The following compliance controls are associated with this Policy definition 'Develop POA&M' (477bd136-7dd9-55f8-48ac-bae096b86a07).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-5 | FedRAMP_High_R4_CA-5 | FedRAMP High CA-5 | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. | link | 2 |
| FedRAMP_Moderate_R4 | CA-5 | FedRAMP_Moderate_R4_CA-5 | FedRAMP Moderate CA-5 | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. | link | 2 |
| hipaa | 0179.05h1Organizational.4-05.h | hipaa-0179.05h1Organizational.4-05.h | 0179.05h1Organizational.4-05.h | 01 Information Protection Program | 0179.05h1Organizational.4-05.h 05.01 Internal Organization | Shared | n/a | If an independent review identifies that the organization's approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated in the information security policy document, management takes corrective actions. | | 3 |
| hipaa | 0601.06g1Organizational.124-06.g | hipaa-0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g | 06 Configuration Management | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | Annual compliance reviews are conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action is taken. | | 6 |
| hipaa | 0602.06g1Organizational.3-06.g | hipaa-0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g | 06 Configuration Management | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | The results and recommendations of the reviews are documented and approved by management. | | 10 |
| hipaa | 12102.09ab1Organizational.4-09.ab | hipaa-12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab | 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Shared | n/a | The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. | | 7 |
| hipaa | 1707.03c1Organizational.12-03.c | hipaa-1707.03c1Organizational.12-03.c | 1707.03c1Organizational.12-03.c | 17 Risk Management | 1707.03c1Organizational.12-03.c 03.01 Risk Management Program | Shared | n/a | The organization uses a formal methodology with defined criteria for determining risk treatments and ensuring that corrective action plans for the security program and the associated organizational information systems are prioritized and maintained; and the remedial information security actions necessary to mitigate risk to organizational operations and assets, individuals, and other organizations are documented. | | 1 |
| hipaa | 1708.03c2Organizational.12-03.c | hipaa-1708.03c2Organizational.12-03.c | 1708.03c2Organizational.12-03.c | 17 Risk Management | 1708.03c2Organizational.12-03.c 03.01 Risk Management Program | Shared | n/a | A risk treatment plan that identifies risks and nonconformities, corrective actions, resources, responsibilities and priorities for managing information security risks is regularly reviewed and updated. | | 2 |
| ISO27001-2013 | C.6.1.1.a | ISO27001-2013_C.6.1.1.a | ISO 27001:2013 C.6.1.1.a | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s). | link | 3 |
| ISO27001-2013 | C.6.1.1.b | ISO27001-2013_C.6.1.1.b | ISO 27001:2013 C.6.1.1.b | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: b) prevent, or reduce, undesired effects. | link | 3 |
| ISO27001-2013 | C.6.1.1.c | ISO27001-2013_C.6.1.1.c | ISO 27001:2013 C.6.1.1.c | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: c) achieve continual improvement. | link | 3 |
| ISO27001-2013 | C.6.1.1.d | ISO27001-2013_C.6.1.1.d | ISO 27001:2013 C.6.1.1.d | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: d) actions to address these risks and opportunities. | link | 3 |
| ISO27001-2013 | C.6.1.1.e.1 | ISO27001-2013_C.6.1.1.e.1 | ISO 27001:2013 C.6.1.1.e.1 | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to 1) integrate and implement the actions into its information security management system processes. | link | 3 |
| ISO27001-2013 | C.6.1.3.a | ISO27001-2013_C.6.1.3.a | ISO 27001:2013 C.6.1.3.a | Planning | Information security risk treatment | Shared | n/a | The organization shall define and apply an information security risk treatment process to: a) select appropriate information security risk treatment options, taking account of the risk assessment results; NOTE Organizations can design controls as required, or identify them from any source. NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. The organization shall retain documented information about the information security risk treatment process. | link | 1 |
| ISO27001-2013 | C.6.1.3.b | ISO27001-2013_C.6.1.3.b | ISO 27001:2013 C.6.1.3.b | Planning | Information security risk treatment | Shared | n/a | The organization shall define and apply an information security risk treatment process to: b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen; NOTE Organizations can design controls as required, or identify them from any source. NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. The organization shall retain documented information about the information security risk treatment process. | link | 1 |
| ISO27001-2013 | C.6.1.3.c | ISO27001-2013_C.6.1.3.c | ISO 27001:2013 C.6.1.3.c | Planning | Information security risk treatment | Shared | n/a | The organization shall define and apply an information security risk treatment process to: c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted; NOTE Organizations can design controls as required, or identify them from any source. NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. The organization shall retain documented information about the information security risk treatment process. | link | 1 |
| ISO27001-2013 | C.6.1.3.e | ISO27001-2013_C.6.1.3.e | ISO 27001:2013 C.6.1.3.e | Planning | Information security risk treatment | Shared | n/a | The organization shall define and apply an information security risk treatment process to: e) formulate an information security risk treatment plan; and NOTE Organizations can design controls as required, or identify them from any source. NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. The organization shall retain documented information about the information security risk treatment process. | link | 1 |
| ISO27001-2013 | C.6.1.3.f | ISO27001-2013_C.6.1.3.f | ISO 27001:2013 C.6.1.3.f | Planning | Information security risk treatment | Shared | n/a | The organization shall define and apply an information security risk treatment process to: f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. NOTE Organizations can design controls as required, or identify them from any source. NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. The organization shall retain documented information about the information security risk treatment process. | link | 1 |
| ISO27001-2013 | C.8.1 | ISO27001-2013_C.8.1 | ISO 27001:2013 C.8.1 | Operation | Operational planning and control | Shared | n/a | The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled. | link | 21 |
| ISO27001-2013 | C.8.3 | ISO27001-2013_C.8.3 | ISO 27001:2013 C.8.3 | Operation | Information security risk treatment | Shared | n/a | The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment. | link | 4 |
| ISO27001-2013 | C.9.3.a | ISO27001-2013_C.9.3.a | ISO 27001:2013 C.9.3.a | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: a) the status of actions from previous management reviews; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 5 |
| ISO27001-2013 | C.9.3.b | ISO27001-2013_C.9.3.b | ISO 27001:2013 C.9.3.b | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: b) changes in external and internal issues that are relevant to the information security management system. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 4 |
| ISO27001-2013 | C.9.3.c.1 | ISO27001-2013_C.9.3.c.1 | ISO 27001:2013 C.9.3.c.1 | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: 1) nonconformities and corrective actions. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 6 |
| ISO27001-2013 | C.9.3.c.2 | ISO27001-2013_C.9.3.c.2 | ISO 27001:2013 C.9.3.c.2 | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: 2) monitoring and measurement results. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 4 |
| NIST_SP_800-171_R2 | 3.12.2 | NIST_SP_800-171_R2_3.12.2 | NIST SP 800-171 R2 3.12.2 | Security Assessment | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action. | link | 4 |
| NIST_SP_800-53_R4 | CA-5 | NIST_SP_800-53_R4_CA-5 | NIST SP 800-53 Rev. 4 CA-5 | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. | link | 2 |
| NIST_SP_800-53_R5 | CA-5 | NIST_SP_800-53_R5_CA-5 | NIST SP 800-53 Rev. 5 CA-5 | Assessment, Authorization, and Monitoring | Plan of Action and Milestones | Shared | n/a | a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. | link | 2 |
| | op.pl.1 Risk analysis | op.pl.1 Risk analysis | | | | | n/a | n/a | | 70 |
| PCI_DSS_v4.0 | 12.4.2.1 | PCI_DSS_v4.0_12.4.2.1 | PCI DSS v4.0 12.4.2.1 | Requirement 12: Support Information Security with Organizational Policies and Programs | PCI DSS compliance is managed | Shared | n/a | Reviews conducted in accordance with Requirement 12.4.2 are documented to include: • Results of the reviews. • Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2. • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. | link | 7 |