Back to Control Explorer



Control Acronym



Security Assessment

CMMC Level


800-171 Control #


CMMC Description

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

CMMC Clarification

When you write a plan of action, you should define the clear goal or objective of the plan. You may include the following in the action plan: * ownership of who is accountable for ensuring the plan’s performance * specific steps or milestones that are clear and actionable * assigned responsibility for each step or milestone * milestones to measure plan progress * completion dates. Note that receiving Cybersecurity Maturity Model Certification requires all practices and processes to be implemented at the time of assessment. Any security requirements that were part of a plan of action must be closed/met in order to be granted the CMMC assessment. Example 1 You are in charge of IT operations in your organization. Your job is to develop action plans when you discover that your company isn’t meeting security requirements. One of your sources of information is the output of vulnerability scans on your network. When you receive notification of a vulnerability that needs fixing, you develop a plan to fix it. Your plan identifies the person responsible for fixing it, how to do it, and when to do it. You will also define how to measure that the person responsible has fixed the vulnerability. You document this in a plan of action. Example 2 A company that is CMMC L1 compliant seeks L3 compliance. The IT department tracks the implementation of the additional security requirements needed for L3 in an action plan and realizes that it will be more than 6 months before CMMC L3 requirements can be met. Company officials refer to the action plan that indicates that CMMC L2 requirements are currently met and decide to pursue CMMC L2 compliance instead of L3 and seek L3 certification next year.

800-171 Description

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

800-171 Discussion

The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CA-5

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.12.2

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

CA.2.159.[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;

Assessment Sub-Criteria 2

CA.2.159.[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and

Assessment Sub-Criteria 3

CA.2.159.[c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15