compliance controls are associated with this Policy definition 'Update POA&M items' (cc057769-01d9-95ad-a36f-1e62a7f9540b)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-5 | FedRAMP_High_R4_CA-5 | FedRAMP High CA-5 | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. | link | 2 |
| FedRAMP_Moderate_R4 | CA-5 | FedRAMP_Moderate_R4_CA-5 | FedRAMP Moderate CA-5 | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. | link | 2 |
| hipaa | 0601.06g1Organizational.124-06.g | hipaa-0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g | 06 Configuration Management | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | Annual compliance reviews are conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action is taken. | | 6 |
| hipaa | 0602.06g1Organizational.3-06.g | hipaa-0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g | 06 Configuration Management | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | The results and recommendations of the reviews are documented and approved by management. | | 10 |
| hipaa | 12102.09ab1Organizational.4-09.ab | hipaa-12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab | 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Shared | n/a | The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. | | 7 |
| hipaa | 1708.03c2Organizational.12-03.c | hipaa-1708.03c2Organizational.12-03.c | 1708.03c2Organizational.12-03.c | 17 Risk Management | 1708.03c2Organizational.12-03.c 03.01 Risk Management Program | Shared | n/a | A risk treatment plan that identifies risks and nonconformities, corrective actions, resources, responsibilities and priorities for managing information security risks is regularly reviewed and updated. | | 2 |
| ISO27001-2013 | C.10.1.d | ISO27001-2013_C.10.1.d | ISO 27001:2013 C.10.1.d | Improvement | Nonconformity and corrective action | Shared | n/a | When a nonconformity occurs, the organization shall: d) review the effectiveness of any corrective action taken. | link | 1 |
| ISO27001-2013 | C.10.1.e | ISO27001-2013_C.10.1.e | ISO 27001:2013 C.10.1.e | Improvement | Nonconformity and corrective action | Shared | n/a | When a nonconformity occurs, the organization shall: e) make changes to the information security management system, if necessary. | link | 1 |
| ISO27001-2013 | C.10.1.f | ISO27001-2013_C.10.1.f | ISO 27001:2013 C.10.1.f | Improvement | Nonconformity and corrective action | Shared | n/a | Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: f) the nature of the nonconformities and any subsequent actions taken. | link | 3 |
| ISO27001-2013 | C.10.1.g | ISO27001-2013_C.10.1.g | ISO 27001:2013 C.10.1.g | Improvement | Nonconformity and corrective action | Shared | n/a | Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: g) the results of any corrective action. | link | 3 |
| ISO27001-2013 | C.6.1.1.e.2 | ISO27001-2013_C.6.1.1.e.2 | ISO 27001:2013 C.6.1.1.e.2 | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to 2) evaluate the effectiveness of these actions. | link | 3 |
| ISO27001-2013 | C.8.1 | ISO27001-2013_C.8.1 | ISO 27001:2013 C.8.1 | Operation | Operational planning and control | Shared | n/a | The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled. | link | 21 |
| ISO27001-2013 | C.8.3 | ISO27001-2013_C.8.3 | ISO 27001:2013 C.8.3 | Operation | Information security risk treatment | Shared | n/a | The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment. | link | 4 |
| ISO27001-2013 | C.9.3.a | ISO27001-2013_C.9.3.a | ISO 27001:2013 C.9.3.a | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: a) the status of actions from previous management reviews; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 5 |
| ISO27001-2013 | C.9.3.b | ISO27001-2013_C.9.3.b | ISO 27001:2013 C.9.3.b | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: b) changes in external and internal issues that are relevant to the information security management system. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 4 |
| ISO27001-2013 | C.9.3.c.1 | ISO27001-2013_C.9.3.c.1 | ISO 27001:2013 C.9.3.c.1 | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: 1) nonconformities and corrective actions. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 6 |
| ISO27001-2013 | C.9.3.c.2 | ISO27001-2013_C.9.3.c.2 | ISO 27001:2013 C.9.3.c.2 | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: 2) monitoring and measurement results. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 4 |
| ISO27001-2013 | C.9.3.c.3 | ISO27001-2013_C.9.3.c.3 | ISO 27001:2013 C.9.3.c.3 | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: 3) audit results. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 4 |
| ISO27001-2013 | C.9.3.c.4 | ISO27001-2013_C.9.3.c.4 | ISO 27001:2013 C.9.3.c.4 | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: 4) fulfilment of information security objectives; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 4 |
| ISO27001-2013 | C.9.3.d | ISO27001-2013_C.9.3.d | ISO 27001:2013 C.9.3.d | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: d) feedback from interested parties; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 3 |
| ISO27001-2013 | C.9.3.e | ISO27001-2013_C.9.3.e | ISO 27001:2013 C.9.3.e | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: e) results of risk assessment and status of risk treatment plan; and The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 3 |
| ISO27001-2013 | C.9.3.f | ISO27001-2013_C.9.3.f | ISO 27001:2013 C.9.3.f | Performance Evaluation | Management review | Shared | n/a | Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: f) opportunities for continual improvement. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | link | 3 |
| NIST_SP_800-171_R2_3 | .12.2 | NIST_SP_800-171_R2_3.12.2 | NIST SP 800-171 R2 3.12.2 | Security Assessment | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action. | link | 4 |
| NIST_SP_800-53_R4 | CA-5 | NIST_SP_800-53_R4_CA-5 | NIST SP 800-53 Rev. 4 CA-5 | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. | link | 2 |
| NIST_SP_800-53_R5 | CA-5 | NIST_SP_800-53_R5_CA-5 | NIST SP 800-53 Rev. 5 CA-5 | Assessment, Authorization, and Monitoring | Plan of Action and Milestones | Shared | n/a | a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. | link | 2 |
| | op.pl.1 Risk analysis | op.pl.1 Risk analysis | 404 not found | | | | n/a | n/a | | 70 |
| PCI_DSS_v4.0 | 12.4.2.1 | PCI_DSS_v4.0_12.4.2.1 | PCI DSS v4.0 12.4.2.1 | Requirement 12: Support Information Security with Organizational Policies and Programs | PCI DSS compliance is managed | Shared | n/a | Reviews conducted in accordance with Requirement 12.4.2 are documented to include: • Results of the reviews. • Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2. • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. | link | 7 |