CA-05-727 Plan of Action and Milestones

Plan of Action and Milestones

Control ID

CA-05-727

Control Name

Plan of Action and Milestones

Control Category

Security Assessment and Authorization

Functional Areas

Sub-Areas

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

August 24, 2016

Agency Implementation

The information resource owner shall develop a plan of action and milestones for any information resources identified during a security assessment or continuous monitoring as having security deficiencies. The plan of action shall outline the steps the information resource owner or custodian will undertake to remediate the deficiencies, compensating controls that will be implemented to mitigate the risk in the interim, and any proposed security control exceptions that will be requested as part of the mitigation. The plan of action shall be submitted to the chief information security officer within 30 days following receipt of a security assessment report, and approved by the chief information security officer within 30 days thereafter. Status updates to the plan of action and milestones shall be submitted to the chief information security officer every 30 days after approval is received until all deficiencies are remediated.

Risk Statement

Identified risks are not accepted, mitigated or responded to with actionable plans and decisions.

Control Description

The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

Control Example

An organization tracks and reports on control deficiencies through a defined plan of action and milestone document.

State Implementation

The state organization develops and updates, a plan of action and milestones for the information system that documents the organization’s planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.

Testing Procedures

Obtain certification and accreditation policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; other relevant documents or records and ascertain if : (I)the organization develops a plan of action and milestones for the information system. (ii)the plan of action and milestones documents the planned, implemented, and evaluated remedial actions by the organization to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. (iii)the organization defines in the security plan, explicitly or by reference, the frequency of plan of action and milestone updates. (iv)the organization updates the plan of action and milestones at an organization-defined frequency.