The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.  Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-7 including templates for plans of action. 

Priority: Low

Category: Documentation 

Services Associated with AWS:

  • AWS Config, AWS Security Hub, AWS Identity and Access Management (IAM)

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: documented Plan of Action & Milestones (POA&M)

Possible Technology Considerations:

  • Risk Management Program (RMP)
  • Risk Assessment Solution
  • Risk Register / POA&M Solution

What needs to be answered:

Is there an action plan to remediate identified weaknesses or deficiencies? Is the action plan maintained as remediation is performed? Does the action plan designate remediation dates and milestones for each item? Are deficiencies and weaknesses identified in security requirements assessments added to the action plan within a specified timeframe (30 days) of the findings being reported? 

  • Development of Plans of Action for Security Deficiencies
    Description: This check ensures that plans of action are developed to address unimplemented security requirements and to describe how any planned mitigations will be implemented. The aim is to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
  • Implementation of Plans of Action
    Description: This check verifies that the developed plans of action are being effectively implemented. The objective is to ensure that the devised strategies are operational, and the mitigation measures are being adopted.
  • System Security Plan and Plan of Action Documentation
    Description: This check confirms that the system security plan and plan of action are documented properly, either as separate or combined documents, in any chosen format. The documentation should be thorough and provide critical inputs for risk management decisions.
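The four questions above and the three checks that follow them can be applied mechanically to a POA&M register: every reported finding should appear on the plan within the 30-day window, every open item should carry a scheduled completion date and milestones, and the plan should be maintained as remediation proceeds. The script below is an added example written for this page, not code from the original or from NIST or AWS; the record fields, the sample findings and the sample POA&M rows are constructed for illustration, and only the 30-day timeframe comes from the text.

```python
"""Added example (not from the page): a POA&M consistency checker.

Given assessment findings and the Plan of Action & Milestones (POA&M)
register, report which of the page's questions fail. The 30-day window is
the timeframe the page names; the dataclass fields and the sample rows are
constructed for this example and are not a Security Hub schema or any
organization's real data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

ADD_TO_PLAN_WINDOW = timedelta(days=30)   # timeframe stated on the page


@dataclass
class Finding:
    finding_id: str
    requirement: str           # SP 800-171 requirement the finding maps to
    reported: date             # date the assessment reported it


@dataclass
class Milestone:
    description: str
    due: date
    completed: Optional[date] = None


@dataclass
class PoamItem:
    finding_id: str
    weakness: str
    added: date                               # date entered on the plan
    scheduled_completion: Optional[date]
    milestones: List[Milestone] = field(default_factory=list)
    status: str = "open"                      # "open" or "closed"
    closed_on: Optional[date] = None


def check_poam(findings: List[Finding], poam: List[PoamItem],
               today: date) -> Dict[str, List[str]]:
    """Map each issue category to the sorted finding ids that trigger it."""
    issues: Dict[str, List[str]] = {
        "not_on_plan": [],          # reported >30 days ago, still not tracked
        "pending_entry": [],        # not tracked yet, but still inside the window
        "added_late": [],           # tracked, but entered >30 days after the report
        "missing_schedule": [],     # open item with no scheduled completion date
        "missing_milestones": [],   # open item with no milestones at all
        "milestone_overdue": [],    # open item with an incomplete milestone past due
        "closed_without_date": [],  # closed, but no closure date recorded
    }
    by_finding = {item.finding_id: item for item in poam}

    for f in findings:
        item = by_finding.get(f.finding_id)
        if item is None:
            late = today - f.reported > ADD_TO_PLAN_WINDOW
            issues["not_on_plan" if late else "pending_entry"].append(f.finding_id)
        elif item.added - f.reported > ADD_TO_PLAN_WINDOW:
            issues["added_late"].append(f.finding_id)

    for item in poam:
        if item.status == "closed":
            if item.closed_on is None:
                issues["closed_without_date"].append(item.finding_id)
            continue
        if item.scheduled_completion is None:
            issues["missing_schedule"].append(item.finding_id)
        if not item.milestones:
            issues["missing_milestones"].append(item.finding_id)
        elif any(m.completed is None and m.due < today for m in item.milestones):
            issues["milestone_overdue"].append(item.finding_id)

    return {k: sorted(v) for k, v in issues.items()}


# Constructed sample data (not real findings or a real register).
SAMPLE_FINDINGS = [
    Finding("F-001", "3.1.1", date(2024, 1, 10)),
    Finding("F-002", "3.5.3", date(2024, 1, 10)),
    Finding("F-003", "3.13.8", date(2024, 2, 1)),
    Finding("F-004", "3.14.1", date(2024, 3, 20)),
]
SAMPLE_POAM = [
    PoamItem("F-001", "MFA not enforced for privileged accounts",
             added=date(2024, 1, 20), scheduled_completion=date(2024, 6, 30),
             milestones=[Milestone("Enable MFA on break-glass accounts",
                                   date(2024, 2, 15), completed=date(2024, 2, 10)),
                         Milestone("Enforce MFA for all admins", date(2024, 3, 1))]),
    PoamItem("F-002", "Weak password policy on legacy app",
             added=date(2024, 3, 1), scheduled_completion=None),
    PoamItem("F-005", "Unencrypted backup bucket",
             added=date(2023, 11, 1), scheduled_completion=date(2024, 1, 31),
             status="closed"),
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for category, ids in check_poam(SAMPLE_FINDINGS, SAMPLE_POAM, TODAY).items():
        if ids:
            print(f"{category}: {', '.join(ids)}")
```

Run against the sample data, the checker separates a finding that is merely inside the 30-day entry window (F-004) from one whose window has lapsed (F-003), which is the distinction an assessor makes when judging whether the plan is being maintained rather than just written once.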

More Details:

Disaster recovery and risk mitigation plans are in place and are implemented by IT support staff.