PM-4: PLAN OF ACTION AND MILESTONES PROCESS

PROGRAM MANAGEMENT & INDUSTRIAL CONTROL SYSTEMS

• ICS Control Baselines:

• Program Management is baseline independent.

• a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
• b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
• c.

SUPPLEMENTAL GUIDANCE

The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones.

ICS SUPPLEMENTAL GUIDANCE

The plan of action and milestones includes both computational and physical ICS components. Records of observed shortcomings and appropriate remedial action may be maintained in a single document or in multiple coordinated documents (e.g., future engineering plans).

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

• NIST Special Publication 800-82
• NIST Special Publication 800-37
• OMB Memorandum 02-01