Compliance with NIST 800-171 is a contractual obligation for organizations that process Controlled Unclassified Information (CUI) on behalf of the US government. Contractors, research institutions, and service providers are just some examples of organizations that may need to comply. For Department of Defense (DoD) contractors that must comply with NIST 800-171, a System Security Plan (SSP) and a Plan of Action with Milestones (POAM) are the key documents that evidence compliance and set out the steps and timelines towards becoming fully compliant with NIST 800-171.
NIST 800-171 ultimately helps to improve the security of sensitive information on non-federal IT systems. Organizations can ascertain compliance through a process of self-assessment. However, the DoD is now asking its contractors who handle CUI on their networks to assess and submit compliance performance with NIST 800-171 as part of the acquisition process. When a contractor records that it is not fully compliant with NIST 800-171, it is expected to submit a POAM, outlining the required steps to mitigate these issues and achieve full compliance.
In this guide, we’ll discuss the POAM, what it consists of, and which organizations need to create one. We’ll also explore Titania Nipper, an auditing tool that helps streamline the self-assessment process and the preparation of a POAM.
What is a Plan of Action with Milestones?
A POAM is a remedial document that identifies the tasks required for an organization to achieve a goal, in this case NIST 800-171 compliance. It can be viewed as the final push to become fully compliant. It outlines the steps an organization will need to take to fix any vulnerabilities highlighted by the self-assessment process. By definition, organizations that need to produce a POAM will not yet be fully compliant.
There are 110 requirements outlined by NIST 800-171. Non-compliance, weaknesses, or vulnerabilities may be highlighted as organizations audit their systems and procedures against these requirements.
As the name suggests, the POAM also contains key milestones and dates which set a timeline for resolving vulnerabilities and achieving compliance. The POAM will usually need to be completed before the contract begins.
Who needs a NIST 800-171 Plan of Action?
Organizations that process or store CUI on behalf of the government must be fully compliant with NIST 800-171. Examples may include research institutes and labs that receive government funding, government contractors, or financial and communication service providers. However, currently, only defense contractors who handle CUI are required to record their NIST 800-171 compliance performance with the US government – in this case, with the Department of Defense.
Following an audit, defense contractors must submit their NIST 800-171 compliance scores into the Supplier Performance Risk System (SPRS) portal. Scores are calculated using a weighted points-based system: contractors gain one point for every requirement they comply with, up to a maximum of 110 points, and penalty points are deducted for each area of non- or partial compliance. These penalty points are weighted from one to five depending on the requirement.
Any organization handling CUI on its networks that doesn’t meet the NIST 800-171 requirements will need to create and submit a POAM in advance of a contract award. A POAM is, therefore, a key document for defense contractors to prove their commitment to, and the steps required to achieve, compliance with NIST 800-171. It’s important because it shows the contracting government agency (e.g. the DoD) that security vulnerabilities have been identified and a plan is in place to remediate those issues, ensuring that sensitive federal information will be appropriately protected.
The DoD may still award contracts to organizations that are not fully compliant – i.e. register scores below 110 points – but they will scrutinize the POAM to ensure the appropriate steps and timelines are in place for the contractor to achieve full NIST 800-171 compliance.
An auditing tool like Titania Nipper can help to automate the process of counting points to support an SPRS assessment. Nipper can automate the assessment of 31 NIST 800-171 requirements, enabling a contractor to evidence 31 SPRS points, which have a total weighted penalty value of 113 points, 28% of the total points needed for compliance.
What’s in the Plan of Action with Milestones?
The POAM is submitted alongside or as part of the System Security Plan (SSP) document, which provides a comprehensive overview of an organization’s IT network, including hardware and software, as well as security processes and policies. The SSP can be filled out with a template provided by the contracting government agency or NIST, though there is no official format for a NIST 800-171 SSP.
As we’ve already discussed, the POAM element deals with areas of non-compliance. It identifies the tasks that need to be completed, the resources required, and a project timeline including milestones.
A POAM will contain the following information:
- The area(s) of non-compliance with NIST 800-171, outlining the weakness or vulnerability.
- The area(s) of the organization responsible for the system or network vulnerability.
- The resources or funding needed to solve the vulnerability.
- Key project milestones with individual deadline dates.
- The final date for becoming compliant.
- The status of the improvement project.
Once an organization has completed the steps outlined in its POAM, it will be compliant with NIST 800-171. Organizations can then retest and amend their SSP document and update their scores in SPRS to 110 points.
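To make the scoring and POAM structure above concrete, here is an added example (not code from the page or from Titania) that models a self-assessment as data, computes a score using the rules the page states (110 maximum, a weighted 1 to 5 penalty deducted for each non- or partially-compliant requirement), and derives one POAM row per gap with the fields listed above. The requirement identifiers, penalty weights, owners, budgets and dates are constructed sample data and are not the DoD assessment methodology’s actual weights; the checks on milestone ordering are this example’s own.

```python
"""Model an SPRS-style self-assessment score and derive POAM rows from it.

Added example; the sample requirements, weights, owners and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

MAX_SCORE = 110            # one point per requirement; NIST 800-171 has 110 requirements
STATUSES = {"met", "partial", "not_met"}


@dataclass
class Requirement:
    req_id: str            # requirement identifier (sample values below are constructed)
    description: str
    weight: int            # penalty deducted when not fully met; the page states a 1..5 range
    status: str            # one of STATUSES

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"{self.req_id}: unknown status {self.status!r}")
        if not 1 <= self.weight <= 5:
            raise ValueError(f"{self.req_id}: weight must be 1..5, got {self.weight}")


@dataclass
class Remediation:
    responsible: str                     # area of the organization that owns the fix
    resources: str                       # funding or staff needed
    milestones: List[Tuple[str, date]]   # (milestone, deadline) pairs
    completion_date: date                # final date for becoming compliant
    status: str = "open"                 # status of the improvement project


def sprs_score(reqs: List[Requirement]) -> int:
    """Start from the 110 maximum and deduct the weight of every gap."""
    return MAX_SCORE - sum(r.weight for r in reqs if r.status != "met")


def build_poam(reqs: List[Requirement], plans: Dict[str, Remediation]) -> List[dict]:
    """One POAM row per non- or partially-compliant requirement.

    Every gap must have a remediation plan, and milestones must be in date order
    and finish no later than the completion date, so the timeline is reviewable.
    """
    rows = []
    for r in reqs:
        if r.status == "met":
            continue
        plan = plans.get(r.req_id)
        if plan is None:
            raise ValueError(f"{r.req_id} is {r.status} but has no remediation plan")
        deadlines = [d for _, d in plan.milestones]
        if deadlines != sorted(deadlines) or (deadlines and deadlines[-1] > plan.completion_date):
            raise ValueError(f"{r.req_id}: milestones must be ordered and end by completion date")
        rows.append({
            "requirement": r.req_id,
            "weakness": r.description,
            "penalty": r.weight,
            "responsible": plan.responsible,
            "resources": plan.resources,
            "milestones": plan.milestones,
            "completion_date": plan.completion_date,
            "status": plan.status,
        })
    return rows


def is_fully_compliant(reqs: List[Requirement]) -> bool:
    """Full compliance means every requirement is met, i.e. a score of 110 and an empty POAM."""
    return all(r.status == "met" for r in reqs) and sprs_score(reqs) == MAX_SCORE


# Constructed sample assessment: two gaps, one partial and one unmet.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", "Limit system access to authorized users and devices", 5, "met"),
    Requirement("3.5.3", "Use multifactor authentication for privileged and network access", 5, "not_met"),
    Requirement("3.13.1", "Monitor and protect communications at external boundaries", 3, "partial"),
    Requirement("3.4.8", "Apply deny-by-exception policy for software execution", 1, "met"),
]

# Constructed remediation plans for the two gaps above.
SAMPLE_PLANS = {
    "3.5.3": Remediation("IT Operations", "MFA licences; two engineers for six weeks",
                         [("Pilot MFA on privileged accounts", date(2024, 3, 1)),
                          ("Enforce MFA for all network access", date(2024, 4, 15))],
                         date(2024, 4, 30)),
    "3.13.1": Remediation("Network Security", "Boundary firewall rule review; one engineer for two weeks",
                          [("Audit boundary firewall rules", date(2024, 2, 15))],
                          date(2024, 2, 28)),
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_REQUIREMENTS))
    for row in build_poam(SAMPLE_REQUIREMENTS, SAMPLE_PLANS):
        print(row["requirement"], row["penalty"], row["responsible"], row["completion_date"])
```

Running the script with the sample data gives a score of 102 and two POAM rows; marking every requirement as met yields 110 and an empty POAM, which mirrors the point at which an organization updates its SSP and SPRS entry.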
Who do you submit a NIST 800-171 Plan of Action to?
Compliance with NIST 800-171 is a contractual obligation for all government contractors who handle CUI. For defense contractors, who have to prove their compliance, the POAM must be submitted into SPRS before contract award or renewal, along with an SSP and a compliance score.
Prime contractors, who bear responsibility for the NIST 800-171 compliance of their supply chain, may also request visibility of a POAM from their subcontractors.
What tools can I use to help write my Plan of Action?
The process of assessing compliance with the different NIST 800-171 requirements can be resource-intensive and time-consuming. Titania Nipper is an auditing tool that helps streamline the assessment of core network devices for compliance with NIST 800-171. Nipper can save auditors up to three hours per device audit by automating the process. Nipper’s efficient, accurate auditing capabilities are important for producing a true picture of the actual versus the desired state of a network.
Nipper can automate the assessment of 89% of NIST 800-171 requirements related to routers, switches, and firewalls, highlighting network vulnerabilities and non-compliance. Where possible, Nipper will inform users of appropriate actions required to remediate discovered issues, including the amount of time and resource required, which can be invaluable when preparing a POAM. You can download the NIST 800-171 Mapping Document to understand how Nipper can support the journey towards compliance and which core network device requirements it can automate. To discover how Titania Nipper can help you prepare your Plan of Action with Milestones, book a free demo with a member of our team today.