Include the completion date in the corrective action plan.


CONTROL ID
13272
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a corrective action plan., CC ID: 00675

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • timeframe to remediate issues of different severity; and (§ 13.6.1(b), Technology Risk Management Guidelines, January 2021)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-4 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-2 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-3 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • A summary of the corrective action plans for material weaknesses that have not been fully mitigated at the time of reporting must be included in the Agency's AFR, PAR, or other management report. Also see Section VI for reporting on material weaknesses. The summary discussion must include a descript… (Section V (B) ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • provides a remediation timeline or confirmation that remediation has been completed. (§ 500.17 Notices to Superintendent (b)(1)(ii)(c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)