CA-05 Plan Of Action And Milestones

    Control: The organization develops and updates [Assignment: organization-defined frequency], a plan of action and milestones for the information system that documents the organization’s planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.

    Supplemental Guidance: The plan of action and milestones is a key document in the security accreditation package developed for the authorizing official and is subject to federal reporting requirements established by OMB. The plan of action and milestones updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. NIST Special Publication 800-37 provides guidance on the security certification and accreditation of information systems. NIST Special Publication 800-30 provides guidance on risk mitigation.

    Control Enhancements: (0) None.

    Baseline: LOW: CA-5; MOD: CA-5; HIGH: CA-5

    Family: Certification, Accreditation, And Security Assessments

    Class: Management

    ISO 17799 mapping: 15.2.1

    COBIT 4.1 mapping: ME2.7

    PCI-DSS v2 mapping: None.