CMMC v2.11 Practices

CA.L2-3.12.2

Reference: CMMC v2.11

Family: CA

Level Introduced: 2

Title: Plan of Action

Practice:
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Further Discussion:
When you write a plan of action, define the clear goal or objective of the plan. You may include the following in the action plan:
• ownership of who is accountable for ensuring the plan’s performance;
• specific steps or milestones that are clear and actionable;
• assigned responsibility for each step or milestone;
• milestones to measure plan progress; and
• completion dates.

This requirement, CA.L2-3.12.2, which calls for developing and implementing plans of action to correct deficiencies and reduce vulnerabilities in systems, is driven by risk management requirement RA.L2-3.11.1, which calls for periodically assessing risk to organizational systems. CA.L2-3.12.2 also supports the ongoing monitoring of security controls defined in requirement CA.L2-3.12.3.

Example
As IT director, one of your duties is to develop action plans when you discover that your company is not meeting security requirements or when a security issue arises [b]. A recent vulnerability scan identified several items that need to be addressed, so you develop a plan to fix them [b]. Your plan identifies the people responsible for fixing the issues, how to do it, and when the remediation will be completed [b]. You also define how to verify that the person responsible has fixed the vulnerability [b]. You document this in a plan of action that is updated as milestones are reached [b]. You have a separate resource review the modifications after they have been completed to ensure the plan has been implemented correctly [c].

Potential Assessment Considerations
• Is there an action plan to remediate identified weaknesses or deficiencies [a]?
• Is the action plan maintained as remediation is performed [b]?
• Does the action plan designate remediation dates and milestones for each item [c]?
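The following is an added example, not part of the CMMC text, showing how the plan-of-action elements listed under Further Discussion (accountable owner, actionable steps, assigned responsibility, milestones, completion dates, verification) can be tracked and checked against assessment objectives [a], [b] and [c]. The data model, field names and the sample plan are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
@dataclass
class Milestone:
    step: str                         # clear, actionable step
    owner: str                        # responsibility assigned for this step
    due: Optional[date]               # completion date
    completed: Optional[date] = None  # set when the step is done
@dataclass
class ActionItem:
    weakness: str                     # deficiency or vulnerability to correct
    accountable: str                  # who is accountable for the plan's performance
    verification: str                 # how the fix will be confirmed
    milestones: List[Milestone] = field(default_factory=list)

def assess_item(item: ActionItem, today: date) -> List[str]:
    """Findings against objectives [a], [b], [c]; an empty list means all met."""
    findings = []
    # [a] a plan exists: accountable owner, remediation steps, verification method
    if not item.accountable:
        findings.append("[a] no accountable owner")
    if not item.milestones:
        findings.append("[a] no remediation steps")
    if not item.verification:
        findings.append("[a] no verification method")
    for m in item.milestones:
        # [c] each milestone designates responsibility and a completion date
        if not m.owner:
            findings.append(f"[c] '{m.step}' has no assigned owner")
        if m.due is None:
            findings.append(f"[c] '{m.step}' has no completion date")
        # [b] plan is maintained: past-due steps are closed or re-planned
        elif m.completed is None and m.due < today:
            findings.append(f"[b] '{m.step}' overdue since {m.due}, plan not updated")
    return findings

def assess_plan(items: List[ActionItem], today: date) -> dict:
    return {i.weakness: assess_item(i, today) for i in items}
# Constructed sample: one well-maintained item and one neglected item (hypothetical data)
TODAY = date(2024, 3, 10)
SAMPLE_PLAN = [
    ActionItem("outdated web server package", "IT director", "rescan, second-person review",
               [Milestone("apply vendor patch", "sysadmin", date(2024, 3, 1), date(2024, 2, 27)),
                Milestone("rescan host", "security analyst", date(2024, 3, 5), date(2024, 3, 4))]),
    ActionItem("weak TLS settings on VPN gateway", "", "",
               [Milestone("disable legacy ciphers", "", None),
                Milestone("update configuration baseline", "sysadmin", date(2024, 2, 15))]),
]
```

Running `assess_plan(SAMPLE_PLAN, TODAY)` returns no findings for the first item and five for the second, each tagged with the assessment objective it fails.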


Source: CMMC v2.11