
Code of Federal Regulations, Title 32 (National Defense), Part 170, § 170.21

§ 170.21. Plan of Action and Milestones requirements.

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) POA. For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:
(1) Level 1 self-assessment. A POA is not permitted at any time for Level 1 self-assessments.
(2) Level 2 self-assessment and Level 2 certification assessment. An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;
(ii) None of the security requirements included in the POA have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and
(iii) None of the following security requirements are included in the POA:
(A) AC.L2-3.1.20 External Connections (CUI Data).
(B) AC.L2-3.1.22 Control Public Information (CUI Data).
(C) CA.L2-3.12.4 System Security Plan.
(D) PE.L2-3.10.3 Escort Visitors (CUI Data).
(E) PE.L2-3.10.4 Physical Access Logs (CUI Data).
(F) PE.L2-3.10.5 Manage Physical Access (CUI Data).
(3) Level 3 certification assessment. An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and
(ii) The POA does not include any of the following security requirements:
(A) IR.L3-3.6.1e Security Operations Center.
(B) IR.L3-3.6.2e Cyber Incident Response Team.
(C) RA.L3-3.11.1e Threat-Informed Risk Assessment.
(D) RA.L3-3.11.6e Supply Chain Risk Response.
(E) RA.L3-3.11.7e Supply Chain Risk Plan.
(F) RA.L3-3.11.4e Security Solution Rationale.
(G) SI.L3-3.14.3e Specialized Asset Security.
(b) POA closeout assessment. A POA closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA in the initial assessment. The closing of a POA must be confirmed by a POA closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.
(1) Level 2 self-assessment. For a Level 2 self-assessment, the POA closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.
(2) Level 2 certification assessment. For Level 2 certification assessment, the POA closeout certification assessment must be performed by an authorized or accredited C3PAO.
(3) Level 3 certification assessment. For Level 3 certification assessment, DCMA DIBCAC will perform the POA closeout certification assessment.
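The following is an added worked example, not part of the regulation or of this page's text: a small Python checker that applies the paragraph (a) eligibility conditions and the paragraph (b) 180-day closeout window to an assessment result. It assumes the assessment score and each NOT MET requirement's point value are supplied by the caller as already computed under the § 170.24 scoring methodology (that methodology is not reproduced on this page), it enforces no point-value cap for Level 3 because the text states none, and it treats a closeout confirmed on the 180th day itself as within the window (an assumption; the text only says "within 180 days"). The requirement identifiers, score and 110-requirement total in the sample run are constructed input.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Requirements that may never be placed on a POA, from § 170.21(a)(2)(iii) and (a)(3)(ii).
LEVEL2_POA_PROHIBITED = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
LEVEL3_POA_PROHIBITED = frozenset({
    "IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e", "RA.L3-3.11.6e",
    "RA.L3-3.11.7e", "RA.L3-3.11.4e", "SI.L3-3.14.3e",
})
CUI_ENCRYPTION = "SC.L2-3.13.11"   # the only >1-point requirement a Level 2 POA may carry
MIN_SCORE_RATIO = 0.8               # § 170.21(a)(2)(i) and (a)(3)(i)
POA_CLOSEOUT_DAYS = 180             # § 170.21(b)


@dataclass(frozen=True)
class PoaItem:
    """One NOT MET requirement the OSA wants to carry on a POA."""
    requirement_id: str
    point_value: int                    # per § 170.24; supplied by the caller, not derived here
    encryption_not_fips: bool = False   # SC.L2-3.13.11 only: encryption used but not FIPS-validated


def poa_blockers(level, assessment_score, total_requirements, poa_items):
    """Return the reasons a Conditional CMMC Status is NOT permitted.

    An empty list means every § 170.21(a) condition for the given level is satisfied.
    assessment_score and point values are assumed already computed under § 170.24.
    """
    if level not in (1, 2, 3):
        raise ValueError("level must be 1, 2 or 3")
    if total_requirements <= 0:
        raise ValueError("total_requirements must be positive")

    # (a)(1): Level 1 never admits a POA, so every item offered is a blocker.
    if level == 1:
        return [f"{item.requirement_id}: no POA is permitted for Level 1" for item in poa_items]

    blockers = []
    # (a)(2)(i) / (a)(3)(i): score divided by requirement count must be at least 0.8.
    if assessment_score / total_requirements < MIN_SCORE_RATIO:
        blockers.append(f"score ratio {assessment_score}/{total_requirements} is below {MIN_SCORE_RATIO}")

    prohibited = LEVEL2_POA_PROHIBITED if level == 2 else LEVEL3_POA_PROHIBITED
    for item in poa_items:
        # (a)(2)(iii) / (a)(3)(ii): listed requirements may never appear on the POA.
        if item.requirement_id in prohibited:
            blockers.append(f"{item.requirement_id}: may not be included in a Level {level} POA")
        # (a)(2)(ii): Level 2 items must be 1-point, except CUI Encryption at 3 points when
        # encryption is employed but not FIPS-validated. The text sets no point cap for Level 3.
        if level == 2 and item.point_value > 1:
            fips_exception = (item.requirement_id == CUI_ENCRYPTION
                              and item.encryption_not_fips and item.point_value == 3)
            if not fips_exception:
                blockers.append(f"{item.requirement_id}: point value {item.point_value} exceeds 1")
    return blockers


def poa_closeout_deadline(conditional_status_date):
    """Last day on which a closeout assessment keeps the Conditional status alive (§ 170.21(b))."""
    return conditional_status_date + timedelta(days=POA_CLOSEOUT_DAYS)


def conditional_status_expired(conditional_status_date, closeout_confirmed_on):
    """True if the POA was not successfully closed out within 180 days.

    Assumption: a closeout confirmed on the deadline day itself counts as within the window.
    """
    deadline = poa_closeout_deadline(conditional_status_date)
    return closeout_confirmed_on is None or closeout_confirmed_on > deadline


if __name__ == "__main__":
    # Constructed sample: a Level 2 certification assessment over 110 requirements that
    # scored 105 and carries three NOT MET items on the POA.
    sample = [
        PoaItem("AC.L2-3.1.7", 1),
        PoaItem(CUI_ENCRYPTION, 3, encryption_not_fips=True),
        PoaItem("CA.L2-3.12.4", 1),   # System Security Plan: never allowed on a POA
    ]
    for reason in poa_blockers(2, 105, 110, sample):
        print("blocker:", reason)
    granted = date(2025, 1, 1)
    print("closeout deadline:", poa_closeout_deadline(granted))
    print("expired if closed out 2025-07-01:", conditional_status_expired(granted, date(2025, 7, 1)))
```

With the sample input the only blocker reported is CA.L2-3.12.4, because the FIPS exception admits the 3-point CUI Encryption item and 105/110 clears the 0.8 ratio; swapping the Conditional CMMC Status Date for the real one gives the date by which the closeout assessment in paragraph (b) must be confirmed.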