NetStable
Level 2 CA.L2-3.12.2

Develop and implement plans of action designed to correct deficiencies and reduce vulnerabilities

📖 What This Means

This practice requires organizations to create and execute Plans of Action and Milestones (POA&Ms) to address identified security weaknesses and reduce vulnerabilities. Essentially, when a security assessment or vulnerability scan reveals issues, you need a structured plan to fix them. This plan should outline what needs to be done, who is responsible, and when it will be completed. For example, if a server is found to have outdated software, the POA&M would detail the steps to update it, assign the task to the IT team, and set a deadline. This ensures that vulnerabilities are not just identified but actively resolved, maintaining a strong security posture.

🎯 Why It Matters

Failing to address vulnerabilities can lead to data breaches, system compromises, and regulatory penalties. For instance, the Equifax breach in 2017 was caused by an unpatched vulnerability, resulting in the exposure of 147 million records and costing the company over $1.4 billion. From the DoD/CMMC perspective, this control is critical because it ensures that defense contractors continuously improve their security measures, reducing the risk of sensitive defense information being compromised. It’s not just about finding problems but ensuring they are systematically fixed to protect Controlled Unclassified Information (CUI).

✅ How to Implement

  1. Identify vulnerabilities using cloud-native tools like AWS Inspector, Azure Security Center, or GCP Security Command Center.
  2. Create a POA&M document in your project management tool (e.g., Jira, Trello) or in a spreadsheet.
  3. Assign remediation tasks to specific team members with clear deadlines.
  4. Use cloud automation tools (e.g., AWS Systems Manager, Azure Automation) to apply patches or updates.
  5. Monitor progress through dashboards in your cloud provider’s security console.
  6. Conduct follow-up scans to verify issues are resolved.
  7. Document all actions in your POA&M and update your security policies as needed.
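
Worked example (added here, not NetStable's code): a small POA&M tracker that turns a scan export into prioritized items with a responsible party and an SLA-derived deadline, then closes an item only when a follow-up scan no longer reports it, which is the verification step in the procedure above. The scanner CSV layout, hostnames, and SLA day counts are constructed assumptions.

```python
# Added illustrative POA&M tracker, not a NetStable tool; scanner exports and SLA values are constructed.
import csv
from dataclasses import dataclass
from datetime import date, timedelta
from io import StringIO

INITIAL_SCAN = """host,plugin,severity
web01,OpenSSL outdated,critical
web01,TLS 1.0 enabled,medium
db01,Missing OS patches,high
"""
FOLLOWUP_SCAN = """host,plugin,severity
web01,TLS 1.0 enabled,medium
db01,Missing OS patches,high
"""
# Assumed remediation SLA in days from discovery, keyed by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
@dataclass
class PoamItem:
    host: str
    weakness: str
    severity: str
    owner: str        # responsible party
    discovered: date
    status: str = "open"

    @property
    def due(self) -> date:  # milestone date derived from the SLA
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

def parse_scan(text):
    """Map (host, weakness) -> severity from a scanner CSV export."""
    return {(r["host"], r["plugin"]): r["severity"]
            for r in csv.DictReader(StringIO(text))}

def build_poam(scan_text, owner, discovered):
    """Open one POA&M item per finding, ordered by risk (critical first)."""
    items = [PoamItem(h, w, s, owner, discovered)
             for (h, w), s in parse_scan(scan_text).items()]
    return sorted(items, key=lambda i: list(SLA_DAYS).index(i.severity))

def reconcile(poam, followup_text, today):
    """Close only items the rescan no longer reports; flag missed deadlines."""
    still_found = parse_scan(followup_text)
    for item in poam:
        if (item.host, item.weakness) not in still_found:
            item.status = "closed"
        elif today > item.due:
            item.status = "overdue"
    return poam
```

Items that the rescan still reports stay open (or become overdue) no matter what the ticket says, which is the evidence an assessor expects behind a "closed" POA&M entry.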

⏱️ Estimated Effort

Initial setup: 8-16 hours (Intermediate skill). Ongoing maintenance: 2-4 hours per month (Basic skill).

📋 Evidence Examples

POA&M Document

Format: Excel/PDF
Frequency: Update weekly or after each vulnerability scan.
Contents: List of vulnerabilities, remediation steps, responsible parties, deadlines, and status updates.
Collection: Export from vulnerability scanning tool or manually create using a template.

Vulnerability Scan Report

Format: PDF/CSV
Frequency: After each scan (monthly or quarterly).
Contents: Detailed findings from scans, including severity levels and affected systems.
Collection: Export from scanning tool.

Remediation Records

Format: Excel/PDF
Frequency: After each remediation task.
Contents: Proof of actions taken (e.g., patch logs, configuration change tickets).
Collection: Export from ticketing system or manually document.

Security Policy Update

Format: Word/PDF
Frequency: As needed, after major changes.
Contents: Revised policies reflecting changes made to address vulnerabilities.
Collection: Save updated policy documents.

Training Records

Format: Excel/PDF
Frequency: Annually or after new hires.
Contents: Evidence of staff training on vulnerability management and POA&M processes.
Collection: Maintain attendance sheets or training logs.

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CA.L2-3.12.2 ("Develop and implement plans of action designed to correct deficiencies and reduce vulnerabilities"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your security assessment program, SSP maintenance process, continuous monitoring capabilities, and penetration testing schedule. Reference specific tools and responsible parties. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CA.L2-3.12.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to develop and implement plans of action designed to correct deficiencies and reduc.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"CA.L2-3.12.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to develop and implement plans of action designed to correct deficiencies and reduc.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"CA.L2-3.12.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Define the assessment boundary (which systems are in scope)
  • Document assessment methodology and tools
  • Identify assessors (internal team, external firm)
  • Ensure this control covers all systems within your defined CUI boundary where "develop and implement plans of action designed to correct deficiencies and reduce vulnerabilities" applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Security Assessment Policy
  • 📄 System Security Plan (SSP)
  • 📄 Plan of Action & Milestones (POA&M)
  • 📄 Assessment reports
  • 📄 Evidence artifacts specific to CA.L2-3.12.2
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review your SSP for completeness, verify POA&M items are being tracked and remediated, and check that assessments are conducted at the required frequency.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Have you conducted a recent vulnerability scan?

✅ YES → Proceed to Q2
❌ NO → GAP: Conduct a scan using Nessus, Qualys, or OpenVAS within 2 weeks.
Remediation:
Schedule and complete a vulnerability scan.

Question 2: Have you documented identified vulnerabilities in a POA&M?

✅ YES → Proceed to Q3
❌ NO → GAP: Create a POA&M document using a template and include all findings.
Remediation:
Use a POA&M template to document vulnerabilities and remediation plans.

Question 3: Have you assigned remediation tasks to specific team members?

✅ YES → Proceed to Q4
❌ NO → GAP: Assign tasks with deadlines using a ticketing system or spreadsheet.
Remediation:
Assign and track remediation tasks.

Question 4: Have you verified that vulnerabilities have been mitigated?

✅ YES → Proceed to Q5
❌ NO → GAP: Rescan affected systems to confirm fixes.
Remediation:
Conduct follow-up scans and update POA&M.

Question 5: Is your POA&M updated and maintained for audits?

✅ YES → Compliant
❌ NO → GAP: Ensure POA&M is regularly updated and accessible for audit purposes.
Remediation:
Maintain POA&M records and update after each scan.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete POA&M documentation

Why this happens: Teams often focus on fixing issues but forget to document actions.
How to avoid: Use a standardized POA&M template and assign someone to maintain it.

2. Failure to prioritize vulnerabilities

Why this happens: Teams may try to fix all issues at once, leading to delays.
How to avoid: Use risk-based prioritization (critical, high, medium, low).

3. Lack of follow-up scans

Why this happens: Teams assume vulnerabilities are fixed without verification.
How to avoid: Conduct rescanning after remediation to confirm fixes.

4. Unassigned or unclear responsibilities

Why this happens: Tasks are not clearly assigned, leading to delays.
How to avoid: Use a ticketing system to assign tasks with deadlines.

5. Outdated security policies

Why this happens: Policies are not updated to reflect changes made.
How to avoid: Review and update policies after major remediation efforts.

📚 Parent Policy

This practice is governed by the Assessment, Authorization, and Monitoring Policy

View CA Policy →

📚 Related Controls