CA.L2-3.12.2—Plan of Action
Level 2
800-171: 3.12.2
Control Description
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy and process for developing plans of action and milestones?
- How do you prioritize and track remediation of identified deficiencies?
- Who is responsible for maintaining and monitoring POA&Ms?
- What is your governance process for approving and closing POA&M items?
- How often do you review and update active POA&Ms?
Technical Implementation:
- What tools do you use to track POA&Ms (GRC tools, ticketing systems)?
- How do you technically link POA&Ms to specific findings?
- What systems track POA&M status and milestones?
- How do you generate POA&M status reports?
- What tools verify that remediation actions have been completed?
Evidence & Documentation:
- What system security plans (SSPs) document security controls?
- What assessment reports demonstrate control testing?
- What POA&M documents track remediation of deficiencies?
- What continuous monitoring reports show ongoing control effectiveness?
- What assessment procedures and test plans can you provide?
- What evidence shows assessments are conducted by qualified personnel?