
CMMC Gap Remediation SOP

Sub-procedure of cmmc-sop.md

Overview

Detailed procedures for remediating identified CMMC gaps, including POA&M development, remediation planning, implementation guidance, and validation requirements. This sub-procedure covers the remediation phase following the CMMC assessment.

Scope

Parent SOP: CMMC Assessment
Pillar: Protect (Security & Compliance)
Service Area: CMMC Gap Remediation

Prerequisites

  • Parent SOP requirements met
  • CMMC assessment completed with gap register
  • SPRS score calculated and submitted to SPRS
  • Remediation engagement scoped and approved
  • Client remediation team identified
  • Budget and timeline approved

Procedure

Step 1: POA&M Development

Objective: Create compliant Plan of Action and Milestones

POA&M Requirements per CMMC:

| Element | Requirement | Compliance Note |
|---|---|---|
| Timeline | Maximum 180 days for all items | Non-negotiable deadline |
| Coverage | Maximum 80% of controls on POA&M | Must have 20%+ fully implemented |
| Specificity | Detailed milestones with dates | Vague POA&Ms rejected |
| Progress | Demonstrable progress toward completion | Evidence of ongoing work |

POA&M Template Fields:

| Field | Description | Example |
|---|---|---|
| POA&M ID | Unique identifier | POAM-2026-001 |
| Weakness/Gap | Description of deficiency | MFA not implemented for remote access |
| NIST 800-171 Requirement | Specific requirement reference | AC.L2-3.1.12 |
| Point of Contact | Responsible individual | IT Security Manager |
| Scheduled Completion | Target date (max 180 days) | 2026-06-15 |
| Milestones | Specific intermediate steps | 1. Select MFA solution (30d), 2. Deploy to pilot (60d), etc. |
| Milestone Dates | Due dates for each milestone | 2026-03-01, 2026-04-01, etc. |
| Resources | Budget, personnel, tools needed | $15,000, 2 FTE, Azure AD P2 |
| Risk Level | High/Medium/Low | High |
| Status | Not Started/In Progress/Completed | In Progress |
| Evidence | Documentation of completion | Configuration screenshot, test results |

POA&M Development Process:

  1. Prioritize Gaps - Order by severity, dependencies, resource constraints
  2. Define Milestones - Break each gap into measurable steps
  3. Assign Owners - Identify responsible parties
  4. Set Timelines - Realistic dates within 180-day maximum
  5. Estimate Resources - Budget, personnel, tools
  6. Validate Feasibility - Confirm plan is achievable
  7. Document in POA&M - Complete all required fields
  8. Obtain Approval - Executive sign-off on POA&M
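The POA&M rules above (180-day maximum, at most 80% of controls on the POA&M, dated milestones in order) are mechanical enough to check automatically before the register goes for executive sign-off. The script below is an added example written for this SOP, not SBK or DoD tooling: it validates a constructed sample register using the template fields from Step 1. The assessment date, the sample rows, and the 110-control total (assumed from NIST SP 800-171 Rev 2) are all assumptions for the illustration.

```python
"""POA&M register checks against the rules stated in this SOP (added example, not SOP tooling)."""
from dataclasses import dataclass
from datetime import date

MAX_DAYS = 180            # SOP: maximum 180 days for all items
MAX_POAM_FRACTION = 0.80  # SOP: at most 80% of controls may sit on the POA&M


@dataclass
class PoamItem:
    poam_id: str
    requirement: str            # NIST 800-171 reference, e.g. AC.L2-3.1.12
    scheduled_completion: date  # target date, must be within MAX_DAYS of assessment
    milestones: list            # [(description, due_date), ...] in planned order
    status: str                 # Not Started / In Progress / Completed


def check_item(item, assessment_date):
    """Return the rule violations for one POA&M row (empty list means compliant)."""
    findings = []
    days = (item.scheduled_completion - assessment_date).days
    if days > MAX_DAYS:
        findings.append(f"{item.poam_id}: completion {days} days out exceeds the {MAX_DAYS}-day maximum")
    if days < 0:
        findings.append(f"{item.poam_id}: scheduled completion precedes the assessment date")
    if not item.milestones:
        findings.append(f"{item.poam_id}: no milestones (vague POA&M entries are rejected)")
    previous = assessment_date
    for description, due in item.milestones:
        if due < previous:
            findings.append(f"{item.poam_id}: milestone '{description}' is dated before the prior milestone")
        if due > item.scheduled_completion:
            findings.append(f"{item.poam_id}: milestone '{description}' falls after scheduled completion")
        previous = due
    return findings


def check_coverage(items, total_controls):
    """Fraction of assessed controls still open on the POA&M, and whether it is within the limit."""
    open_requirements = {i.requirement for i in items if i.status != "Completed"}
    fraction = len(open_requirements) / total_controls
    return fraction, fraction <= MAX_POAM_FRACTION


def validate_register(items, assessment_date, total_controls):
    """All per-item findings plus the register-wide coverage finding, if any."""
    findings = []
    for item in items:
        findings.extend(check_item(item, assessment_date))
    fraction, within_limit = check_coverage(items, total_controls)
    if not within_limit:
        findings.append(f"{fraction:.0%} of controls on POA&M exceeds the {MAX_POAM_FRACTION:.0%} maximum")
    return findings


# Constructed sample data (assumptions for the illustration, not a real client register).
ASSESSMENT_DATE = date(2026, 1, 15)
TOTAL_CONTROLS = 110  # assumed NIST SP 800-171 Rev 2 requirement count
SAMPLE_REGISTER = [
    PoamItem("POAM-2026-001", "AC.L2-3.1.12", date(2026, 6, 15),
             [("Select MFA solution", date(2026, 3, 1)),
              ("Deploy to pilot", date(2026, 4, 1)),
              ("Roll out to all remote users", date(2026, 6, 1))], "In Progress"),
    PoamItem("POAM-2026-002", "SC.L2-3.13.16", date(2026, 8, 30),   # 227 days out: over the limit
             [("Enable BitLocker on laptops", date(2026, 5, 1))], "Not Started"),
    PoamItem("POAM-2026-003", "AU.L2-3.3.4", date(2026, 4, 30),
             [], "Not Started"),                                     # no milestones: too vague
]

if __name__ == "__main__":
    for finding in validate_register(SAMPLE_REGISTER, ASSESSMENT_DATE, TOTAL_CONTROLS):
        print(finding)
```

Run against the sample register, the script reports two findings: POAM-2026-002 overruns the 180-day window and POAM-2026-003 has no milestones. The coverage check is keyed on distinct requirements rather than rows, so two POA&M rows against the same control count once.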

Step 2: Remediation Planning

Objective: Create actionable remediation roadmap

Remediation Phases:

| Phase | Timeline | Focus Areas |
|---|---|---|
| Immediate | Days 1-30 | Quick wins, critical gaps, blocking issues |
| Short-Term | Days 30-60 | High-priority controls, policy gaps |
| Medium-Term | Days 60-120 | Technical implementations, process changes |
| Completion | Days 120-180 | Final items, validation, documentation |

Remediation Categories:

| Category | Typical Items | Approach |
|---|---|---|
| Documentation | Policies, procedures, SSP updates | Template-based, SBK-led |
| Technical | Configuration, tools, infrastructure | IT-led, SBK guidance |
| Process | Workflows, training, procedures | Business-led, SBK guidance |
| Third-Party | Vendor solutions, cloud services | Procurement + implementation |

Resource Planning Matrix:

| Resource Type | Examples | Allocation Method |
|---|---|---|
| Internal IT | System administrators, network engineers | Hours per remediation item |
| Internal Business | Process owners, trainers | Hours per remediation item |
| SBK Consulting | Policy development, guidance, validation | Engagement hours |
| Third-Party Vendors | Tool vendors, implementation partners | Project-based |
| Budget | Software, hardware, services | Per-item estimation |

Step 3: Policy and Procedure Remediation

Objective: Address documentation gaps

Standard Policy Templates Provided:

| Policy | NIST 800-171 Coverage | Customization Required |
|---|---|---|
| Information Security Policy | Multiple families | Organization-specific context |
| Access Control Policy | AC family | System-specific procedures |
| Configuration Management Policy | CM family | Baseline definitions |
| Incident Response Policy | IR family | Contact information, procedures |
| Media Protection Policy | MP family | Media handling procedures |
| Personnel Security Policy | PS family | HR integration |
| Risk Management Policy | RA, CA families | Risk tolerance, assessment process |
| System & Communications Protection Policy | SC family | Technical specifications |

Procedure Development Process:

  1. Review Template - Assess SBK template against environment
  2. Customize - Adapt for organizational structure and systems
  3. Stakeholder Review - IT, HR, Legal, Business review
  4. Executive Approval - Formal policy approval
  5. Communication - Distribute to affected personnel
  6. Training - Train on new procedures
  7. Acknowledgment - Collect signed acknowledgments
  8. SSP Update - Update SSP with policy references

Step 4: Technical Remediation

Objective: Implement technical controls

Common Technical Remediation Areas:

Access Control (AC):

| Requirement | Remediation Approach | Tools/Technologies |
|---|---|---|
| AC.L2-3.1.5 - Least Privilege | Implement RBAC, regular access reviews | Azure AD, Active Directory |
| AC.L2-3.1.12 - Remote Access | Deploy MFA for all remote access | Duo, Azure MFA, RSA |
| AC.L2-3.1.14 - Wireless Access | Secure wireless configuration | WPA3, certificate auth |

Identification & Authentication (IA):

| Requirement | Remediation Approach | Tools/Technologies |
|---|---|---|
| IA.L2-3.5.3 - MFA | Implement MFA for CUI access | Duo, Azure MFA, YubiKey |
| IA.L2-3.5.7 - Password Complexity | Enforce strong password policy | AD GPO, IdP configuration |
| IA.L2-3.5.10 - Password Reuse | Configure password history | AD GPO, IdP configuration |

System & Communications Protection (SC):

| Requirement | Remediation Approach | Tools/Technologies |
|---|---|---|
| SC.L2-3.13.1 - Boundary Protection | Network segmentation, firewall rules | Firewall, VLAN, microsegmentation |
| SC.L2-3.13.8 - Data in Transit | TLS 1.2+ for all CUI transmission | Certificate management, HTTPS |
| SC.L2-3.13.11 - FIPS Encryption | Deploy FIPS 140-2 validated modules | FIPS-validated solutions |
| SC.L2-3.13.16 - Data at Rest | Encrypt all CUI storage | BitLocker, LUKS, Azure Encryption |

Audit & Accountability (AU):

| Requirement | Remediation Approach | Tools/Technologies |
|---|---|---|
| AU.L2-3.3.1 - Audit Logs | Configure comprehensive logging | SIEM, log management |
| AU.L2-3.3.2 - User Accountability | Enable user attribution in logs | Centralized logging |
| AU.L2-3.3.4 - Audit Failure Alerting | Configure alerting for log failures | SIEM alerting |

Step 5: Evidence Collection for Remediation

Objective: Document remediation with evidence

Evidence Requirements per Remediation:

| Evidence Type | Purpose | Examples |
|---|---|---|
| Before State | Baseline documentation | Previous configuration screenshots |
| Implementation | Proof of change | Change tickets, deployment records |
| After State | Current configuration | Configuration screenshots, test results |
| Testing | Validation of effectiveness | Test cases, results |
| Approval | Authorization documentation | Approval emails, sign-offs |

Evidence Organization:

/CMMC-Remediation-Evidence/
├── POA&M/
│   ├── POAM-Current.xlsx
│   └── POAM-History/
├── By-Requirement/
│   ├── AC/
│   │   ├── AC.L2-3.1.5/
│   │   ├── AC.L2-3.1.12/
│   │   └── ...
│   ├── IA/
│   ├── SC/
│   └── ...
└── SSP-Updates/

Step 6: Remediation Validation

Objective: Verify remediation effectiveness

Validation Activities:

| Activity | Purpose | Method |
|---|---|---|
| Configuration Review | Verify settings match requirements | Technical review |
| Control Testing | Confirm control operates as intended | Functional testing |
| Evidence Validation | Ensure evidence is complete and accurate | Documentation review |
| SSP Update | Update SSP with implementation details | Document revision |
| POA&M Update | Mark items complete with evidence | POA&M maintenance |
| SPRS Update | Update SPRS score if significantly improved | SPRS portal |

Validation Checklist per Remediated Item:

  • Implementation complete per remediation plan
  • Configuration validated against requirement
  • Control tested and confirmed effective
  • Evidence collected (before, implementation, after)
  • SSP updated with implementation details
  • POA&M item marked complete with evidence
  • Control owner sign-off obtained
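The evidence folder layout from Step 5 and the "evidence collected (before, implementation, after)" checklist item above can be audited the same way every time an item is marked complete. The script below is an added example written for this SOP, not SBK tooling: it walks the By-Requirement tree, reports which evidence stages each requirement folder lacks, and flags any POA&M item marked Completed that has no evidence folder at all. The stage subfolder names (before, implementation, after), the sample tree and the sample completed-item list are assumptions for the illustration; the tree is constructed in a temporary directory so the script runs offline.

```python
"""Evidence package completeness audit over the SOP's By-Requirement layout (added example, not SOP tooling)."""
import tempfile
from pathlib import Path

# Assumed per-requirement subfolder names for the three mandatory evidence stages.
REQUIRED_STAGES = ("before", "implementation", "after")


def requirement_dirs(root):
    """Yield (requirement id, folder) for every By-Requirement/<family>/<requirement>/ folder."""
    by_requirement = Path(root) / "By-Requirement"
    for family in sorted(by_requirement.iterdir()):
        if not family.is_dir():
            continue
        for req in sorted(family.iterdir()):
            if req.is_dir():
                yield req.name, req


def missing_stages(req_dir):
    """Stages whose subfolder is absent or empty; an empty folder is not evidence."""
    return [stage for stage in REQUIRED_STAGES
            if not (req_dir / stage).is_dir() or not any((req_dir / stage).iterdir())]


def audit_evidence(root, completed_requirements):
    """Map each deficient requirement to its missing stages.

    Requirements the POA&M marks Completed but which have no folder at all
    are reported as missing every stage, so they cannot slip through."""
    report = {}
    seen = set()
    for name, req_dir in requirement_dirs(root):
        seen.add(name)
        gaps = missing_stages(req_dir)
        if gaps:
            report[name] = gaps
    for requirement in completed_requirements:
        if requirement not in seen:
            report[requirement] = list(REQUIRED_STAGES)
    return report


def build_sample_tree(root):
    """Constructed sample package mirroring the SOP layout (assumed file names, no real client data)."""
    files = [
        "POA&M/POAM-Current.xlsx",
        "By-Requirement/AC/AC.L2-3.1.12/before/vpn-no-mfa.png",
        "By-Requirement/AC/AC.L2-3.1.12/implementation/CHG-0042.txt",
        "By-Requirement/AC/AC.L2-3.1.12/after/vpn-mfa-enforced.png",
        "By-Requirement/AC/AC.L2-3.1.12/testing/mfa-prompt-test.txt",
        "By-Requirement/AC/AC.L2-3.1.5/before/group-membership.csv",   # no implementation record
        "By-Requirement/AC/AC.L2-3.1.5/after/group-membership.csv",
    ]
    for rel in files:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    # A requirement folder with only an empty 'after' subfolder: counts as no evidence.
    (Path(root) / "By-Requirement" / "IA" / "IA.L2-3.5.3" / "after").mkdir(parents=True)
    (Path(root) / "SSP-Updates").mkdir()


def run_sample():
    """Build the sample tree and audit it against an assumed list of Completed POA&M items."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_evidence(root, ["AC.L2-3.1.12", "AC.L2-3.1.5", "SC.L2-3.13.16"])


if __name__ == "__main__":
    for requirement, gaps in run_sample().items():
        print(f"{requirement}: missing {', '.join(gaps)}")
```

On the sample tree, AC.L2-3.1.12 passes, AC.L2-3.1.5 is missing its implementation record, IA.L2-3.5.3 has only an empty folder, and SC.L2-3.13.16 is marked Completed with no folder at all. Point `audit_evidence` at the real `/CMMC-Remediation-Evidence/` root and the list of Completed POA&M IDs' requirements to use it during Step 6.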

Deliverables

| Deliverable | Format | Owner |
|---|---|---|
| POA&M Document | Excel (DoD format) | SBK Lead |
| Remediation Roadmap | Project plan | Project Manager |
| Policy Templates (customized) | Word/PDF | SBK Consultant |
| Technical Implementation Guides | Word/PDF | SBK Technical Lead |
| Evidence Package | Organized folders | Client IT |
| Updated SSP | Word/PDF | SBK Consultant |
| SPRS Score Update | Portal submission | Client |
| Remediation Completion Report | Executive summary | SBK Lead |

Quality Gates

  • POA&M meets CMMC requirements (180 days, <80% on POA&M)
  • All critical gaps addressed in first 30 days
  • All high gaps addressed within 90 days
  • Policies approved and distributed
  • Technical controls validated through testing
  • Evidence collected for all remediated items
  • SSP updated with current state
  • SPRS score improved and updated
  • Client sign-off on remediation completion

Last Updated: February 2026
Parent SOP: cmmc-sop.md