CMMC Level 2 POA&M Case Study
Executive Summary
This System Operating Policies & Milestones (SOP&M) document is a sanitized case study based on a real engagement preparing a mid-sized defense contractor for CMMC Level 2.
Engagement Context: This initial CMMC Level 2 assessment was delivered solo in 4 days, covering all 14 domains (110 controls) with evidence capture. The deliverables, a 72-page POA&M and a leadership next-steps memo summarizing findings and recommended priorities, were completed within that same 4-day window.
The original internal document served as both a Plan of Action & Milestones (POA&M) for tracking all remediation work, and a Security Program Implementation Plan feeding into the System Security Plan (SSP).
For this client, I:
- Performed a control-by-control assessment across all 14 CMMC domains (110 controls).
- Conducted evidence capture and gap analysis for each domain.
- Documented weaknesses, planned actions, ownership, and milestones.
- Designed a policy + SOP stack that turned ad-hoc IT operations into a structured compliance program.
- Authored an executive summary and next-steps memo for leadership to understand findings and prioritize remediation.
About This Portfolio Version:
The complete internal SOP&M/POA&M document spans 72+ pages with detailed control-by-control analysis, gap assessments, remediation plans, and policy deliverables across all 14 CMMC domains.
For portfolio presentation purposes, this page highlights key representative domains to demonstrate the depth, structure, and methodology of the work. Each domain follows the same format: gap identification, then remediation actions, then policy deliverables.
All client-specific details (company name, domains, IP ranges, locations, ticket IDs, etc.) have been removed or generalized. The structure, analysis, and remediation approach are preserved to demonstrate my work.
Document Metadata
| Document Type | System Operating Policies & Milestones (SOP&M) / POA&M |
|---|---|
| Author | Jeremy Tarkington (solo assessment and documentation) |
| Role | Systems Engineer III (MSP) |
| Timeline | 4 days (initial assessment, evidence capture, 72-page POA&M, and leadership memo) |
| Scope | 14 CMMC domains, 110 controls (NIST SP 800-171 Rev 2) |
| Frameworks | NIST SP 800-171 Rev 2, CMMC Level 2 |
| Classification | Sanitized case study; client identifiers removed |
Program Governance and Ownership
To keep CMMC work repeatable and auditable, I defined a simple governance structure:
Roles
- CMMC Program Manager / Security Officer: owns CMMC implementation and documentation; maintains the SSP and POA&M
- IT Director / Systems Engineer: implements technical safeguards; maintains configurations, GPOs, and firewall rules
- Compliance Coordinator: tracks policy approvals and version control; ensures documents are stored correctly
- Executive Management: provides resources; approves major remediation steps and budgets
Review Cadence
- Quarterly Internal Review: update the POA&M; review high-risk gaps and progress
- Annual Management Review: re-approve policies; confirm the SSP and POA&M reflect current reality
- External Assessment (C3PAO): planned once the environment meets the CMMC Level 2 baseline
Policy and SOP Index
This engagement required building an entire policy + SOP stack mapped to CMMC domains:
| Domain (CMMC) | Policy / SOP Examples |
|---|---|
| 3.1 - Access Control | AC-01, PA-01, AM-01, RA-01, WA-01, MD-01, MH-01 |
| 3.2 - Awareness and Training | SA-01, SA-01-SOP, SA-RACI |
| 3.3 - Audit and Accountability | AU-01, AU-01-SOP, AU-AUTH, log review templates |
| 3.4 - Configuration Management | CM-01, CM-01-SOP, CC-01, SHC-01, AW-01, ES-01 |
| 3.5 - Identification and Authentication | IA-01, IA-02, IA-MFA-SOP, IA-PASS-SOP, PA-01 |
| 3.6 - Incident Response | IR-01, IR-01-SOP, IR-REG, IR-TEST-SOP |
| 3.7 - Maintenance | MA-01, MA-REMOTE-SOP, MA-SUP-SOP, MA-SAN-SOP |
| 3.8 - Media Protection | MP-01, MP-ACCESS-SOP, MP-SAN-SOP, MP-USB-SOP |
| 3.9 - Personnel Security | PS-01, PS-VET-SOP, PS-TERM-SOP |
| 3.10 - Physical Protection | PE-01, PE-ACCESS-SOP, PE-LOG-SOP, PE-VIS-SOP |
| 3.11 - Risk Assessment | RA-01, RA-ASSESS-SOP, RA-RR-01, RA-VM-01 |
| 3.12 - Security Assessment | CA-01, CA-POAM-SOP, CA-MON-SOP, SSP-01 |
| 3.13 - System and Communications Protection | SC-01, SC-FW-POL, SC-SEG-SOP, SC-CRYPTO-POL |
| 3.14 - System and Information Integrity | SI-PATCH-POL, SI-MAL-POL, SI-TDR-POL |
Domain-by-Domain Analysis
The full document contains detailed analysis for all 14 CMMC domains. Below are representative examples (Domains 3.1, 3.5, 3.6, and 3.11) showing the assessment methodology, gap identification, remediation planning, and policy development approach used throughout the engagement.
Each domain analysis in the full document includes: (1) Key Gaps Identified, (2) Remediation / Planned Actions, and (3) Policy and Documentation Deliverables. This portfolio version shows (1) and (2) for each representative domain; the policy deliverables for every domain are listed in the Policy and SOP Index above.
Domain 3.1 - Access Control
Key Gaps Identified
- No formal Access Control Policy (AC-01) or privileged access policy.
- Users widely over-privileged (many in local Administrators groups, shared admin accounts).
- Encryption and removable media controls inconsistent (BitLocker not enforced).
- No documented account lockout, session lock, or auto-logoff standards.
- RDP exposed internally without a clear remote access policy.
- Wireless and mobile devices unmanaged (no MDM, WPA2-Personal, shared keys).
Remediation / Planned Actions
- Draft and implement AC-01, PA-01, AM-01 policies
- Remove shared/admin-by-default usage; implement least-privilege roles
- Enforce access controls via GPOs (session lock after at most 15 minutes of inactivity, logon banners, account lockout)
- Implement BitLocker and removable media controls (BitLocker To Go, GPO-based USB policies)
- Restrict RDP to the internal network only; require VPN for external access
- Begin rollout of MDM for laptops/phones and move Wi-Fi to WPA2/WPA3-Enterprise with RADIUS
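The GPO-enforced settings in the remediation list are only as good as the evidence that they actually landed on each endpoint. The following is an added example, not a script from the engagement's own deliverables, of a per-host spot-check that reads the effective values for the Domain 3.1 items above (local Administrators membership, account lockout, logon banner, inactivity lock, RDP listener state, OS-drive BitLocker) and writes a pass/fail row per NIST SP 800-171 requirement for the POA&M evidence folder. The 900-second lock limit and the 10-attempt lockout ceiling are assumed thresholds from this engagement's GPO baseline, not CMMC-mandated values, and the `-RdpApproved` switch is a hypothetical flag for hosts that are on the remote-access allow-list.

```powershell
# Added example: endpoint evidence check for Domain 3.1 GPO settings. Not part of the engagement's
# SOP stack. Run elevated on a Windows 10/11 host. Thresholds below are engagement assumptions.
#Requires -RunAsAdministrator
param([switch]$RdpApproved)   # assumed flag: host is on the approved remote-access list

function Get-SecurityPolicySettings {
    # secedit exports the effective local security policy as INI text. Unlike 'net accounts',
    # the key names do not change with the OS display language.
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $settings = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg -Force
    return $settings
}

function Test-AccessControlBaseline {
    param([int]$MaxLockSeconds = 900, [int]$MaxBadLogons = 10, [bool]$RdpAllowed = $false)
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $sec = Get-SecurityPolicySettings

    # Anything in local Administrators beyond the built-in account and Domain Admins is the
    # over-privileging called out in the gap list.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    $extra = @($admins | Where-Object { $_ -notmatch '\\(Administrator|Domain Admins)$' })

    # OS drive must be fully encrypted and protection must be on, not merely "encryption in progress".
    $os   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $blOk = ($os.ProtectionStatus -eq 'On') -and ($os.VolumeStatus -eq 'FullyEncrypted')

    $lock    = [int]($sys.InactivityTimeoutSecs)   # set by "Interactive logon: Machine inactivity limit"
    $lockout = [int]$sec['LockoutBadCount']        # 0 means no lockout threshold
    $rdpOff  = ($ts.fDenyTSConnections -eq 1)

    @(
        [pscustomobject]@{ Control='3.1.5';  Check='No unexpected local Administrators';   Pass=($extra.Count -eq 0);                              Evidence=($extra -join ', ') }
        [pscustomobject]@{ Control='3.1.8';  Check="Lockout threshold 1..$MaxBadLogons";    Pass=($lockout -ge 1 -and $lockout -le $MaxBadLogons);  Evidence="LockoutBadCount=$lockout" }
        [pscustomobject]@{ Control='3.1.9';  Check='Logon banner configured';              Pass=(-not [string]::IsNullOrWhiteSpace($sys.legalnoticetext)); Evidence="caption='$($sys.legalnoticecaption)'" }
        [pscustomobject]@{ Control='3.1.10'; Check="Inactivity lock within $MaxLockSeconds s"; Pass=($lock -ge 1 -and $lock -le $MaxLockSeconds);   Evidence="InactivityTimeoutSecs=$lock" }
        [pscustomobject]@{ Control='3.1.12'; Check='RDP off unless host is approved';     Pass=($rdpOff -or $RdpAllowed);                          Evidence="fDenyTSConnections=$($ts.fDenyTSConnections)" }
        [pscustomobject]@{ Control='3.1.19'; Check='OS drive BitLocker protected';         Pass=$blOk;                                              Evidence="$($os.VolumeStatus)/$($os.ProtectionStatus)" }
    )
}

# Usage: one CSV per host, named so it files cleanly under the matching POA&M item.
$report = Test-AccessControlBaseline -RdpAllowed:$RdpApproved
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path (Join-Path $PWD "$env:COMPUTERNAME-ac-baseline.csv")
```

Run it from the same elevated session used for the GPO rollout (`gpupdate /force` first, so the result reflects the new policy rather than the cached one), and keep the CSV alongside the GPO export so an assessor can tie the configured value to the observed value on a sampled host.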
Domain 3.5 - Identification and Authentication
Key Gaps Identified
- AD user accounts existed, but some shared and service accounts were in use
- MFA not enforced for either remote access or privileged accounts
- No documentation of replay-resistant authentication, password complexity, or temporary password handling
- Inactive accounts remained enabled beyond acceptable timeframes
Remediation / Planned Actions
- Update the IA-01 Account Management Policy and create supporting SOPs
- Enforce MFA for all user logons, with priority on remote access (VPN), administrative accounts, and management portals
- Create dedicated admin accounts separate from users' day-to-day identities
- Harden the domain password policy (minimum length 12, complexity requirements, password history, and account lockout)
- Implement automated inactive-account disablement and regular account reviews
- Document cryptographic and Kerberos/NTLM hardening in SOPs
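Three of the Domain 3.5 actions above (password policy, dedicated admin identities, inactive-account disablement) can be checked and, for the last one, enforced directly against Active Directory. The following is an added example, not one of the engagement's SOPs, using the RSAT ActiveDirectory module. It assumes the naming convention that dedicated admin identities end in `-adm`, a 90-day inactivity window, and the 12-character minimum from the remediation list; the `-adm` suffix and the 90 days are engagement assumptions, not CMMC requirements. It is report-only unless `-Disable` is passed, and honours `-WhatIf`.

```powershell
# Added example: Domain 3.5 account-hygiene checks against AD. Not the engagement's own SOP code.
# Assumptions: RSAT ActiveDirectory module present; admin identities named '*-adm'; 90-day window.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [string]$AdminSuffix = '-adm',
    [switch]$Disable        # actually disable stale accounts; default is report-only
)
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    # 3.5.7 complexity, 3.5.8 reuse, 3.1.8 lockout; minimum length 12 is this engagement's baseline.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinLengthOk  = ($p.MinPasswordLength -ge 12)
        ComplexityOk = $p.ComplexityEnabled
        HistoryOk    = ($p.PasswordHistoryCount -gt 0)
        LockoutOk    = ($p.LockoutThreshold -gt 0)
    }
}

function Get-StaleEnabledAccounts {
    param([int]$Days)
    # 3.5.6: disable identifiers after a defined period of inactivity. Search-ADAccount relies on
    # lastLogonTimestamp, which replicates lazily (up to ~14 days behind), so $Days is a floor.
    # Accounts created inside the window are skipped so brand-new, never-used users are not hit.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties LastLogonDate, whenCreated |
        Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$Days) }
}

function Get-NonDedicatedPrivilegedAccounts {
    param([string]$Suffix)
    # 3.1.6: privileged roles should be held by dedicated admin identities, not daily-driver users.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notlike "*$Suffix" } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
    }
}

$policy = Test-DomainPasswordPolicy
$stale  = @(Get-StaleEnabledAccounts -Days $InactiveDays)
$shared = @(Get-NonDedicatedPrivilegedAccounts -Suffix $AdminSuffix)

'Domain password policy:'; $policy | Format-List
"Privileged group members not following the '$AdminSuffix' convention: $($shared.Count)"; $shared | Format-Table -AutoSize
"Enabled accounts inactive for $InactiveDays+ days: $($stale.Count)"

if ($Disable) {
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon $($u.LastLogonDate))")) {
            Disable-ADAccount -Identity $u
            # Leave the reason on the object so the quarterly review can explain the change.
            Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format s): inactive $InactiveDays+ days (3.5.6)"
        }
    }
}
```

The first run should always be `.\Check-Accounts.ps1 -Disable -WhatIf`: service accounts that authenticate without updating `lastLogonTimestamp` will appear in the stale list and need to be excluded (by OU or group) before the scheduled, non-interactive run is turned on.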
Domain 3.6 - Incident Response
Key Gaps Identified
- Tools existed (Huntress, Axcient), but no formal Incident Response Plan (IR-01)
- No incident classification, severity levels, or escalation paths
- No centralized incident register
- No tabletop exercises or IR testing evidence
Remediation / Planned Actions
- Build an Incident Response Program aligned to the NIST SP 800-61 lifecycle (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity)
- Create the IR-01 Incident Response Policy and IR-01-SOP
- Stand up an Incident Tracking Register (IR-REG) integrated with ticketing
- Define and document a severity model, SLAs, and a communications plan
- Run at least one tabletop exercise and one simulated incident annually
Domain 3.11 - Risk Assessment
Key Gaps Identified
- No formal risk assessment process or risk register
- Vulnerability management was ad hoc (tool alerts only, no policy or schedule)
- No remediation tracking or prioritization
Remediation / Planned Actions
- Create the RA-01 Risk Management Policy and RA-ASSESS-SOP
- Stand up a Risk Register (RA-RR-01) with impact/likelihood ratings
- Build a Vulnerability Management Policy (RA-VM-01) and schedule internal and external scans
- Implement a remediation tracking and validation workflow
Additional Domains Covered
The full SOP&M/POA&M document includes the same level of detailed analysis for the remaining CMMC domains:
- Domain 3.2 (Awareness and Training): developed the SA-01 policy, training program structure, LMS tracking, insider threat awareness, and role-based training content for end users, admins, and managers.
- Domain 3.3 (Audit and Accountability): created the AU-01 policy, standardized log sources and retention (at least 90 days), configured NTP synchronization, implemented log integrity controls and a review cadence.
- Domain 3.4 (Configuration Management): built the CM-01 and CC-01 policies, defined baseline configurations, disabled legacy protocols and components (NetBIOS over TCP/IP, LLMNR, the PowerShell 2.0 engine), implemented AppLocker/WDAC application control.
- Domain 3.7 (Maintenance): implemented the MA-01 policy, restricted maintenance tool access via RBAC, required media sanitization before off-site repair, enforced MFA for remote maintenance sessions.
- Domain 3.8 (Media Protection): deployed full-disk encryption (BitLocker), removable media controls, CUI marking standards, media sanitization procedures (NIST SP 800-88), chain-of-custody logging.
- Domain 3.9 (Personnel Security): defined the PS-01 policy, pre-employment screening requirements, an HR/IT integrated offboarding workflow, and quarterly inactive account reviews.
- Domain 3.10 (Physical Protection): deployed physical access controls (locks, keycards, cameras), visitor management and escort procedures, key/access device tracking, and a remote-work CUI handling policy.
- Domain 3.12 (Security Assessment): published the CA-01 policy, implemented the POA&M tracking process, designed the complete SSP-01 System Security Plan, established continuous monitoring SOPs.
- Domain 3.13 (System and Communications Protection): created the SC-01 network security policy, documented network segmentation and firewall baselines, implemented DLP controls, cryptographic and key management policies (FIPS-validated modules), and remote collaboration controls.
- Domain 3.14 (System and Information Integrity): developed patch management and malware protection policies with SLAs, threat detection and response procedures, alert handling SOPs, and system use monitoring policies.
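The Domain 3.3 and 3.4 items above (legacy protocol removal, Security log sizing) are the kind of change an assessor wants to see both applied and evidenced. The following is an added example, not a script from the engagement, that reports the current state of LLMNR, NetBIOS over TCP/IP, the PowerShell 2.0 engine, and the Security event log on a host, applies the hardening when `-Apply` is given, and writes a before/after JSON snapshot for the evidence folder. The 1 GB Security log size is an assumption: it is a local buffer so events survive until the central collector ingests them, and the 90-day retention figure from the engagement is met by the collector, not by this setting.

```powershell
# Added example: apply and evidence the Domain 3.4 legacy-protocol hardening and the Domain 3.3
# Security log sizing. Not the engagement's own SOP code. Run elevated; 1 GB log size is assumed.
#Requires -RunAsAdministrator
param([switch]$Apply)   # default: report current state only

function Get-LegacyProtocolState {
    $dns = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    # NetbiosOptions per interface: 0 = use DHCP setting, 1 = enabled, 2 = disabled. Missing counts as not disabled.
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions }
    $ps2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $sec = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        LlmnrDisabled      = ($dns.EnableMulticast -eq 0)
        NetbiosAllDisabled = (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
        PowerShellV2Absent = ($null -eq $ps2 -or $ps2.State -ne 'Enabled')
        SecurityLogMaxMB   = [math]::Round($sec.MaximumSizeInBytes / 1MB)
    }
}

function Set-LegacyProtocolHardening {
    param([int]$SecurityLogMB = 1024)
    # LLMNR off: removes the multicast name-resolution fallback that poisoning tools rely on.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableMulticast -Type DWord -Value 0
    # NetBIOS over TCP/IP off on every interface, including ones added after the GPO was written.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2 }
    # PowerShell 2.0 engine removed: it predates script block logging and AMSI, so it is a logging blind spot.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    # Security log sized so events are not overwritten before the collector pulls them (AU-01).
    $bytes = $SecurityLogMB * 1MB
    wevtutil sl Security "/ms:$bytes"
}

$before = Get-LegacyProtocolState
$after  = $null
if ($Apply) {
    Set-LegacyProtocolHardening
    $after = Get-LegacyProtocolState
}

# Evidence artefact: host, timestamp, and the before/after states, one file per host.
[pscustomobject]@{
    Host   = $env:COMPUTERNAME
    When   = (Get-Date -Format s)
    Before = $before
    After  = $after
} | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:COMPUTERNAME-legacy-protocols.json"
$before | Format-List
```

Because the registry and feature changes are idempotent, the same script can be re-run from the quarterly review to confirm nothing has drifted; a host whose `After` block shows `NetbiosAllDisabled: false` after `-Apply` usually means a new adapter (VPN client, virtual switch) was added and needs the setting too.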
Continuous Improvement and Next Steps
For this client, the SOP&M/POA&M became:
- The central roadmap for CMMC Level 2 remediation, and
- The living companion to the SSP.
Key Next Steps in the Real Engagement
- Quarterly POA&M Reviews: update remediation status; add new findings from scans and assessments
- Annual Management Review: re-validate policies, SSP, and evidence; adjust priorities based on business and threat changes
- Evidence Retention and Audit Readiness: maintain policies, screenshots, exports, and logs; keep a clean mapping from each CMMC practice to its policy, technical control, and evidence
Document Scope & Portfolio Presentation
Full Document Scope:
- 72+ pages of detailed control-by-control assessment
- Coverage of all 14 CMMC domains (3.1 through 3.14)
- Complete gap analysis, remediation roadmaps, and policy deliverables for each domain
- Control-by-control mapping to NIST SP 800-171 Rev 2 requirements
- Milestone tracking, ownership assignments, and evidence collection guidance
This Portfolio Version:
- Sanitized and condensed for public presentation (no client names, IP addresses, internal identifiers)
- Shows representative domain examples in full detail (Domains 3.1, 3.5, 3.6, 3.11)
- Summarizes remaining domains to demonstrate comprehensive coverage
- No screenshots or raw exports from the environment
- Focus is on demonstrating:
- My role in designing the compliance program
- The methodology and structure of POA&M/SSP development
- How I turn ad-hoc IT operations into a structured, evidence-driven compliance program
Full documentation available upon request. The complete internal SOP&M/POA&M includes granular control-by-control tables, detailed technical implementation steps, GPO configurations, evidence collection procedures, and live POA&M tracking templates.
Skills Demonstrated
- Rapid Assessment & Delivery β Completed solo 14-domain, 110-control CMMC assessment with evidence capture and 72-page deliverable in 4 days under tight deadline
- GRC & Compliance β CMMC Level 2, NIST SP 800-171 Rev 2 framework implementation
- Gap Analysis β Control-by-control assessment across 14 CMMC domains
- Policy Development β Design and implementation of comprehensive policy + SOP stack
- Executive Communication β Authored leadership next-steps memo distilling complex findings into actionable priorities
- Program Management β POA&M tracking, governance structure, review cadence
- Technical Implementation β GPO configuration, MFA deployment, BitLocker, MDM, RADIUS/Wi-Fi hardening
- Documentation β SSP, POA&M, policy templates, SOPs, and audit-ready evidence collection
- Risk Management β Risk register creation, vulnerability management program design