February 16, 2026

Last Updated on February 18, 2026

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework defines a conditional certification status at Levels 2 and 3, which is valid for up to 180 days. To move from conditional to final CMMC certification, a company must close out all nonconformities identified in its Plans of Action and Milestones (POA&Ms).

The purpose of conditional CMMC certification is to allow defense industrial base (DIB) contractors to quickly close non-critical cybersecurity gaps and advance toward final certification while remaining eligible to participate in US Department of War (DoW) contracts. But its many limitations and significant risks make conditional status a poor lifeline for orgs struggling to achieve compliance.

How does CMMC conditional certification work and could your business benefit from strategically leveraging conditional status? This article covers all the key factors to help you plan your CMMC compliance and certification roadmap.

Key takeaways

  • CMMC conditional certification status is valid for 180 days only. All nonconformities must be addressed within that timeframe.
  • Failure to address deficiencies within 180 days leads to revocation of conditional certification and ineligibility for contract participation, along with possible sanctions.
  • Only specific “non-critical” CMMC controls can be remediated during the conditional certification period.
  • To be eligible for conditional CMMC Level 2 certification, a company must meet 80% or more of the compliance goal (88 or more points out of 110).
  • Conditional CMMC certification should be viewed as a planned opportunity to spread out costs and effort while efficiently addressing a few remaining non-critical compliance gaps—not as a way to buy time for a faltering CMMC program.

What are the requirements for CMMC conditional certification?

CMMC conditional certification is a time-limited authorization that lets DIB orgs participate in DoW contracts while remediating minor compliance gaps. Requirements for CMMC conditional status include:

  • CMMC conditional certification status is valid for only 180 days. All POA&M issues must be verifiably addressed within that timeframe.
  • If a contractor fails to mitigate all identified deficiencies within 180 days, their conditional certification status expires—making them ineligible for contracts. This is a major risk for DIB orgs.
  • Only CMMC Level 2 or Level 3 certification levels are eligible for conditional certification. CMMC Level 1 requires full compliance at audit time.
  • To be awarded conditional CMMC Level 2 certification a business must meet 80% or more of the compliance goal; that is, 88 or more points out of a possible 110 for full compliance with the 110 controls defined in NIST SP 800-171 Rev. 2.
  • To achieve CMMC Level 3 conditional certification, in addition to full Level 2 compliance a business must meet 80% (19 points) of the additional 24 controls defined in NIST SP 800-172 to counter advanced persistent threats (APTs).
  • Only certain non-critical controls can be included in a CMMC POA&M.

What is a CMMC POA&M?

In the US government’s Code of Federal Regulations (CFR) 32, a POA&M is defined as “A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones, as defined in NIST SP 800–115.”

POA&Ms within CMMC are intended to smooth the compliance and contract award process, not delay compliance. POA&Ms must embody a clear, achievable commitment to promptly resolve non-critical cybersecurity gaps. As an integral part of how an OSC represents its cybersecurity posture in the marketplace, POA&Ms are a legal and contractual commitment to achieve CMMC compliance within a time-limited period.

Per the CMMC Final Rule, each POA&M must include the following information to be approved by a CMMC Third-Party Assessment Organization (C3PAO) or as part of a self-assessment:

  • Details on the unmet control and the nature of the shortcoming
  • Start and completion dates plus milestone dates
  • The party assigned responsibility for POA&M resolution
  • Planned steps to correctly implement the control
  • Current remediation status including actions taken to date

C3PAOs need to know specific POA&M remediation plans and status showing active progress in step with the plan. Failure to show progress could derail contract participation and possibly even lead to sanctions.

CMMC mandates that OSCs have 180 days from the date of their conditional certification to close out all POA&Ms. Firms can close out their own POA&Ms if they were created during a self-assessment. Vulnerabilities identified by a C3PAO or government assessor during a Level 2 certification audit must be closed out with a follow-up assessment by that same third party. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) must close out all Level 3 conditional certifications and associated POA&Ms.

Table 1 lists POA&M requirements at the three CMMC levels.


| | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| POA&Ms allowed? | No | For non-critical controls | For non-critical controls |
| Minimum score | Full compliance at audit time required | 80% (88 out of 110 possible points) | 80% (108 out of 134 possible points) |
| Critical controls | All controls are equally important | All critical controls required | All critical controls required |
| Timeframe | No conditional status | All gaps resolved within 180 days | All gaps resolved within 180 days |
| Closeout | Does not apply | OSC or C3PAO | DIBCAC |

What controls are eligible for inclusion in CMMC Level 2 POA&Ms?

CMMC Level 2 compliance is evaluated using a points-based system. Each of the 110 controls in NIST SP 800-171 is given a criticality value of 1, 3, or 5 points:

  • 1 point for non-critical or low-impact controls (e.g., using firewalls to manage access to controlled unclassified information (CUI) assets).
  • 3 points for “moderate” impact controls (e.g., using FIPS-validated encryption for CUI).
  • 5 points for critical controls (e.g., multifactor authentication (MFA) for systems that handle CUI).

An organization seeking certification (OSC) at CMMC Level 2 starts out with 110 compliance points. The scoring is subtractive: the point value of each control found not implemented is deducted from that total.

An 80% score (88 points minimum) with only approved 1-point controls missing is required for conditional certification and remediation through POA&Ms. Failing any 3- or 5-point critical control implementation (with one exception) automatically causes a failed audit even if your total compliance score is high.

Some of the 1-point controls that cannot be implemented through POA&Ms include:

  • AC.L2-3.1.20 (External Connections)
  • AC.L2-3.1.22 (Control Public Information)
  • CA.L2-3.12.4 (System Security Plan)
  • PE.L2-3.10.3 (Escort Visitors)
  • PE.L2-3.10.4 (Physical Access Logs)
  • PE.L2-3.10.5 (Manage Physical Access)

For example, a supplier that complies with 99 out of 110 CMMC Level 2 controls during a C3PAO audit could create detailed POA&Ms for the remaining 11 1-point controls, assuming all are eligible. Upon being awarded conditional CMMC compliance, they would have 180 days to remediate and document successful implementation of all 11 controls, while conditionally participating in DoW contracts. If a follow-up audit confirms that all POA&M items are mitigated, the company would be awarded final CMMC Level 2 certification status, good for three years.
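The scoring and eligibility rules above (subtractive scoring from 110, the 88-point minimum, no failed 3- or 5-point controls, and the listed 1-point controls that cannot go in a POA&M) can be checked mechanically before an assessment. The following Python is an added illustration, not code from the article or from CBIZ Pivot Point Security. The "HYPO-xx" control IDs are constructed placeholders rather than real NIST SP 800-171 identifiers, and the single exception the article mentions for a 3- or 5-point control is not modelled: every failed 3- or 5-point control is treated as a blocker.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110               # one control per NIST SP 800-171 Rev. 2 requirement
CONDITIONAL_THRESHOLD = 88    # 80% of 110, the minimum for conditional Level 2 status
VALID_POINT_VALUES = {1, 3, 5}

# 1-point controls the article lists as NOT eligible for inclusion in a POA&M.
POAM_INELIGIBLE_ONE_POINT = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass
class Level2Result:
    score: int
    eligible: bool
    poam_items: list[str] = field(default_factory=list)  # gaps that may be deferred to a POA&M
    blockers: list[str] = field(default_factory=list)    # reasons conditional status is denied


def evaluate_level2(failed: dict[str, int]) -> Level2Result:
    """`failed` maps control ID -> point value (1, 3 or 5) for every control
    found NOT implemented. Scoring is subtractive from 110. Any failed 3- or
    5-point control, any failed 1-point control excluded from POA&Ms, or a
    score below 88 blocks conditional certification (the article's single
    exception for a higher-weighted control is deliberately not modelled)."""
    for cid, pts in failed.items():
        if pts not in VALID_POINT_VALUES:
            raise ValueError(f"{cid}: point value must be 1, 3 or 5, got {pts}")

    score = MAX_SCORE - sum(failed.values())
    blockers: list[str] = []
    poam_items: list[str] = []

    for cid, pts in sorted(failed.items()):
        if pts > 1:
            blockers.append(f"{cid} is a {pts}-point control and cannot be deferred to a POA&M")
        elif cid in POAM_INELIGIBLE_ONE_POINT:
            blockers.append(f"{cid} is a 1-point control excluded from POA&Ms")
        else:
            poam_items.append(cid)

    if score < CONDITIONAL_THRESHOLD:
        blockers.append(f"score {score} is below the {CONDITIONAL_THRESHOLD}-point minimum")

    return Level2Result(score=score, eligible=not blockers,
                        poam_items=poam_items, blockers=blockers)


# Constructed scenario mirroring the article's example: 11 eligible 1-point gaps.
# The HYPO-xx IDs are placeholders, not real NIST SP 800-171 control IDs.
EXAMPLE_FAILED = {f"HYPO-{i:02d}": 1 for i in range(1, 12)}

if __name__ == "__main__":
    result = evaluate_level2(EXAMPLE_FAILED)
    print(f"score={result.score} eligible={result.eligible} "
          f"poam_items={len(result.poam_items)} blockers={result.blockers}")
```

Running the module on the constructed scenario reports a score of 99 with 11 POA&M-eligible items and no blockers; adding one of the excluded 1-point controls, or a single 5-point control, flips the result to ineligible regardless of the total score, which is the practical point of the article's "high score is not enough" warning.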

Is conditional CMMC certification a good strategy for my business?

For organizations that are on track for compliance but could benefit from some extra time, conditional CMMC certification can be a temporary solution to spread out efforts and expenses while rapidly closing non-critical gaps. Conditional CMMC certification is a viable, safe option only if your business can:

  • Accurately identify all compliance gaps.
  • Prioritize, document, and implement all “critical” 5-, 3-, and 1-point controls not eligible for POA&Ms before your CMMC Level 2 certification audit.
  • Commit to detailed POA&Ms and successfully execute on all of them within 180 days of conditional certification award.

Documentation to validate consistent, compliant control operation is as important for CMMC certification—especially conditional certification—as the controls themselves. Record your progress carefully so you can prove to auditors that your cybersecurity posture is CMMC compliant at your chosen level. This is key to expedite final certification status.

If you plan to leverage consulting support, engage with a trusted partner before or immediately after being awarded conditional certification to ensure follow-through on your final certification plan. Failure to close out agreed POA&Ms will result in loss of conditional certification and potentially loss of contracts.

Best practices to support a conditional CMMC certification strategy

With CMMC clauses now appearing in DoW solicitations and prime contractors looking for subcontractors that can demonstrate CMMC Level 2 compliance, DIB orgs that plan to stay in the game must be moving steadily towards CMMC certification in line with a solid plan.

If POA&Ms are part of your plan, then success will depend on managing them effectively. Essential steps include:

  • Make sure you have a discrete, detailed mitigation plan for each compliance item.
  • Use a risk-based approach to prioritize your mitigation steps.
  • Don’t neglect the potential need for temporary controls for urgent vulnerabilities with longer implementation timelines.
  • Schedule frequent, specific milestones along your 180-day remediation timeline.
  • Set and perform frequent (e.g., bi-weekly or weekly) check-ins to review progress toward defined milestones.
  • Keep your system security plan (SSP)—the heart of your CMMC program—in lock-step with your POA&M implementation progress, so auditors can visualize the gap between your current cybersecurity posture and CMMC compliance.
  • Stay up to date with all evidence of control operation and other documentation so you are not scrambling as your closeout audit approaches. Auditors will appreciate documentation that is complete, well organized, and easy to access.

Project management or compliance software can be useful for businesses that are remediating multiple POA&M items. Tools can help automate repetitive steps, simplify tracking and accountability, and reduce the risk of surprises at audit time.

Next steps

For organizations looking to establish and maintain CMMC compliance, CBIZ Pivot Point Security offers a one-stop solution. With thousands of successful cybersecurity compliance engagements spanning twenty-plus years in the industry, we offer a full range of CMMC services, including:

  • Expert support to ensure optimal and timely POA&M implementation.
  • Help with accurately assessing your current CMMC compliance status, no matter where you are in the certification process.
  • Ongoing CMMC compliance monitoring and management of your operational controls, including evidence collecting, testing, and documentation.
  • Independent support and validation for your self-attested CMMC Level 2 compliance and senior official signoff in years two and three of your recertification cycle.
  • Strategic and/or tactical guidance to update controls and compliance artifacts when changes occur in your CMMC scope or SSP.
  • CMMC training that transforms your team into your strongest compliance asset and identifies ways to optimize new processes and responsibilities.

As your trusted partner on your CMMC certification journey, CBIZ Pivot Point Security offers a 100% satisfaction guarantee.

Contact us today to schedule a consultation with a CMMC expert to discuss your current cybersecurity program and what it will take to help you achieve compliance now.
