CA-05-727 Plan of Action and Milestones

Control family: Security Assessment and Authorization
Baseline impact levels: LOW, MOD, HIGH
Priority: P3
Yes
August 24, 2016

The information resource owner shall develop a plan of action and milestones for any information resources identified during a security assessment or continuous monitoring as having security deficiencies. The plan of action shall outline the steps the information resource owner or custodian will undertake to remediate the deficiencies, compensating controls that will be implemented to mitigate the risk in the interim, and any proposed security control exceptions that will be requested as part of the mitigation. The plan of action shall be submitted to the chief information security officer within 30 days following receipt of a security assessment report, and approved by the chief information security officer within 30 days thereafter. Status updates to the plan of action and milestones shall be submitted to the chief information security officer every 30 days after approval is received until all deficiencies are remediated.

Identified risks are not accepted, mitigated or responded to with actionable plans and decisions.
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates the existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
An organization tracks and reports on control deficiencies through a defined plan of action and milestone document.
The state organization develops and updates a plan of action and milestones for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
Obtain the certification and accreditation policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; and other relevant documents or records, and ascertain whether:
(i) the organization develops a plan of action and milestones for the information system;
(ii) the plan of action and milestones documents the planned, implemented, and evaluated remedial actions by the organization to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system;
(iii) the organization defines in the security plan, explicitly or by reference, the frequency of plan of action and milestones updates; and
(iv) the organization updates the plan of action and milestones at the organization-defined frequency.