Link Search Menu Expand Document
NIST SP 800-37

PLAN OF ACTION AND MILESTONES

TASK A-6

Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports.
Potential Inputs: Updated security and privacy assessment reports; updated security and privacy plans; organization- and system-level risk assessment results; organizational risk management strategy and risk tolerance.
Expected Outputs: A plan of action and milestones detailing the findings from the security and privacy assessment reports that are to be remediated.
Primary Responsibility: System Owner; Common Control Provider.
Supporting Roles: Information Owner or Steward; System Security Officer; System Privacy Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Control Assessor; Chief Acquisition Officer.
System Development Life Cycle Phase: New – Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: The plan of action and milestones is included as part of the authorization package. The plan of action and milestones describes the actions that are planned to correct deficiencies in the controls identified during the assessment of the controls and during continuous monitoring. The plan of action and milestones includes tasks to be accomplished with a recommendation for completion before or after system authorization; resources required to accomplish the tasks; milestones established to meet the tasks; and the scheduled completion dates for the milestones and tasks. The plan of action and milestones is reviewed by the authorizing official to ensure there is agreement with the remediation actions planned to correct the identified deficiencies. It is subsequently used to monitor progress in completing the actions. Deficiencies are accepted by the authorizing official as residual risk or are remediated during the assessment or prior to submission of the authorization package to the authorizing official. Plan of action and milestones entries are not necessary when deficiencies are accepted by the authorizing official as residual risk. However, deficiencies identified during assessment and monitoring are documented in the assessment reports, which can be retained within an automated security/privacy management and reporting tool to maintain an effective audit trail. Organizations develop plans of action and milestones based on assessment results obtained from control assessments, audits, and continuous monitoring and in accordance with applicable laws, executive orders, directives, policies, regulations, standards, or guidance.

Organizations implement a consistent process for developing plans of action and milestones that uses a prioritized approach to risk mitigation that is uniform across the organization. A risk assessment guides the prioritization process for items included in the plan of action and milestones. The process ensures that plans of action and milestones are informed by the security categorization of the system and security, privacy, and supply chain risk assessments; the specific deficiencies in the controls; the criticality of the identified control deficiencies (i.e., the direct or indirect effect that the deficiencies may have on the security and privacy posture of the system, and therefore, on the risk exposure of the organization; or the ability of the organization to perform its mission or business functions); and the proposed risk mitigation approach to address the identified deficiencies in the controls (e.g., prioritization of risk mitigation actions and allocation of risk mitigation resources). Risk mitigation resources include, for example, personnel, new hardware or software, and tools.

References: [SP 800-30]; [SP 800-53A]; [SP 800-160 v1] (Verification and Validation Processes); [IR 8062].