By: Tyler Thepsiri on April 05, 2024

What Is A NIST 800-171 POAM (Plan Of Action & Milestones)?

Cybersecurity | Compliance

Although NIST 800-171 has been around for several years, many business leaders still aren’t certain whether they are doing the right things to be compliant.

As an IT services provider, we are often asked about NIST certification and specifically about the requirement for a Plan of Action & Milestones (POAM).

In this article, we’ll walk you through everything you need to know about a POAM, so you’ll have all the information you need to ensure that your organization is compliant with this NIST 800-171 requirement. And we’ll do it without a lot of technical jargon.

We work with companies of all sizes, including contractors, subcontractors, and suppliers working for the U.S. government. We’ve helped organizations just like yours through NIST 800-171 certification, so we know what’s involved and have lots of experience with POAMs.

After reading through this article, you’ll have a better understanding of what a POAM is, why it is an important requirement for NIST 800-171 certification, and what should be included in a POAM.

What Is NIST SP 800-171?

Let’s start at the top.

More than 10 years ago, the National Institute of Standards and Technology (NIST) issued a special publication (known as NIST 800-171 or NIST SP 800-171) to help ensure that organizations working on government contracts protect unclassified but sensitive government data.

This kind of information is known as controlled unclassified information (CUI), and NIST 800-171 provides a framework for protecting it.

What Is CUI?

CUI is unclassified information owned by or created for the government that is required to be safeguarded according to law, regulation or policy.

Related article: Exploring CUI and FCI: How IT Tools Help Keep Sensitive Data Safe

What Is A POAM?

A NIST POAM is a roadmap of sorts. It identifies tasks that need to be accomplished and then what's required to achieve them. It breaks the tasks into manageable chunks and sets out milestones and a timeline to keep everything on track.

More importantly, it tracks your progress toward compliance with the cybersecurity controls outlined in NIST 800-171.

Why Does NIST 800-171 Require A POAM?

The NIST 800-171 POAM requirements help ensure that organizations that work on government contracts undertake appropriate steps to protect sensitive but unclassified information.

The government realizes that its suppliers are not likely to be technology and cybersecurity experts. That’s why the NIST 800-171 certification process is in place: to ensure that sensitive physical, technical, or administrative information handled to fulfill contractual obligations is protected.

The POAM requirement holds accountable those organizations that access or store sensitive information as part of their work on government contracts.

NIST 800-171 compliance allows you to retain your current contracts and ensures you can continue competing for future ones.

Developing your Plan of Action & Milestones (POAM)

Your NIST 800-171 POAM is essentially a high-level project plan with the basics of what is missing, a general plan of action, and when to expect achievement. It is a slimmed-down plan without lots of the common components of a full-fledged project plan.

However, it provides general guidance for your IT team (internal or external). It also demonstrates your commitment to resolving gaps that exist in your organization’s security framework today.

The POAM should be based on a prioritized list of the controls that need to be addressed. The considerations for prioritization include how much of the NIST framework each action can remedy along with budget, resources, and timelines.

As you review the NIST 800-171 controls, you will get a clear picture of the work ahead to develop your POAM.
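To make the structure concrete, here is a small POAM tracker written for this article (it is not Kelser's tool or a NIST template). Each item records the three things described above, what is missing, the plan of action, and when to expect achievement, and the coverage-per-effort ranking, the 1-5 effort scale, and the sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Milestone:
    description: str
    due: date            # target date for this step
    done: bool = False

@dataclass
class PoamItem:
    control: str            # NIST SP 800-171 requirement number
    gap: str                # what is missing today
    action: str             # general plan of action
    controls_remedied: int  # requirements this action closes (coverage)
    effort: int             # relative budget/resource cost, constructed 1-5 scale
    milestones: list = field(default_factory=list)

    def status(self) -> str:
        return "Complete" if all(m.done for m in self.milestones) else "Open"

def priority_score(item: PoamItem) -> float:
    # Coverage per unit of effort: an action that closes more requirements
    # for less budget ranks higher. This weighting is an assumption, not NIST's.
    return item.controls_remedied / item.effort

def prioritize(items):
    # Highest-value actions first; this ordering becomes the plan's sequence.
    return sorted(items, key=priority_score, reverse=True)

def overdue_milestones(items, today: date):
    # Open milestones past their target date: what the plan owner must
    # explain (and re-baseline) at the next review.
    return [(i.control, m.description)
            for i in items for m in i.milestones
            if not m.done and m.due < today]

# Constructed sample entries; control numbers are real 800-171 requirements,
# the gaps, dates and effort values are invented for illustration.
SAMPLE = [
    PoamItem("3.14.1", "No patch schedule", "Adopt a monthly patch cycle", 2, 1,
             [Milestone("Select scanning tool", date(2024, 3, 15), True),
              Milestone("First patch cycle", date(2024, 4, 30))]),
    PoamItem("3.3.1", "Logs not collected centrally", "Deploy central log collection", 3, 3,
             [Milestone("Choose log platform", date(2024, 3, 1))]),
    PoamItem("3.5.3", "No MFA on remote access", "Roll out MFA", 1, 2,
             [Milestone("Pilot MFA", date(2024, 5, 1))]),
]
REVIEW_DATE = date(2024, 4, 5)  # constructed review date for the sample
```

Calling `prioritize(SAMPLE)` yields the patch-cycle item first, and `overdue_milestones(SAMPLE, REVIEW_DATE)` flags the log-platform milestone that slipped past March 1.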

What’s The Bottom Line?

As you begin the process of developing your POAM, it will likely become clear whether you have the internal resources you need or whether you’d benefit from collaborating with an external IT service provider.

Only you can decide if you have the internal resources you need for success. Our experience has shown that companies that are successful at developing a POAM using internal staff typically have the following characteristics:

  • a large enough internal IT team that several of them can pull away for an extended period to hyper-focus on the POAM without impacting your internal IT support needs and
  • certified cybersecurity experts on staff who have prior cybersecurity compliance experience.

If your company doesn’t fit the above criteria, working with an outside consultant may offer advantages by avoiding common mistakes that could compound the time and cost involved in reaching compliance.

If you decide to explore options for external IT support, we encourage you to compare several providers so that you find one that is the right fit for your organization. We take this advice so seriously that we’ve even done some of the legwork for you.

See for yourself how Kelser and one of our competitors (IT Direct) compare based on publicly available information from the websites of both organizations. We know it’s different that we offer head-to-head comparisons, but the truth is that each organization has strengths.

Be wary of any external provider that comes in assuming they know what’s best for you without even having a conversation about your business, your goals, and your current technology pain points.

While there is a commitment of time, energy, and resources involved in developing a POAM, the value delivered is worth the investment. Your organization will have a clear plan of action upon which to base budgets and resource allocation.

It can also get you back to working on what you do for the Defense Supply Chain rather than laboring towards being able to work with them again.

Additionally, compliance with the controls in NIST SP 800-171 is a stepping stone. The DoD’s Cybersecurity Maturity Model Certification (CMMC), based on NIST 800-171, is the next step in certification.

Kelser has helped businesses like yours become compliant with a number of standards and frameworks (NIST, CMMC, HIPAA) over the years. Our staff knows what you're going through and how to get you to your goal of compliance.

Use the button below to start a conversation with us about any questions you have about NIST 800-171 or CMMC certification or other compliance topics.

About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
