Back to Control Explorer
CA.2.159
Content
Control Acronym
CA
Family
Security Assessment
CMMC Level
2
800-171 Control #
3.12.2
CMMC Description
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
CMMC Clarification
When you write a plan of action, you should define the clear goal or objective of the plan. You may include the following in the action plan: * ownership of who is accountable for ensuring the plan’s performance * specific steps or milestones that are clear and actionable * assigned responsibility for each step or milestone * milestones to measure plan progress * completion dates. Note that receiving Cybersecurity Maturity Model Certification requires all practices and processes to be implemented at the time of assessment. Any security requirements that were part of a plan of action must be closed/met in order to be granted the CMMC assessment. Example 1 You are in charge of IT operations in your organization. Your job is to develop action plans when you discover that your company isn’t meeting security requirements. One of your sources of information is the output of vulnerability scans on your network. When you receive notification of a vulnerability that needs fixing, you develop a plan to fix it. Your plan identifies the person responsible for fixing it, how to do it, and when to do it. You will also define how to measure that the person responsible has fixed the vulnerability. You document this in a plan of action. Example 2 A company that is CMMC L1 compliant seeks L3 compliance. The IT department tracks the implementation of the additional security requirements needed for L3 in an action plan and realizes that it will be more than 6 months before CMMC L3 requirements can be met. Company officials refer to the action plan that indicates that CMMC L2 requirements are currently met and decide to pursue CMMC L2 compliance instead of L3 and seek L3 certification next year.
800-171 Description
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
800-171 Discussion
The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action.
Other Source Discussion
N/A
CIS Control References
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 CA-5
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.12.2
Applicable FAR Clause
NIST CSF Control Reference
CERT RMM Reference
CERT RMM v1.2 RISK:SG5.SP1
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
CA.2.159.[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
Assessment Sub-Criteria 2
CA.2.159.[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
Assessment Sub-Criteria 3
CA.2.159.[c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.