Navigate

CA-5

CA-5: Plan Of Action And Milestones

The organization:

CA-5a.: Develops a plan of action and milestones for the information system to document the organization�s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

CA-5b.: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

Supplemental

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to CA-5.

Control	Description
CA-2	The organization: CA-2a.: Develops a security assessment plan that describes the scope of the assessment including: CA-2a.1.: Security controls and control enhancements under assessment; CA-2a.2.: Assessment procedures to be used to determine security control effectiveness; and CA-2a.3.: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2c.: Produces a security assessment report that documents the results of the assessment; and CA-2d.: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7a.: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7b.: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7c.: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7d.: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7e.: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7f.: Response actions to address results of the analysis of security-related information; and CA-7g.: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CM-4	The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
PM-4	The organization: PM-4a.: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: PM-4a.1.: Are developed and maintained; PM-4a.2.: Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and PM-4a.3.: Are reported in accordance with OMB FISMA reporting requirements. PM-4b.: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Enhancements

The controls below (if any) add on to the requirements of CA-5.

Control	Description
CA-5 (1)	The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.

Related CCIs

The CCIs below are tied to CA-5.

CCI	Definition
CCI-000264	The organization develops a plan of action and milestones for the information system to document the organization^s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
CCI-000265	The organization defines the frequency with which to update the existing plan of action and milestones for the information system.
CCI-000266	The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.