puzzle peices that say control strategy security regulation rules policies and guidelines

How to Compile a Plan of Action and Milestones

You must create a Plan of Action and Milestones to become NIST 800-171 compliant.

If your business contracts or subcontracts with the Federal Government, you may have heard about the new NIST 800-171 compliance regulations. One of the key documents you need to compile for upcoming contract awards is known as a Plan of Action with Milestones. While your Plan of Action with Milestones needs to be thorough, it’s less complicated then you might think to assemble.

What do you have to include in your Plan of Action and Milestones?

The NIST 800-117 security standards include 110 requirements which you need to consider in relation to your business. Not every requirement may apply to you, but for those that do, you need to assess whether your business meets them or not. For any requirements that your business does not meet, your Plan of Action and Milestones needs to outline how and when you plan to meet these requirements.

While NIST 800-171 doesn’t specify a particular format for this document, the federal government does maintain a standard format for Plan of Action with Milestones documents. This format was described in a memorandum from the Office of Management and Budget in 2001, and is still commonly used by government agencies today.

Who do you submit it to?

For Direct Awards

Your Plan of Action with Milestones will be part of the standard security acceptance package (SAP), submitted within 30 days of any contracts awarded after December 31st. Ultimately, the program managers and contracting officers associated with your government contract will have an opportunity to review your Plan of Action with Milestones. Under the upcoming acquisition guidelines, acceptance of your SAP will grant your organization authorization to operate (ATO) for the contract you were awarded.

For Subcontracts from a Prime Contractor

If your organization is receiving subcontracts based on an award to your “upstream” prime contractor, then your reporting structure will be driven by clauses in your purchase order or other contractual instrument. Under paragraph (m) of DFARS 252.204-7012, you’re required to submit any variances in your compliance to NIST 800-171 to the prime who awarded you work. The Plan of Action with Milestones is the appropriate document needed to accomplish this. The acquisition officers who oversee your prime’s contract will ultimately receive the document, as part of your prime’s reporting duties for their subcontractors.

Does this make you NIST 800-171 compliant?

Not exactly. A Plan of Action and Milestones is one of the main documents you need to submit to your contracting officer to continue fulfilling federal contracts. (The other two main documents are your System Security Plan and Incident Response Plan.) However, to become fully compliant you still have to follow through on your Plan of Action with Milestones, and that includes providing documentation of your progress along the way.

It’s important to note that contracting officers can still provide you with authorization to operate after December 31st, even if you aren’t fully compliant. As long as you can demonstrate continued progress towards meeting your milestones in a timely manner, contracting officers can continue to grant ATO on contracts.

It’s worth stating that ATO for noncompliant contractors will be much more difficult to attain for contracts that are deemed mission-critical, a national security concern, or those that are part of newly-designed platforms (containing lots of new intellectual property).

What are the next steps?

Compiling a comprehensive Plan of Action and Milestones takes time and effort. Following through on it even more so. But if you recognize how important compliance is to your organization and the security of your systems, the you know how important it is to cross every ‘t’ and dot every ‘i.’ If accomplishing this on your own sounds like a task beyond your expertise (or one that your IT department is too busy to handle), we can help.