Navigate

CCI-002993

CCI-002993 Definition

The organization reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to review plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. The organization must maintain a record of reviews.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reviews to ensure the organization being inspected/assessed reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Compelling Evidence

1.) Signed and dated plan of action and milestones (POA&M). 2.) Record of reviews.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002993.

Control	Description
PM-4	The organization: PM-4a.: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: PM-4a.1.: Are developed and maintained; PM-4a.2.: Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and PM-4a.3.: Are reported in accordance with OMB FISMA reporting requirements. PM-4b.: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Control

Description

PM-4

The organization:

PM-4a.: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
- PM-4a.1.: Are developed and maintained;
- PM-4a.2.: Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
- PM-4a.3.: Are reported in accordance with OMB FISMA reporting requirements.

PM-4b.: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.