There are a lot of questions surrounding DFARS requirements and implementing a POA&M for DoD Contractors. What does it mean for your business? What happens now that I have a POA&M and SSP? (Still not compliant? Check out parts 1-5 of this series) To help guide you through the process, here are some questions and answers that you may need to know.
47. Can you describe the contents of a system security plan?
48. What guidance can you provide on how long a company has to implement the POA&M?
There is no hard and fast guidance. We have seen POA&Ms that are just a few weeks long for a company that is almost 100% technically compliant, to 18+ months for organizations who are just starting their technical compliance journey. The government has released no known direct guidance on this.
49. If the DFARS clause was not part of the original contract, does it now apply, or only apply to contracts with the 7012 clauses?
The DFARS clause only applies to contracts that have the actual clause in the contract. However, if you have a single contract with the clause, you must be compliant across the board.
50. For the POA&M, are only the open security controls to be shown?
It is a good idea to leave all closed POA&M actions in the document for reference as they are closed, but if you are just beginning the POA&M, then only those controls that are currently open need to be listed.
51. How does a small company maintain separation of duties with one IT/Admin person?
Typically, a small company would have either a company principal act in some of those roles or an outside IT service provider can assist in this way.
52. Does the DoD have a requirement to tell the contractor what CDI/CUI must be protected?
The Government should properly mark content according to the marking guidance. However, this does not always happen. Additionally, many contractors create CUI in the performance of the contract and this content must be properly marked and protected as well.
53. Do all 110 NIST 800-171 Security controls have to be in the POA&M?
The only controls that must be listed in the POA&M are those that are not fully satisfied within the SSP.