The APCO (Approved Products Certification Office), which governs the Department of Defense Information Network Approved Products List (DoDIN APL), has taken action to suggest stronger enforcement of regulations regarding how companies address their open Plan of Action and Milestones (POA&Ms) within the APL listing process.
As directed under the Cybersecurity POA&M Rules of Engagement within the Unified Capabilities Requirements (UCR), companies must follow strict and specific guidance on creating, addressing, and solving open POA&Ms, or they could face, among other actions, removal from the APL.
In recent weeks, the APCO began to actively reach out to those companies coming up on their expiration date, notifying them of approaching deadlines; if missed, these past due actions could result in costly set backs and delays in listing.
Remaining On The APL:
If one of the three options is met prior to the expiration date, the POA&M will be closed out and the product will remain on the APL:
- Verification from government or military personnel responsible for overseeing the installation of the solution with the approved POA&M closed (preferred).
- Desktop Review of the fix to the solution by the test centers resulting in no additional testing.
- Desktop Review of the fix resulting in required V&V testing necessary to update the solution’s certification.
Failure To Address Open POA&Ms:
If none of the options to close the POA&Ms have been met by the expiration date, the following will be applied at IE (Infrastructure Directorate) leadership’s discretion:
- The Vendor either does not respond or responds negatively to the POA&M notification – This results in product removal from the APL.
- The Vendor responds that the POA&M conditions have been met but is currently in process to identify the best option to satisfactorily prove the closure to IE – This results in the product remaining on the APL with the expectation of an expeditious resolution (Timeline to be granted at IE leadership discretion).
- The Vendor responds that the fix is still in progress and requests additional time for the POA&M – This results in possible removal from the APL, based on IE leadership decision.
Still Have Questions:
If you are unsure as to the status of your POA&Ms, how the enforcement of this policy may affect your listing, or need additional assistance meeting your expiration timeline, Contact Corsec and we can help you get back on track and selling into the DoD.
You can always check us out on Social Media or Subscribe to our emails to get recent updates on certifications, industry news, and changes to the Federal landscape: