CCI-000266

The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

Implementation Guidance

The organization being inspected/assessed will update the POA&M at least every 90 days. The updates are to be based upon the assessment of the identified vulnerabilities and weaknesses, prioritization of the vulnerabilities and weaknesses, progress being made in addressing and resolving the security weaknesses and vulnerabilities found in programs and systems, and continuous monitoring activities. DoD has defined the frequency as at least every 90 days.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines current POA&M. The objective is to validate the organization is providing updates to the POA&M at least every 90 days. Review of POA&M without change must be documented (i.e., adding review date to the POA&M header information). DoD has defined the frequency as at least every 90 days.

Compelling Evidence

1.) Signed and dated Security Plan of Action and Milestones document with verification of document changes within

The controls below (if any) were marked by NIST as being related to CCI-000266.