CA 5 PLAN OF ACTION AND MILESTONES - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
• b. Update existing plan of action and milestones [ Assignment: organization-defined frequency ] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

Discussion: Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

Related Controls: CA-2, CA-7, PM-4, PM-9, RA-7, SI-2, SI-12.

Control Enhancements:

• (1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY
  Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [ Assignment: organization-defined automated mechanisms ].

  Discussion: Using automated tools helps maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing help to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are directed at the most critical system vulnerabilities in a timely manner.

  Related Controls: None.

References: [OMB A-130], [SP 800-37].