NIST 800-171 Control 3.12.2: Develop and Implement Plans of Action
Control 3.12.2 requires organizations to create formal plans of action (POA&M) that address identified security deficiencies and vulnerabilities. This control bridges the gap between vulnerability identification and remediation, ensuring systematic risk reduction across your systems. For compliance professionals, a mature POA&M process demonstrates accountability and continuous improvement to auditors.
What this means
Organizations must develop documented, actionable plans designed to correct identified security deficiencies and systematically reduce or eliminate vulnerabilities in systems that process controlled unclassified information (CUI). These plans must include specific remediation steps, responsible parties, target completion dates, and resource requirements. The control emphasizes not just planning but active implementation and tracking of corrective actions until deficiencies are resolved.
How to comply
- 1.Establish a formal process for identifying and documenting security deficiencies through assessments, audits, and vulnerability scans
- 2.Create a Plan of Action & Milestones (POA&M) template that includes: description of deficiency, remediation approach, responsible party, start/end dates, and resource requirements
- 3.Prioritize deficiencies by risk level, considering impact and likelihood of exploitation
- 4.Assign accountability for each corrective action with clear ownership and decision authority
- 5.Define measurable milestones and completion criteria for each remediation step
- 6.Track implementation progress through regular status updates and management review
- 7.Close deficiencies only when evidence confirms the vulnerability has been eliminated or mitigated to acceptable risk levels
- 8.Maintain historical records of all POA&M entries, changes, and closure documentation
Evidence auditors look for
- Documented Plan of Action & Milestones (POA&M) with current and historical entries
- Vulnerability assessment reports linked to POA&M deficiency descriptions
- Evidence of remediation activities (patches applied, configuration changes, compensating controls implemented)
- Closure documentation with verification that deficiencies have been resolved
- Management review records showing oversight of POA&M progress and status updates
- Risk assessments justifying postponed or alternate remediation approaches
- Roles and responsibilities documentation for POA&M ownership and oversight
- System access logs or change records confirming implementation of corrective actions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates POA&M creation and tracking by linking vulnerability scan data directly to remediation workflows, eliminating manual spreadsheet management and ensuring no deficiency falls through the cracks.
See how GRCWatch handles this control automatically
Start free trial