3.12.2—Security Assessment - Basic
>Control Description
>Discussion
The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.
Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern developing and implementing remediation plans?
- •What procedures define corrective action for assessment findings?
- •Who approves and monitors plan of action milestones (POA&Ms)?
- •How often are POA&Ms reviewed and updated?
- •What governance ensures remediation plans are executed?
Technical Implementation:
- •What systems track POA&Ms and remediation status?
- •How do you prioritize remediation activities?
- •What project management tools support remediation plans?
- •How do you validate remediation actions are effective?
- •What automated tracking reports on POA&M progress?
Evidence & Documentation:
- •Can you provide current plans of action and milestones?
- •What documentation shows remediation plan approvals?
- •Can you demonstrate remediation progress tracking?
- •What evidence shows completed remediation actions?
- •What audit reports verify POA&M management compliance?
Ask AI
Configure your API key to use AI features.