Description
a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems are maintained and document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Supplemental Guidance
The plan of action and milestones is a key organizational document and is subject to reporting requirements established by OMB. Organizations develop plans of action and milestones with an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level and the organization level.
Changes from Rev 4
Privacy and supply chain risk management added. Review of POA&M consistency with risk management strategy added.