
CA-5 Plan of Action and Milestones

Applicable baselines: LI-SaaS, Low, Moderate, High

>Control Description

a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

b. Update existing plan of action and milestones [organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

>FedRAMP Baseline Requirements

Parameter Values

b: at least monthly

Additional Requirements and Guidance

CA-5 Requirement: POA&Ms must be provided at least monthly.
CA-5 Guidance: Reference FedRAMP-POAM-Template.

>Discussion

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

>Cross-Framework Mappings

>Programmatic Queries


Related Services

AWS Security Hub
AWS Audit Manager
AWS Config

CLI Commands

List Security Hub findings by compliance status
aws securityhub get-findings --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}]}'
List active Audit Manager assessments
aws auditmanager list-assessments --status ACTIVE
Get non-compliant Config rules
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
Export findings for POA&M tracking
aws securityhub get-findings --filters '{"WorkflowStatus":[{"Value":"NEW","Comparison":"EQUALS"}]}' --max-items 100
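The export commands above only produce finding JSON; turning that into POA&M entries that are refreshed on the monthly cadence the FedRAMP parameter sets is still left to the organization. The following Python is an added example, not code from this page or from AWS. It reads a constructed sample in the JSON shape that `aws securityhub get-findings` prints, maps each finding whose compliance check FAILED to one POA&M row, and flags open rows whose finding has not been updated within 30 days. The POA&M column names, the mapping from Security Hub workflow status to a POA&M status, the 30-day window, the report date and every ARN, account id and title in the sample are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone


def sample_finding(num, title, severity, compliance, workflow, first_seen, updated, resource):
    """Build one constructed finding in AWS Security Finding Format (ASFF) shape.
    The account id, ARNs and titles are invented for this example."""
    return {
        "Id": f"arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/f-{num:04d}",
        "Title": title,
        "Description": f"Constructed description for finding f-{num:04d}.",
        "Severity": {"Label": severity},
        "Compliance": {"Status": compliance},
        "Workflow": {"Status": workflow},
        "FirstObservedAt": first_seen,
        "UpdatedAt": updated,
        "Resources": [{"Type": resource[0], "Id": resource[1]}],
    }


# Constructed stand-in for what `aws securityhub get-findings` prints (a JSON
# object with a "Findings" list); no AWS account is contacted.
SAMPLE_GET_FINDINGS_OUTPUT = json.dumps({"Findings": [
    sample_finding(1, "S3 buckets should have server-side encryption enabled", "HIGH",
                   "FAILED", "NEW", "2024-03-01T10:00:00.000Z", "2024-03-02T10:00:00.000Z",
                   ("AwsS3Bucket", "arn:aws:s3:::example-bucket-1")),
    sample_finding(2, "IAM root user access key should not exist", "MEDIUM",
                   "FAILED", "NOTIFIED", "2024-03-20T08:30:00.000Z", "2024-04-10T08:30:00.000Z",
                   ("AwsAccount", "AWS::::Account:111122223333")),
    sample_finding(3, "CloudTrail should be enabled", "LOW",
                   "PASSED", "RESOLVED", "2024-02-01T00:00:00.000Z", "2024-04-01T00:00:00.000Z",
                   ("AwsAccount", "AWS::::Account:111122223333")),
    sample_finding(4, "Security groups should not allow unrestricted SSH", "CRITICAL",
                   "FAILED", "SUPPRESSED", "2024-01-15T12:00:00.000Z", "2024-04-01T12:00:00.000Z",
                   ("AwsEc2SecurityGroup", "arn:aws:ec2:us-east-1:111122223333:security-group/sg-example")),
]})

# Constructed "as of" date for the monthly POA&M delivery being prepared.
REPORT_DATE = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Assumed mapping from the Security Hub workflow status to a POA&M status column.
WORKFLOW_TO_POAM_STATUS = {
    "NEW": "Open", "NOTIFIED": "Open", "RESOLVED": "Completed", "SUPPRESSED": "Risk Accepted",
}


def parse_timestamp(ts):
    """ASFF timestamps are ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def findings_to_poam_rows(get_findings_json):
    """Map each finding whose compliance check FAILED to one POA&M row.
    The column names follow common POA&M headings but are an assumption here."""
    rows = []
    for f in json.loads(get_findings_json)["Findings"]:
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue  # a passing check is not a weakness to track
        rows.append({
            "poam_id": f["Id"].rsplit("/", 1)[-1],
            "weakness_name": f["Title"],
            "weakness_description": f.get("Description", ""),
            "asset_identifier": ";".join(r["Id"] for r in f.get("Resources", [])),
            "severity": f["Severity"]["Label"],
            "detection_date": parse_timestamp(f["FirstObservedAt"]).date().isoformat(),
            "last_updated": parse_timestamp(f["UpdatedAt"]),
            "status": WORKFLOW_TO_POAM_STATUS.get(f["Workflow"]["Status"], "Open"),
        })
    return rows


def open_rows(rows):
    """POA&M rows still awaiting remediation."""
    return [r for r in rows if r["status"] == "Open"]


def stale_rows(rows, as_of=REPORT_DATE, max_age_days=30):
    """Open rows whose finding has not been updated within the monthly cadence
    the FedRAMP parameter sets; these need a fresh milestone or status before delivery."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r["poam_id"] for r in open_rows(rows) if r["last_updated"] < cutoff]


def poam_summary(get_findings_json, as_of=REPORT_DATE):
    """Counts a reviewer would want before signing off the monthly POA&M."""
    rows = findings_to_poam_rows(get_findings_json)
    return {
        "weaknesses": len(rows),
        "open": len(open_rows(rows)),
        "stale_open_ids": stale_rows(rows, as_of),
    }


if __name__ == "__main__":
    for row in findings_to_poam_rows(SAMPLE_GET_FINDINGS_OUTPUT):
        print(f'{row["poam_id"]:7} {row["severity"]:9} {row["status"]:14} '
              f'{row["detection_date"]} {row["weakness_name"]}')
    print(poam_summary(SAMPLE_GET_FINDINGS_OUTPUT))
```

To run it against real output, pipe `aws securityhub get-findings --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}]}'` into the script in place of the constructed sample; suppressed findings are kept in the table as risk-accepted items rather than dropped, so the POA&M still records them.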

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CA-5 (Plan of Action and Milestones)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CA-5?
  • How frequently is the CA-5 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CA-5?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CA-5 requirements.
  • What automated tools, systems, or technologies are deployed to implement CA-5?
  • How is CA-5 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CA-5 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CA-5?
  • What audit logs, records, reports, or monitoring data validate CA-5 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CA-5 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CA-5 compliance?
