Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ca-5

plan of action and milestones  

assessment objective:

Determine if the organization:

ca-5(a)

develops a plan of action and milestones for the information system to:

ca-5(a)[1]  

document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

ca-5(a)[2]

reduce or eliminate known vulnerabilities in the system;

ca-5(b)

ca-5(b)[1]

defines the frequency to update the existing plan of action and milestones;

ca-5(b)[2]

updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

ca-5(b)[2][a]

security controls assessments;

ca-5(b)[2][b]

security impact analyses; and

ca-5(b)[2][c]

continuous monitoring activities.

potential assessment methods and objects:

Examine: [select from: Security assessment and authorization policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; other relevant documents or records].

Interview: [select from: Organizational personnel with plan of action and milestones development and implementation responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms for developing, implementing, and maintaining plan of action and milestones].