Phase 2 of the NIST SP 800-171/CMMC Consulting methodology is Design & Plan. Deliverables include the Plan of Action & Milestones (POA&M) required by NIST SP 800-171 requirement 3.12.2.
Peak InfoSec's NIST SP 800-171 & CMMC Consulting Methodology Phase 2: Design & Plan

Consulting Phase 2: Design & Plan

After completing Consulting Phase 1: Gap Assessment, we enter Phase 2, Design & Plan.  This phase has two goals: design the to-be architecture for how your organization will safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and build the Plan of Action & Milestones (POA&M) that closes the gaps against the NIST SP 800-171 Security Requirements.

Step 1: Design

In the Design step, we work with your staff to translate the recommended remediations from the previous phase into concrete choices and technical answers.

Unlike other firms, we leave our recommendations generic on purpose.  First, we are not resellers of anything and want no kickbacks.  We know it sounds corny, but your trust is worth more than a few bucks we could make.  Second, we want to leverage as much as you already have in your portfolio.  Lastly, when we do need to help you acquire a tool or service, we will always point you to preferred vendors we have used to meet the needs you face.

The output of the Design step is your to-be, or target, architecture: the end state we are driving toward.  Like a road trip, you have to know where you are (Phase 1) and where you are going (Design step) in order to figure out how to get there (Plan step).

Step 2: Plan

For some organizations, the output of this step, a POA&M, is the first time they have MET NIST SP 800-171 requirement 3.12.2, “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.”

Plan Step a:  Fill-in “One-Day” Gantt Chart

Over the past 7 years of helping organizations remediate deficiencies, we have developed a templated POA&M built on a standard Gantt chart.  We start from that template and rough out the overall timing and sequence of the remediations needed, which become the “actions” and “milestones” in the POA&M.

We then work with your organization to see if this timeline is achievable and in line with your vision.

Plan Step b: Resource the Project Plan

This is the step where we lose clients to the CMMC Seven Stages of Grief.  Organizations start getting overwhelmed by the work in front of them, the costs, and the labor hours involved.  This leads to avoidance, bargaining, and denial.

We have to pull clients back from despair and break the work down over time so it can be budgeted and planned for.

WARNING:  Pushing this off is not a winning strategy.  It invariably will cost your organization more money.  For more info on this, go watch As the CMMC Churns: Good, Fast, or Cheap. Pick one, Punk!

Plan Step c: Finalize Timing

Many times we actually start the Plan step here, by establishing your Big, Hairy Audacious Goal (BHAG): the date by which your organization wants to be certified.

Knowing your CMMC BHAG, we loop it back in as the final milestone when building out your Gantt chart, and use it to help you gauge resourcing.  We also use the CMMC BHAG to help organizations step away from the CMMC Seven Stages of Grief when they get overwhelmed.

Once this step is finalized, we now have your organization’s POA&M.

Plan Step d: Manage POA&M Revisions

“No plan survives first contact with the enemy.”
Prussian Field Marshal Helmuth von Moltke the Elder

POA&Ms, likewise, do not survive the first steps of executing them in the Remediation Phase.

The entire point of this step is to update, adjust, remove, and even add POA&M items as remediation progresses.  Your POA&M, like your System Security Plan (SSP), is a living artifact that should be continuously updated.

Consulting Phase 2: Design & Plan Deliverables

The following deliverables are provided in this Phase:

  • To-Be Architecture:  A combination of scoping, network, and supplemental architecture diagrams.  These are the draft artifacts that will end up in your revised SSP.
  • Plan of Action & Milestones (POA&M):  We provide the finalized POA&M in various forms for tracking and working the items.  Interestingly, we have seen many organizations adopt Microsoft Planner to work their POA&M.
  • System Security Plan (SSP):  If your organization doesn’t have an SSP, we start you off with our SSP template and fill in enough to make your organization “eligible” for DoD work prior to the CMMC rule going into full effect.
  • NIST SP 800-171 Assessment Score + POA&M Estimated Completion Date (ECD) → Submit SPRS Score:  For organizations that have never scored themselves or had an SSP, this is the first time they can accurately submit their score to the Supplier Performance Risk System (SPRS).  If they have never done that, we guide them through the process.

An Authorized CMMC 3rd Party Assessment Organization (C3PAO)