dates to the POA&M tasks.

Do You Need a POA&M for CMMC?

Yes. You still need a POA&M to meet CMMC requirements if you are aiming to earn a CMMC certification above level two. CMMC practice CA.2.159 reads “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.”

A POA&M is a Living Document

It is not uncommon to hear consultants say that you need to complete all items on your POA&M to meet CMMC or NIST SP 800-171 requirements. This is only partially correct. To meet CMMC and NIST SP 800-171 requirements you obviously need to implement all of the associated requirements. The requirements you are not yet meeting are documented in your POA&M, and those items must be completed before you are fully compliant. However, that does not mean you will never use your POA&M again.

Your POA&M is a living resource used to document vulnerabilities found when performing vulnerability scans, security assessments, and other reviews such as testing incident response plans and business continuity plans. Any deficiency you identify in your security program needs to be documented in your POA&M, with the planned remediation, the responsible staff, and a scheduled completion date. It is impossible for an information system to ever be 100% secure, and that is okay. What is important is demonstrating due care and due diligence by implementing your contractually mandated requirements and tracking the remaining gaps to closure.