CMMC CA.2.159 - Implement Plans of Action to Address Vulnerabilities

Requirement text: CA.2.159: Develop and implement plans of action designed to correct deficiencies
and reduce or eliminate vulnerabilities in organizational systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
The plan of action is a key document in the information security program. Organizations
develop plans of action that describe how any unimplemented security requirements will be
met and how any planned mitigations will be implemented. Organizations can document the
system security plan and plan of action as separate or combined documents and in any
chosen format.

Federal agencies may consider the submitted system security plans and plans of action as
critical inputs to an overall risk management decision to process, store, or transmit CUI on a
system hosted by a nonfederal organization and whether it is advisable to pursue an
agreement or contract with the nonfederal organization.

CMMC CLARIFICATION
When you write a plan of action, you should define the clear goal or objective of the plan.
You may include the following in the action plan:
      • ownership of who is accountable for ensuring the plan’s performance;
      • specific steps or milestones that are clear and actionable;
      • assigned responsibility for each step or milestone;
      • milestones to measure plan progress; and
      • completion dates.

Note that receiving Cybersecurity Maturity Model Certification requires all practices and
processes to be implemented at the time of assessment. Any security requirement that
was tracked in a plan of action must be closed (that is, met) before the CMMC
assessment can be passed and certification granted.

Example 1
You are in charge of IT operations in your organization. Your job is to develop action plans
when you discover that your company isn’t meeting security requirements. One of your
sources of information is the output of vulnerability scans on your network. When you
receive notification of a vulnerability that needs fixing, you develop a plan to fix it. Your plan
identifies the person responsible for fixing it, how to do it, and when to do it. You will also
define how to measure that the person responsible has fixed the vulnerability. You
document this in a plan of action.

Example 2
A company that is CMMC L1 compliant seeks L3 compliance. The IT department tracks the
implementation of the additional security requirements needed for L3 in an action plan and
realizes that it will be more than 6 months before CMMC L3 requirements can be met.
Company officials refer to the action plan that indicates that CMMC L2 requirements are
currently met and decide to pursue CMMC L2 compliance instead of L3 and seek L3
certification next year.

References
• NIST SP 800-171 Rev 1 3.12.2
• CERT RMM v1.2 RISK:SG5.SP1
• NIST SP 800-53 Rev 4 CA-5