Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: CA

Level Introduced: 2

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

CMMC Clarification:
When you write a plan of action, you should define the clear goal or objective of the plan. You may include the following in the action plan:
• ownership of who is accountable for ensuring the plan’s performance;
• specific steps or milestones that are clear and actionable;
• assigned responsibility for each step or milestone;
• milestones to measure plan progress; and
• completion dates.
Note that receiving Cybersecurity Maturity Model Certification requires all practices and processes to be implemented at the time of assessment. Any security requirements that were part of a plan of action must be closed/met in order to be granted the CMMC assessment.

Example 1
You are in charge of IT operations in your organization. Your job is to develop action plans when you discover that your company isn’t meeting security requirements. One of your sources of information is the output of vulnerability scans on your network. When you receive notification of a vulnerability that needs fixing, you develop a plan to fix it. Your plan identifies the person responsible for fixing it, how to do it, and when to do it. You will also define how to measure that the person responsible has fixed the vulnerability. You document this in a plan of action.

Example 2
A company that is CMMC L1 compliant seeks L3 compliance. The IT department tracks the implementation of the additional security requirements needed for L3 in an action plan and realizes that it will be more than 6 months before CMMC L3 requirements can be met. Company officials refer to the action plan that indicates that CMMC L2 requirements are currently met and decide to pursue CMMC L2 compliance instead of L3 and seek L3 certification next year.


Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.

Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action.

Source: NIST Special Publication 800-171 Rev. 2



The organization:
    a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
    b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

Supplemental Guidance:
Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02