CA.L2-3.12.2  

Reference: CMMC 2.11

Family: CA

Level Introduced: 2

Title: Plan of Action

Practice:
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

CMMC Clarification:
When you write a plan of action, you should define the clear goal or objective of the plan. You may include the following in the action plan:
• ownership of who is accountable for ensuring the plan's performance;
• specific steps or milestones that are clear and actionable;
• assigned responsibility for each step or milestone;
• milestones to measure plan progress; and
• completion dates.
Note that receiving Cybersecurity Maturity Model Certification requires all practices and processes to be implemented at the time of assessment. Any security requirements that were part of a plan of action must be closed/met in order to be granted the CMMC assessment.

Example 1
You are in charge of IT operations in your organization. Your job is to develop action plans when you discover that your company isn't meeting security requirements. One of your sources of information is the output of vulnerability scans on your network. When you receive notification of a vulnerability that needs fixing, you develop a plan to fix it. Your plan identifies the person responsible for fixing it, how to do it, and when to do it. You will also define how to measure that the person responsible has fixed the vulnerability. You document this in a plan of action.

Example 2
A company that is CMMC L1 compliant seeks L3 compliance. The IT department tracks the implementation of the additional security requirements needed for L3 in an action plan and realizes that it will be more than 6 months before CMMC L3 requirements can be met. Company officials refer to the action plan that indicates that CMMC L2 requirements are currently met and decide to pursue CMMC L2 compliance instead of L3 and seek L3 certification next year.

Source: CMMC v2.0