CCI-000170
CCI-000170 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:

- a process to ensure that plans of action and milestones for the information security program and associated Organizational systems document remedial information security risk management actions to adequately respond to risks to Organizational operations and assets, individuals, other organizations, and the Nation.
- a process to ensure that plans of action and milestones for the privacy program and associated Organizational systems document remedial privacy risk management actions to adequately respond to risks to Organizational operations and assets, individuals, other organizations, and the Nation.
- a process to ensure that plans of action and milestones for the supply chain risk management program and associated Organizational systems document remedial supply chain risk management actions to adequately respond to risks to Organizational operations and assets, individuals, other organizations, and the Nation.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; plans of action and milestones; procedures addressing plans of action and milestones development and maintenance; procedures addressing plans of action and milestones reporting; procedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities; results of risk assessments associated with plans of action and milestones; OMB FISMA reporting requirements; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for plan of action and milestones development, review, maintenance, and reporting; mechanisms supporting plans of action and milestones].