Important News:SafeLogic announces PQC Early Adopter Program at RSA Conference 2024 Learn more!

The SafeLogic Blog

The Problem with POA&Ms

March 30, 2021 Walt Paley

The Problem with POA&Ms

You did your 800-171 (the NIST publication on Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) self-assessment and did well. You even uploaded your report to SPRS (Supplier Performance Risk System). Most of the 110 controls were already all set and the leftovers were addressed with POA&Ms (Plan of Action & Milestones). You were feeling good about Cybersecurity Maturity Model Certification.

Then you got the word - CMMC  auditors won’t accept POA&Ms. Zero. None. Zilch.

For most of those leftover controls, that’s not a big deal. You were already firming up and completing the steps to meet the requirements. A few new protocols hadn’t been implemented yet, but internal training was already scheduled so it will be addressed shortly. You run back through the checklist and your actions are all going to fall into place and the POA&Ms will be removed with time to spare before the auditors arrive... except for one. FIPS-validated encryption.

The timeline to achieve FIPS 140 validation for encryption has traditionally been 12-18 months, but you heard that the CMVP (Cryptographic Module Validation Program) was under-resourced and running a deficit on their testing queue, so the timeline is definitely getting even worse. CMVP is something of a black box when it comes to timing, so the idea of waiting indefinitely for a FIPS validation is a non-starter. The C3PAO auditors (CMMC Third-Party Assessor Organization) aren’t going to accept that. This is the problem with POA&Ms. CMMC just isn’t allowing for that kind of deferral.

This is where SafeLogic excels.

The Problem with POA&MsOur RapidCert program, the simplified and accelerated FIPS validation service, is tied to our portfolio of CryptoComply modules. Each version of CryptoComply has already been lab tested, certified, and validated by the CMVP, which means that if you license, integrate, and deploy CryptoComply, we can initiate a RapidCert and have a validation in your name in less than 8 weeks. Yes, you read that correctly.

Forget the 12-18+ month waiting list. Forget about building a module from scratch and testing each algorithm individually. Forget about the documentation effort and coordinating with a lab. Forget about incurring hours with a consulting firm. And forget about pulling engineers from their product-focused tasks to ask them to deal with FIPS.

We will help you identify the right version of CryptoComply for your use case. Then it’s plug-and-play. You can even do the integration in parallel with our validation efforts to maximize the time savings and increase the competitive advantage. Don't waste any more time - if you need FIPS validated encryption to sell your products under CMMC certification, let's talk asap.

Walt Paley

Walt Paley

Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.

Share This:

Back to posts

Popular Posts

Search for posts


See all