PM-4 Plan of Action and Milestones Process

Description

The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB.

With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization.

Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones.

Applicability

Texas Administrative Code, Chapter 202 [TAC 202] assigns responsibility for the protection of information resources to the President of the University.

For the purposes of this Control, the authority and responsibility regarding the university’s compliance with TAC 202 have been delegated by the President to the Chief Information Officer (CIO).

Implementation

TAMU-CC develops and updates a plan of action and milestones process for the information system that documents the organization’s planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls, in order to reduce or eliminate known vulnerabilities in the system:

  1. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
    1. Are developed and maintained;
    2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the nation; and
    3. Are reported in accordance with OMB FISMA reporting requirements.
  2. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019