03.12.02: Plan of Action and Milestones

Control Family: Security Assessment and Monitoring

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-37 [59]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.12.02

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • CA-05

a. Develop a plan of action and milestones for the system:

1. To document the planned remediation actions to correct weaknesses or deficiencies noted during security assessments and

2. To reduce or eliminate known system vulnerabilities.

b. Update the existing plan of action and milestones based on the findings from:

1. Security assessments,

2. Audits or reviews, and

3. Continuous monitoring activities.

Discussion:

Plans of action and milestones (POAMs) are important documents in organizational security programs. Organizations use POAMs to describe how unsatisfied security requirements will be met and how planned mitigations will be implemented. Organizations can document system security plans and POAMs as separate or combined documents in any format. Federal agencies may consider system security plans and POAMs as inputs to risk-based decisions on whether to process, store, or transmit CUI on a system hosted by a nonfederal organization.

Assessment Methods and Objectives

Examine [SELECT FROM: security assessment and monitoring policy and procedures; procedures for plans of action and milestones; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with plans of action and milestones development and implementation responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: mechanisms for developing, implementing, and maintaining plans of action and milestones]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.12.02.a.01: a plan of action and milestones for the system is developed to document the planned remediation actions for correcting weaknesses or deficiencies noted during security assessments.

A.03.12.02.a.02: a plan of action and milestones for the system is developed to reduce or eliminate known system vulnerabilities.

A.03.12.02.b.01: the existing plan of action and milestones is updated based on the findings from security assessments.

A.03.12.02.b.02: the existing plan of action and milestones is updated based on the findings from audits or reviews.

A.03.12.02.b.03: the existing plan of action and milestones is updated based on the findings from continuous monitoring activities.