CMMC Practice CA.2.159: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
When you write a plan of action, you should define the clear goal or objective of the plan. You may include the following in the action plan:
- ownership of who is accountable for ensuring the plan’s performance;
- specific steps or milestones that are clear and actionable;
- assigned responsibility for each step or milestone;
- milestones to measure plan progress; and
- completion dates.
Note that receiving Cybersecurity Maturity Model Certification requires all practices and processes to be implemented at the time of assessment. Any security requirements that were part of a plan of action must be closed/met in order to be granted the CMMC assessment.