Enterprise Security Policy, Standards and Guidelines
NOT SELECTED
P1
Yes
February 15, 2018
The chief information security officer includes a plan of action and milestones into the annual information security program plan that is approved by the agency director. Any vulnerabilities identified on an information resource require a plan of action and milestones to be submitted to and approved by the chief information security officer within 30 days following the discovery of an unremediated vulnerability.
Performance monitoring, assessment and reporting are not performed appropriately, with the result that remedial actions are not identified or initiated.
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization reports, documents and updates a risk analysis and plans for corrective actions.
The state organization develops and updates a plan of action and milestones process for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
Obtain information security program policy; plan of action and milestones policy; procedures addressing plan of action and milestones process; plan of action and milestones for the security program; plan of action and milestones for organizational information systems; other relevant documents or records and ascertain if:
(i) the organization implements a process to maintain plans of action and milestones for the security program and the associated organizational information systems; and
(ii) the organization implements a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.