CA-05 Plan Of Action And Milestones

Security Assessment and Authorization

Low Moderate High Privacy

Description

The organization develops and updates [Assignment: organization-defined frequency], a plan of action and milestones for the information system that documents the organization’s planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.

Supplemental Guidance

The plan of action and milestones is a key document in the security accreditation package developed for the authorizing official and is subject to federal reporting requirements established by OMB. The plan of action and milestones updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. NIST Special Publication 800-37 provides guidance on the security certification and accreditation of information systems. NIST Special Publication 800-30 provides guidance on risk mitigation.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

10.2, 6.1.3, 8.3

COBIT 2019

APO12, BAI11, DSS03

CIS Controls v8

CIS 16.3, CIS 18.3, CIS 7.2, CIS 7.7

NIST CSF 2.0

GV.RM-04, ID.RA-05, ID.RA-06

SOC 2 TSC

CC4.2

CSA CCM v4

AA-04, AA-05, AA-06, CCC-08, GRC-04

CSA AICM v1

A&A-04, A&A-05, A&A-06, CCC-08, GRC-04

ISO 42001:2023

A.5.3

IEC 62443

2-1 4.4

PRA Operational Resilience

PS6/21-1.1, SS1/21-6.2

APRA CPS 234

Para 26

ANSSI

Hygiene.36, SecNumCloud.19.1

FINMA Circular 2023/1

IV.B.c(54), IV.B.c(55), IV.D(75)

OSFI B-13

B-13.1.3, B-13.1.4

EU GDPR

Art.24(1), Art.32(1)(d)

EU DORA

Art.6(4)

RBI CSF

Annex1.18, ITGRCA.26

FISC Security Guidelines

FISC.O7

LGPD + BCB 4893

BCB.Art.18, BCB.Art.19, LGPD.Art.50

HKMA TM-E-1

TME1.2.6

MLPS 2.0

8.1.7.2, 8.1.9.6

DNB Good Practice

DNB.16.2, DNB.4.3

SAMA CSF

1.3, 1.8, 1.9, 2.2

NCA ECC

1-5, 1-8

UAE IA

T2

CBB TM

TM-11, TM-16, TM-4

Qatar NIA

GVRM

CBUAE

CR-14, CR-2

CBE CSF

CRM-1, GOV-3

SA JS2

JS2-6.2, JS2-9

CBN CSF

Part2.1, Part2.2, Part6.2

BoG CISD

CISD-COMP, CISD-III, CISD-ISMS, CISD-IV

BoM CTRM

1.4, 4.3

IOSCO Cyber Resilience

LE-1, LE-2

BCBS 239

Principle 12, Principle 13

CPMI-IOSCO PFMI

CG.LE, PFMI.P3

FFIEC IS

Appendix A, II.C.3, II.C.4, IV.A, IV.A.4

NYDFS 500

500.2, 500.9

HIPAA Security Rule

§164.308(a)(1)(i), §164.308(a)(1)(ii)(B), §164.308(a)(8)

ECB CROE

CROE.2.8.1

EBA ICT Guidelines

3.3.4, 3.3.6

SEBI CSCRF

AUDIT, GV.OV, RC.IM, RS.IM

BOT Cyber Resilience

Ch6.1

CMMC 2.0

CA

10 CFR 73.54

RG5.71-C-CA

TSA Pipeline SD

SD-1 Sec 4, SD-2 Sec E

API 1164

Sec 15

IAEA NSS 17-T

Sec 11

CBEST

CBEST.10, CBEST.6, CBEST.7

TIBER-EU

TIBER.CLOSE, TIBER.REM

PCI HSM

10

ISAE 3402

Clause 10, Clause 2, Clause 5

Solvency II

Art.45, Art.46, Art.47

NAIC Insurance Data Security

4, 4A, 4E

PRA SS1/23

P4.5, P5.1

FCA SYSC 13

SYSC 13.5.3

HITRUST CSF v11

00.b, 03.b, 06.c

FDA Cybersecurity Guidance

CRA-3, VR-2

ISO 27799

18.3

NHS DSPT

NDG-5.1, NDG-6.4

Basel SCO60

SCO60.74, SCO60.82, SCO60.85

BSSC Standards

KMS-07

ISO 17799 (legacy)

15.2.1

COBIT 4.1 (legacy)

ME2.7