Navigate

CCI-002993

CCI-002993 Definition

Review plans of action and milestones for the security program and associated organization systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - plans of action and milestones are reviewed for consistency with the Organizational risk management strategy. - plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.

Validation Procedures

Examine: [SELECT FROM: Information security program plan; plans of action and milestones; procedures addressing plans of action and milestones development and maintenance; procedures addressing plans of action and milestones reporting; procedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities; results of risk assessments associated with plans of action and milestones; OMB FISMA reporting requirements; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for plan of action and milestones development, review, maintenance, and reporting; mechanisms supporting plans of action and milestones].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002993.

Control	Description
PM-4	a: Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: 1: Are developed and maintained; 2: Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3: Are reported in accordance with established reporting requirements. b: Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Control

Description

PM-4

a: Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
- 1: Are developed and maintained;
- 2: Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
- 3: Are reported in accordance with established reporting requirements.

b: Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.