
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

PM Family: Program Management

PM-4 PLAN OF ACTION AND MILESTONES PROCESS


Control | Title                                 | Applicable: (Y)es / (N)o | (C)onfidentiality: L1 / M2 / H3 | (I)ntegrity: L1 / M2 / H3 | (A)vailability: L1 / M2 / H3 | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory +##
PM-4    | Plan of Action and Milestones Process |                          |                                 |                           |                              | ###         |

 

Assessment Objective:

Determine if the organization:

PM-4(a) implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:

    PM-4(a)(1)
        PM-4(a)(1)[1] are developed;
        PM-4(a)(1)[2] are maintained;

    PM-4(a)(2) document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation;

    PM-4(a)(3) are reported in accordance with OMB FISMA reporting requirements;

PM-4(b) reviews plans of action and milestones for consistency with:

    PM-4(b)[1] the organizational risk management strategy; and
    PM-4(b)[2] organization-wide priorities for risk response actions.

Potential Assessment Methods and Objects:

Examine: [select from: Information security program plan; plans of action and milestones; procedures addressing plans of action and milestones development and maintenance; procedures addressing plans of action and milestones reporting; procedures for review of plans of action and milestones for consistency with risk management strategy and risk response priorities; results of risk assessments associated with plans of action and milestones; OMB FISMA reporting requirements; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for developing, maintaining, reviewing, and reporting plans of action and milestones; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for plan of action and milestones development, review, maintenance, reporting; automated mechanisms supporting plans of action and milestones].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056