CCI-004325
CCI-004325 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:

- a process to ensure that plans of action and milestones for the information security risk management programs and associated Organizational systems are reported in accordance with established reporting requirements.
- a process to ensure that plans of action and milestones for the privacy risk management programs and associated Organizational systems are reported in accordance with established reporting requirements.
- a process to ensure that plans of action and milestones for the supply chain risk management programs and associated Organizational systems are reported in accordance with established reporting requirements.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; plans of action and milestones; procedures addressing plans of action and milestones development and maintenance; procedures addressing plans of action and milestones reporting; procedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities; results of risk assessments associated with plans of action and milestones; OMB FISMA reporting requirements; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for plan of action and milestones development, review, maintenance, and reporting; mechanisms supporting plans of action and milestones].