By: Tyler Thepsiri on August 08, 2024

What Is A NIST 800-171 POAM (Plan Of Action & Milestones) & Key Steps

Cybersecurity | Compliance

Are you a government contractor or subcontractor who needs to be NIST 800-171 compliant? Although NIST 800-171 has been around for several years, many business leaders still aren’t certain whether they are doing the right things to be compliant.

With the constant revisions to the NIST cybersecurity framework, you may be wondering if you are doing the right things to protect controlled unclassified information (CUI) in order to maintain your current government contracts or secure new ones in the future.

A key step in your journey to becoming NIST 800-171 compliant is to develop a robust Plan of Action and Milestones (POAM) to ensure your business is doing everything it can to protect CUI.

As an IT services provider, we are often asked about the requirements for creating a POAM to help with NIST certification.

In this article, we’ll walk you through everything you need to know about a POAM so you’ll have the information you need to ensure that your organization is in the best position to be NIST compliant—and we’ll do it without the technical language.

We work with companies of all sizes, including contractors, subcontractors, and suppliers working for the U.S. government. We’ve helped organizations just like yours through NIST 800-171 certification, so we know what’s involved and have extensive experience making sure you have a POAM that works.

After reading this article, whether you are a small business or a large enterprise, you will have a better understanding of what a POAM is, why it’s an important requirement for NIST 800-171 certification, and which key steps you should include in your NIST POAM.

What Is NIST SP 800-171?

Let’s start from the top. More than 10 years ago, the National Institute of Standards and Technology (NIST) issued a special publication known as NIST 800-171 or NIST SP 800-171.

NIST 800-171 outlines essential security requirements and provides a cybersecurity framework that organizations must follow to protect controlled unclassified information (CUI) when they handle this kind of sensitive government data.

What Is CUI?

A lot of business leaders are still confused about what CUI is. Let’s clear this up without the technical jargon.

CUI is essentially government data that is unclassified but still considered confidential and therefore needs safeguarding. You can think of it as data that doesn’t fall under the traditional classified or top-secret categories but is still important and needs protecting.

Examples include design diagrams, internal government reports, technical data and drawings for parts to be made specifically for products to be provided to the federal government, or personally identifiable information (PII) used in the performance of federal government contracts.

Protecting CUI is important because it allows only authorized individuals to access this information and ensures it doesn’t fall into the wrong hands.

Related article: Exploring CUI and FCI: How IT Tools Help Keep Sensitive Data Safe

What Is A POAM?

Now that you know what NIST 800-171 is and what CUI is without the technical language, let’s discuss the role NIST compliance plays in protecting CUI and allowing you to maintain your current contracts or secure new ones in the future if you work with the DoD.

A key step in achieving NIST 800-171 compliance is having a POAM. You can think of a POAM as a strategic roadmap that outlines specific steps that need to be completed and what you need to do in order to complete them.

A NIST 800-171 POAM essentially identifies the tasks your organization needs to complete to close the cybersecurity gaps that stand between its current state and NIST compliance. It breaks them into manageable chunks and sets out milestones and a timeline to keep everything on track.

More importantly, it helps you track your progress toward compliance with the cybersecurity controls outlined in the NIST cybersecurity framework.

Why Does NIST 800-171 Require A POAM?

The NIST 800-171 POAM requirements help ensure that organizations that work on government contracts undertake appropriate steps to protect sensitive but unclassified information.

The government realizes that its suppliers are unlikely to be technology and cybersecurity experts. That’s why the NIST 800-171 certification process is in place: to ensure that sensitive physical, technical, or administrative information handled to fulfill contractual obligations is protected.

The POAM requirement holds organizations that access or store sensitive information as part of their work on government contracts accountable for protecting it. NIST 800-171 compliance allows you to retain your current contracts and ensures you can continue competing for future ones.

Developing your Plan of Action & Milestones (POAM)

You now understand what a POAM is and why it’s essential to help you achieve NIST 800-171 compliance.

Your NIST 800-171 POAM is essentially a high-level project plan with the basics of what is missing, a general plan of action, and when to expect achievement. It is a slimmed-down plan without many of the common components of a full-fledged project plan.

However, it also provides general guidance for your IT team (internal or external) and demonstrates your commitment to resolving any gaps that may exist in your organization’s security framework today.

The POAM should be based on a prioritized list of the controls that need to be addressed. The considerations for prioritization include how much of the NIST framework each action can remedy, along with budget, resources, and timelines.

As you review the NIST 800-171 controls, you will get a clear picture of the work ahead to develop your POAM.

7 Key Steps You Need in Your NIST 800-171 POAM

While every organization is different and has unique needs, here are the steps we believe should be addressed in your POAM. You can think of the steps below as a NIST POAM example or template you can follow.

1. Conduct a Thorough Risk Assessment

Start by conducting a detailed risk assessment to identify vulnerabilities within your IT environment and infrastructure. Use tools like vulnerability scans and penetration testing to identify potential cybersecurity risks.

Once you have identified these risks, prioritize them and align them with the matching NIST 800-171 controls to protect your data from cybercriminals.

2. Define Clear Goals and Objectives

Create measurable compliance goals and clearly outline what you want the outcomes for your POAM to be. Making sure you have specific goals and objectives helps ensure that each goal in your POAM is aligned with the NIST 800-171/CMMC Level 2 controls relevant to your organization.

3. Develop a Detailed Project Timeline

Have a realistic timeline that includes milestones and deadlines for each phase of your POAM. Your timeline should clearly list the start and completion dates for the actions planned to meet the NIST 800-171 controls most relevant to your organization.

A detailed timeline will help you track your progress and keep your NIST 800-171 compliance journey moving forward.

4. Assign Roles and Responsibilities

Clearly define and assign roles and responsibilities for each task within your POAM. This means you must identify the point of contact (POC) responsible for each action within your POAM. By doing this, you ensure you hold members of your organization accountable for moving your compliance project along.

In the long run, this will help you stay on course and get help if and when you need it, preventing delays and ensuring smooth progression through each stage of your timeline.

5. Allocate Necessary Resources

Make sure you have a clearly defined budget and the right resources allocated to help you execute the steps within your POAM.

6. Establish Milestones You Need to Meet

Set milestones for each phase to measure the progress and effectiveness of your POAM. Document the current status and what you have done to meet each NIST 800-171 control required for your organization.

7. Regularly Monitor and Review

We have often said that compliance is not a “set it and forget it” process. It’s important to continuously monitor and assess your POAM to ensure it’s as efficient and effective as possible.

With new NIST 800-171 revisions and updates to security controls, make sure you make the necessary adjustments to keep your security measures and IT environment up-to-date and stay compliant.

Don’t forget to document any changes and update your POAM when you make them.

You now have an example of a NIST POAM template that you can follow to help your organization on its compliance journey.

It’s important to note that while we have found that most organizations can successfully utilize this template to create an effective and efficient NIST 800-171 POAM, your organization may need to tweak finer details depending on its specific needs and how quickly you need to become NIST compliant.

What’s The Bottom Line?

As you begin the process of developing your POAM, it will likely become clear whether you have the internal resources you need or whether you’d benefit from collaborating with an external IT service provider.

Only you can decide if you have the internal resources you need for success. Our experience has shown that companies that are successful at developing a POAM using internal staff typically have the following characteristics:

  • a large enough internal IT team that several of them can pull away for an extended period to hyper-focus on the POAM without impacting your internal IT support needs and
  • certified cybersecurity experts on staff who have prior cybersecurity compliance experience.

If your company doesn’t fit the above criteria, working with an outside consultant may offer advantages by avoiding common mistakes that could compound the time and cost involved in reaching compliance.

If you decide to explore options for external IT support, we encourage you to compare several providers so that you find one that is the right fit for your organization. We take this advice so seriously that we’ve even done some of the legwork for you.

See for yourself how Kelser and one of our competitors (Charles IT) compare based on publicly available information from the websites of both organizations. We know it’s unusual for a provider to offer head-to-head comparisons, but the truth is that each organization has strengths.

Be wary of any external provider that comes in assuming they know what’s best for you without even having a conversation about your business, your goals, and your current technology pain points.

While there is a commitment of time, energy, and resources involved in developing a POAM, the value delivered is worth the investment. Your organization will have a clear plan of action upon which to base budgets and resource allocation.

It can also get you back to working on what you do for the Defense Supply Chain rather than laboring towards being able to work with them again.

Additionally, compliance with the controls in NIST SP 800-171 is a stepping stone. The DoD’s Cybersecurity Maturity Model Certification (CMMC), based on NIST 800-171, is the next step in certification.

Kelser has helped businesses like yours become compliant with a number of standards and frameworks (NIST, CMMC, HIPAA) over the years. Our staff knows what you're going through and how to get you to your goal of compliance.

Use the button below to start a conversation with us about any questions you have about NIST 800-171 or CMMC certification or other compliance topics.

About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
