Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.
Key Elements of a Plan of Action (POA)
According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:
Completion Dates: Identifies target deadlines for resolving deficiencies.
Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored over time.
Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.
What is Generally NOT Part of a POA?
Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broaderproject management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.
Supporting Reference
NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.
CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions, timelines, and accountability rather than financial planning.
By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.
