Level 2


The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.  Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-7 including templates for plans of action.

Priority: Low


Category: Documentation 

Services Associated with AWS:   

  • AWS Config, AWS Security Hub, AWS Identity and Access Management (IAM)

Services Associated with Azure:

  • Azure Policy 
  • Azure Key Vault  
  • Plan of Action and Milestones (POA&M) documentation 
  • Azure Active Directory (Azure AD) 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative:  documented Plan of Action & Milestones (POA&M) 

Possible Technology Considerations : 

  • Risk Management Program (RMP)
  • Risk Assessment Solution
  • Risk Register / POA&M Solution 

What needs to be answered :  

Is there an action plan to remediate identified weaknesses or deficiencies? Is the action plan maintained as remediation is performed? Does the action plan designate remediation dates and milestones for each item? Are deficiencies and weaknesses identified in security requirements assessments added to the action plan within a specified timeframe (30 days) of the findings being reported? 

Checks for AWS 

  • Development of Plans of Action for Security Deficiencies
    Description: This check ensures that plans of action are developed to address unimplemented security requirements and to describe how any planned mitigations will be implemented. The aim is to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
  • Implementation of Plans of Action
    Description: This check verifies that the developed plans of action are being effectively implemented. The objective is to ensure that the devised strategies are operational, and the mitigation measures are being adopted.
  • System Security Plan and Plan of Action Documentation
    Description: This check confirms that the system security plan and plan of action are documented properly, either as separate or combined documents, in any chosen format. The documentation should be thorough and provide critical inputs for risk management decisions.

Checks for Azure 

  • Documentation of Security Requirements
  • Description: This policy ensures that documented policies, standards, and procedures are in place to address security requirements for the Azure environment. It verifies the existence of written documentation that outlines the security controls and best practices to be followed by IT staff and other stakeholders.
  • Documented Plan of Action & Milestones (POA&M)
  • Description: This policy verifies the existence of a documented Plan of Action & Milestones (POA&M) for the Azure environment. The POA&M should describe how any identified weaknesses or deficiencies will be remediated, and it should designate remediation dates and milestones for each item.
  • Risk Management Program (RMP)
  • Description: This policy checks for the implementation of a Risk Management Program (RMP) within the organization. The RMP should outline the process of identifying, assessing, and managing risks related to the Azure environment.
  • Risk Assessment Solution
  • Description: This policy ensures that a Risk Assessment Solution is in place to assess and analyze potential risks to the Azure environment. The solution may involve automated risk assessment tools or manual evaluation processes.
  • Risk Register / POA&M Solution
  • Description: This policy checks for the presence of a Risk Register or a solution that incorporates the Plan of Action & Milestones (POA&M) for the Azure environment. The risk register should track identified risks and their associated remediation actions.

More Details:   

Disaster recovery and risk mitigation plans in place and implemented by IT support staff.