Establish, implement, and maintain a corrective action plan.


CONTROL ID
00675
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Align corrective actions with the level of environmental impact., CC ID: 15193
  • Include risks and opportunities in the corrective action plan., CC ID: 15178
  • Include environmental aspects in the corrective action plan., CC ID: 15177
  • Include the completion date in the corrective action plan., CC ID: 13272
  • Include monitoring in the corrective action plan., CC ID: 11645


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Standard § II.3(5): Material weaknesses and control deficiencies that are identified during management's assessment should be recognized on a timely basis and taken care of. When material weaknesses have been identified, internal control over financial reporting can still be determined to be effect… (Standard § II.3(5), Practice Standard § II.3(5)[1], Practice Standard § III.4(3)[2], Practice Standard § III.4(3)[3], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of th… (Article 27(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Under CPS 234, an APRA-regulated entity must notify APRA of information security control weaknesses meeting specified criteria. An APRA-regulated entity would typically escalate material control weaknesses to the relevant governing bodies or individuals and formulate a remediation strategy. (89., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. (3.4.6 46, Final Report EBA Guidelines on ICT and security risk management)
  • Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important functi… (4.14 105, Final Report on EBA Guidelines on outsourcing arrangements)
  • Where nonconformities are identified, has the organization put in place appropriate processes for managing nonconformities and the related corrective actions? (Performance evaluation ¶ 10, ISO 22301: Self-assessment questionnaire)
  • Have actions to control, correct and deal with the consequences of nonconformities been identified? (Improvement ¶ 1, ISO 22301: Self-assessment questionnaire)
  • implement follow-up action if appropriate, which may involve a firm: (§ 5.15 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • (¶ 4.35, Smith Guidance on Audit Committees, UK FRC, January 2003)
  • Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through: - Review, negotiation and establishment of management responses - Assignment of responsibility for remediation - Tracking of… (ME1.6 Remedial Actions, CobiT, Version 4.1)
  • Identify, initiate, track and implement remedial actions arising from control assessments and reporting. (ME2.7 Remedial Actions, CobiT, Version 4.1)
  • Develop senior management reports on IT's contribution to the business, specifically in terms of the performance of the enterprise's portfolio, IT-enabled investment programmes, and the solution and service deliverable performance of individual programmes. Include in status reports the extent to whi… (ME1.5 Board and Executive Reporting, CobiT, Version 4.1)
  • Add processes and policies that will regularly read and act on the data provided by the IDS/IPS. (§ 4.3.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (PCI DSS Question 10.6.3(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (PCI DSS Question 10.6.3(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is follow up to exceptions and anomalies identified during the review process performed? (PCI DSS Question 10.6.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization must develop, implement, and maintain procedures to handle nonconformity, both actual and potential, and for taking preventive and corrective actions. The procedures must define the requirements for identifying and correcting nonconformity and necessary actions to mitigate its impac… (§ 4.5.3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence. (A&A-05, Cloud Controls Matrix, v4.0)
  • Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. (CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process, CIS Controls, V8)
  • The organization shall establish a process for tracking all preventive actions and corrective actions until they are corrected. (§ 4.6.2 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • deal with the consequences, including mitigating adverse environmental impacts; (§ 10.2 ¶ 1 a) 2), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. (§ 10.1 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should retain documented information as evidence of the nature of the nonconformities and subsequent actions taken, and the results of corrective actions taken. (10.2 ¶ 8, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Based on the area(s) an organization has selected to improve, it should assess which maturity level is necessary for each of the EMS elements to achieve the intended outcomes. It should then determine the gap between the required maturity levels and the existing ones, guided by the maturity matrix (… (§ 6.5 ¶ 1, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • if there were delays or other deviations from the action plan; (§ 6.7 ¶ 2 Bullet 5, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The action plan should be implemented and monitored with regard to timescales, achievement of milestone results and resource use. Appropriate actions should be taken, where necessary, to ensure that the improvement actions progress according to the plan. (§ 6.6 ¶ 2, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • set timescales; (§ 6.6 ¶ 1 Bullet 7, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered. (§ 10.1.2 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall act on the results of its exercising and testing to implement changes and improvements. (§ 8.5 ¶ 3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • nonconformities and corrective actions; (§ 9.3.2 ¶ 1 c) 1), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • take appropriate action relating to those results. (§ 9.3.3.2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS. (§ 10.1.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall use the outcomes of investigations for the improvement of the compliance management system as appropriate (see Clause 10). (§ 8.4 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • nonconformities, noncompliances and corrective actions; (§ 9.3.2 ¶ 1 d) bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall use the outcome of investigations for the improvement (see Clause 10) of the compliance management system as appropriate. (§ 8.4 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • nonconformities and corrective actions; (§ 9.3 ¶ 2(c)(1), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall monitor and review the effectiveness of information security controls and take necessary actions. (§ 8.7.3.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • If the outcome of the audit includes nonconformities, the auditee should prepare an action plan for each nonconformity to be agreed with the audit team leader. A follow-up action plan typically includes: (§ 9.2 Guidance ¶ 15, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • plan the corrective actions, giving priority, if possible, to areas where there are higher likelihood of recurrence and more significant consequences of the nonconformity. Planning should include a responsible person for a corrective action and a deadline for implementation; (§ 10.1 Guidance ¶ 4(6), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Some organizations maintain registers for tracking nonconformities and corrective actions. There can be more than one register (for example, one for each functional area or process) and on different media (paper, file, application, etc.). If this is the case, then they should be established and cont… (§ 10.1 Guidance ¶ 7, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. (Task M-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning. (PR.IP-12.2, CRI Profile, v1.2)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-2 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-3 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset. (Attachment 1 Section 5. 5.2 5.2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Are all issues identified in the vulnerability assessment documented and tracked to remediation? (§ G.10.2.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified in the vulnerability scan documented and tracked to remediation? (§ G.10.2.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified in the vulnerability assessment documented and tracked to remediation? (§ G.10.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified in the vulnerability scan documented and tracked to remediation? (§ G.10.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified by the internal network penetration test documented and tracked to remediation? (§ G.10.4.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified by the external network penetration test documented and tracked to remediation? (§ G.10.5.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Each agency must develop, document, and implement an information security program agency wide that includes processes for planning, implementing, evaluating, and documenting any remedial actions. The head of each agency shall submit to the Director of the Office of Management and Budget the results … (§ 3544(b)(6), § 3545(e), Federal Information Security Management Act of 2002)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.L2-3.12.2 Plan of Action, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • A medical device manufacturer shall establish and maintain procedures to implement corrective and preventive actions. The procedures shall include requirements for analyzing work operations, quality audit reports, processes, concessions, service and quality records, returned products, complaints, an… (§ 820.100, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Establishing a provision for management intervention if timeliness for corrective action is not met. (App A Objective 2:4g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implementation of corrective action plans when KPIs do not meet established targets. (VI.D Action Summary ¶ 2 Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Discuss corrective action and communicate findings. (App A Objective 18, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements corrective action plans to address deviations or negative trends, assigns individuals responsible, and monitors progress to completion. (App A Objective 17:2f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Developing longer-term action plans to monitor and address issues. (App A Objective 16:4b Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Discuss examination findings with management and obtain proposed corrective action for significant deficiencies. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Has management developed resolutions to the identified problems? (IT - Servers Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review of audit trails in order to implement the appropriate controls is called for. (§ 3.13.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure a plan of action and milestones have been documented and are updated regularly, the organization follows the plan by correcting deficiencies and meeting milestones, and specific responsibilities and actions are defined for the impleme… (CA-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. (PM-11b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. (3.12.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (3.12.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (3.12.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish and maintain a Plan of Action and Milestones for the security program and associated Information Systems, which includes remedial actions to mitigate risk to operations, assets, individuals, other organizations, and the nation. (App G § PM-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must plan and start any necessary corrective actions by developing a Plan of Action and Milestones for the deficiencies or weaknesses that have not been immediately corrected and for implementing security control upgrades or additional controls when an event occurs that triggers the… (§ 3.4 ¶ 2 Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to help ensure the Plan of Action and Milestones is accurate, up to date, and readily available. (App F § CA-5(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. (CA-5(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. (CA-5(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. (PM-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. (CA-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Response actions to address results of the analysis of security-related information; and (CA-7g., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. (PM-11b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • All of the organization's deficiencies should be corrected if they are cost beneficial. A plan should be developed to correct these deficiencies in a timely manner and to track the status of the deficiencies. (Pg 22, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • All personnel of the organization should be encouraged to identify and report deficiencies up the chain of command. The upper-level managers should decide on the importance of the deficiencies. Management should track all corrective actions and the resolution of the deficiencies. Management should a… (§ IV.B, § V, App A § VI, OMB Circular A-123, Management's Responsibility for Internal Control)
  • § A.5.a: The organization shall correct all deficiencies that were identified during the independent security reviews for the general support systems and the major applications. § A.5.b: Deficiencies that are identified as less significant shall be reported and corrective action shall be tracked a… (§ A.5.a, § A.5.b, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., TX-RAMP Security Controls Baseline Level 1)
  • Updates existing plan of action and milestones [TX-RAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., TX-RAMP Security Controls Baseline Level 1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., TX-RAMP Security Controls Baseline Level 2)
  • Updates existing plan of action and milestones [TX-RAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., TX-RAMP Security Controls Baseline Level 2)