IAO-05: Plan of Action & Milestones (POA&M)
Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
Control Question: Does the organization generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities?
General (42)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC4.2 CC4.2-POF3 |
| COBIT 2019 | APO12.05 MEA01.05 MEA02.04 |
| COSO 2017 | Principle 17 |
| CSA CCM 4 | A&A-06 |
| GovRAMP Low | CA-05 |
| GovRAMP Low+ | CA-05 |
| GovRAMP Moderate | CA-05 |
| GovRAMP High | CA-05 |
| ISO/SAE 21434 2021 | RQ-09-05 RQ-09-06.a RQ-09-06.b |
| ISO 31000 2009 | 5.6 5.7 |
| ISO 31010 2009 | 5.5 |
| ISO 42001 2023 | 10.2 10.2(a) 10.2(a)(1) 10.2(a)(2) 10.2(b) 10.2(b)(1) 10.2(b)(2) 10.2(b)(3) 10.2(c) 10.2(d) 10.2(e) 9.3.2(a) 9.3.2(b) |
| NIST AI 100-1 (AI RMF) 1.0 | MANAGE 1.1 MANAGE 1.2 MANAGE 1.3 MANAGE 1.4 MANAGE 3.1 MANAGE 4.0 MEASURE 3.0 MEASURE 3.1 MEASURE 3.2 |
| NIST 800-37 R2 | A-6 R-3 |
| NIST 800-39 | 3.2 3.3 3.4 |
| NIST 800-53 R4 | CA-5 PM-4 |
| NIST 800-53 R4 (low) | CA-5 |
| NIST 800-53 R4 (moderate) | CA-5 |
| NIST 800-53 R4 (high) | CA-5 |
| NIST 800-53 R5 (source) | CA-5 PM-4 SA-15(2) |
| NIST 800-53B R5 (privacy) (source) | CA-5 |
| NIST 800-53B R5 (low) (source) | CA-5 |
| NIST 800-53B R5 (moderate) (source) | CA-5 |
| NIST 800-53B R5 (high) (source) | CA-5 |
| NIST 800-53 R5 (NOC) (source) | PM-4 SA-15(2) |
| NIST 800-82 R3 LOW OT Overlay | CA-5 |
| NIST 800-82 R3 MODERATE OT Overlay | CA-5 |
| NIST 800-82 R3 HIGH OT Overlay | CA-5 |
| NIST 800-161 R1 | CA-5 PM-4 |
| NIST 800-161 R1 C-SCRM Baseline | CA-5 |
| NIST 800-161 R1 Level 2 | CA-5 PM-4 |
| NIST 800-161 R1 Level 3 | CA-5 PM-4 |
| NIST 800-171 R2 (source) | 3.12.2 |
| NIST 800-171A (source) | 3.12.2[a] 3.12.2[b] 3.12.2[c] |
| NIST 800-171 R3 (source) | 03.04.11.b 03.12.02.a 03.12.02.a.01 03.12.02.a.02 03.12.02.b 03.12.02.b.01 03.12.02.b.02 03.12.02.b.03 03.14.01.a |
| NIST 800-171A R3 (source) | A.03.12.02.a.01 A.03.12.02.a.02 A.03.12.02.b.01 A.03.12.02.b.02 A.03.12.02.b.03 |
| NIST CSF 2.0 (source) | ID.IM-01 ID.IM-02 ID.RA-01 |
| TISAX ISA 6 | 1.5.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IAO-05 |
| SCF CORE ESP Level 1 Foundational | IAO-05 |
| SCF CORE ESP Level 2 Critical Infrastructure | IAO-05 |
| SCF CORE ESP Level 3 Advanced Threats | IAO-05 |
US (24)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | RISK-2.E.MIL2 RISK-2.F.MIL2 RISK-3.F.MIL2 |
| US CERT RMM 1.2 | EC:SG3.SP2 EF:SG2.SP1 EF:SG2.SP2 EF:SG4.SP3 OPF:SG2.SP2 KIM:SG3.SP2 PM:SG2.SP2 RISK:SG5.SP1 TM:SG3.SP2 |
| US CMMC 2.0 Level 2 (source) | CA.L2-3.12.2 |
| US CMMC 2.0 Level 3 (source) | CA.L2-3.12.2 |
| US CMS MARS-E 2.0 | CA-5 PM-4 |
| US FedRAMP R4 | CA-5 |
| US FedRAMP R4 (low) | CA-5 |
| US FedRAMP R4 (moderate) | CA-5 |
| US FedRAMP R4 (high) | CA-5 |
| US FedRAMP R4 (LI-SaaS) | CA-5 |
| US FedRAMP R5 (source) | CA-5 |
| US FedRAMP R5 (low) (source) | CA-5 |
| US FedRAMP R5 (moderate) (source) | CA-5 |
| US FedRAMP R5 (high) (source) | CA-5 |
| US FedRAMP R5 (LI-SaaS) (source) | CA-5 |
| US HIPAA HICP Large Practice | 9.L.C |
| US IRS 1075 | 2.D.9 2.E.5 CA-5 PM-4 |
| US NERC CIP 2024 (source) | CIP-007-6 2.4 |
| US NISPOM 2020 | 8-311 8-610 |
| US NNPI (unclass) | 4.2 |
| US TSA / DHS 1580/82-2022-01 | III.C.1.b III.C.2 III.C.3 III.E.3 |
| US - TX DIR Control Standards 2.0 | CA-5 PM-4 |
| US - TX TX-RAMP Level 1 | CA-5 |
| US - TX TX-RAMP Level 2 | CA-5 |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.3.1(13)(d) |
| EMEA EU NIS2 | 21.4 |
| EMEA EU NIS2 Annex | 6.5.2(d) |
| EMEA Saudi Arabia OTCC-1 2022 | 1-3-1-6 |
| EMEA UAE NIAF | 3.2 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1564 |
| APAC New Zealand NZISM 3.6 | 4.2.12.C.01 6.3.8.C.01 |
| APAC Singapore MAS TRM 2021 | 4.5.2 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 5.9 |
| Americas Canada ITSP-10-171 | 03.04.11.B 03.12.02.A 03.12.02.A.01 03.12.02.A.02 03.12.02.B 03.12.02.B.01 03.12.02.B.02 03.12.02.B.03 03.14.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
Level 2 — Planned & Tracked
Information Assurance (IA) is requirements-driven and governed at a local/regional level, but not consistently across the enterprise. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for pre-production cybersecurity and data privacy control testing.
- IT personnel implement and maintain an established, limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/or contractual requirements for pre-production cybersecurity and data privacy control testing.
- IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined
Information Assurance (IA) is standardized across the enterprise and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cybersecurity personnel implement and maintain an established Information Assurance Program (IAP) capability to conduct “business as usual” pre-production cybersecurity and data privacy control testing focused on the concept of “security and data privacy by design and by default.”
- The IAP validates that systems/applications/services/processes are both secure and compliant.
- A Governance, Risk & Compliance (GRC) function, or similar function, facilitates the implementation of cybersecurity and data protection controls to ensure that secure engineering practices are designed and implemented throughout the lifecycle of systems, applications and services both internal and external to the organization.
- A Project Management Office (PMO), or project management function, ensures project involvement for IAP as part of the organization's established project management processes.
- A Plan of Action and Milestones (POA&M), or similar mechanism, exists to document planned remediation actions to correct weaknesses or deficiencies noted during the assessment of the security controls, helping to reduce or eliminate known vulnerabilities.
- Administrative processes prevent systems/applications/services/processes from “going live” in a production environment without first going through the IAP process.
- The IAP uses a tiered approach to conformity testing, based on (1) the sensitivity of data that is stored, processed and/or transmitted and (2) the criticality of the system/application/service/process.
Level 4 — Quantitatively Controlled
Information Assurance (IA) is metrics-driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in the review process for proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
Assessment Objectives
- IAO-05_A01 deficiencies and vulnerabilities to be addressed by the plan of action are identified.
- IAO-05_A02 a plan of action is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.
- IAO-05_A03 the frequency at which to update an existing plan of action based on the findings from control assessments, independent audits or reviews and continuous monitoring activities is defined.
- IAO-05_A04 the existing plan of action is updated at an organization-defined frequency based on the findings from control assessments, independent audits or reviews and continuous monitoring activities.
- IAO-05_A05 a process to ensure the plan of action for the cybersecurity program and associated organizational systems is developed.
- IAO-05_A06 a process to ensure the plan of action for the cybersecurity program and associated organizational systems is maintained.
- IAO-05_A07 a process to ensure the plan of action for the privacy program and associated organizational systems is developed.
- IAO-05_A08 a process to ensure the plan of action for the privacy program and associated organizational systems is maintained.
- IAO-05_A09 a process to ensure the plan of action for the supply chain risk management program and associated organizational systems is developed.
- IAO-05_A10 a process to ensure the plan of action for the supply chain risk management program and associated organizational systems is maintained.
- IAO-05_A11 a process to ensure the plan of action for the cybersecurity program and associated organizational systems documents remedial cybersecurity risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation.
- IAO-05_A12 a process to ensure the plan of action for the privacy program and associated organizational systems documents remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation.
- IAO-05_A13 a process to ensure the plan of action for the supply chain risk management program and associated organizational systems documents remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation.
- IAO-05_A14 a process to ensure the plan of action for the cybersecurity risk management programs and associated organizational systems is reported in accordance with established reporting requirements.
- IAO-05_A15 a process to ensure the plan of action for the privacy risk management programs and associated organizational systems is reported in accordance with established reporting requirements.
- IAO-05_A16 a process to ensure the plan of action for the supply chain risk management programs and associated organizational systems is reported in accordance with established reporting requirements.
- IAO-05_A17 plan of action is reviewed for consistency with the organizational risk management strategy.
- IAO-05_A18 plan of action is reviewed for consistency with organization-wide priorities for risk response actions.
- IAO-05_A19 the developer of the system, system component or system service is required to select and employ security tracking tools for use during the development process.
- IAO-05_A20 the developer of the system, system component or system service is required to select and employ privacy tracking tools for use during the development process.
- IAO-05_A21 the frequency at which to update an existing plan of action based on the findings from control assessments, independent audits or reviews and continuous monitoring activities is defined.
- IAO-05_A22 a plan of action is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.
- IAO-05_A23 existing plan of action is updated per an organization-defined frequency based on the findings from control assessments, independent audits or reviews and continuous monitoring activities.
- IAO-05_A24 a plan of action is developed to document the planned remediation actions for correcting weaknesses or deficiencies noted during security assessments.
- IAO-05_A25 a plan of action is developed to reduce or eliminate known system vulnerabilities.
- IAO-05_A26 the existing plan of action is updated based on the findings from security assessments.
- IAO-05_A27 the existing plan of action is updated based on the findings from audits or reviews.
- IAO-05_A28 the existing plan of action is updated based on the findings from continuous monitoring activities.
- IAO-05_A29 the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
Evidence Requirements
- E-RSK-03 Plan of Actions & Milestones (POA&M) / Risk Register: Documented evidence of a POA&M, or risk register, that tracks control deficiencies from identification through remediation.
Risk Management
Technology Recommendations
Micro/Small
- Plan of Action and Milestones (POA&M)
- Risk register
Small
- Plan of Action and Milestones (POA&M)
- Risk register
Medium
- Plan of Action and Milestones (POA&M)
- Risk register
Large
- Plan of Action and Milestones (POA&M)
- Risk register
Enterprise
- Plan of Action and Milestones (POA&M)
- Risk register