CA.L2-3.12.2: Plan of Action — CMMC Level 2 Control
Plans of action are your roadmap to fixing security deficiencies before they become breaches. This CMMC Level 2 control requires organizations to document, prioritize, and execute corrective actions that eliminate vulnerabilities in information systems. Without a structured remediation process, identified weaknesses linger and compound risk.
What this means
CA.L2-3.12.2 requires you to create and execute formal plans of action that address deficiencies discovered during assessments, audits, or vulnerability scans. These plans must include specific corrective measures, resource allocation, responsibility assignments, and realistic completion timelines. The control ensures that security gaps don't remain open indefinitely and that remediation efforts are tracked, documented, and completed.
How to comply
- 1.Establish a formal process for identifying deficiencies through assessments, scans, audits, and incident reviews
- 2.Document each deficiency with clear description, severity level, and business impact assessment
- 3.Develop corrective action plans that specify remediation steps, responsible parties, and target completion dates
- 4.Prioritize actions based on risk level, with critical vulnerabilities addressed first
- 5.Allocate resources (budget, personnel, tools) needed to execute each planned action
- 6.Assign ownership and accountability for each corrective measure
- 7.Track progress against timelines with regular status updates and milestone documentation
- 8.Verify completion of corrective actions and validate that vulnerabilities have been eliminated
- 9.Close out actions only after evidence confirms remediation and re-testing confirms effectiveness
- 10.Maintain records of all plans of action and completion evidence for audit purposes
Evidence auditors look for
- Written plan of action templates with standard fields (deficiency, corrective action, owner, due date, status)
- Deficiency log or register tracking all identified vulnerabilities and their remediation status
- Risk assessment documentation showing how deficiencies were prioritized
- Resource allocation records and budget approvals for corrective actions
- Meeting minutes or status reports showing progress tracking and stakeholder oversight
- Completion records with evidence of corrective action implementation (change logs, certificates, test results)
- Follow-up verification reports confirming that corrective actions eliminated the underlying vulnerability
- Signed-off closure documentation on completed plans of action
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates deficiency tracking and plan of action lifecycle management, so your team can assign owners, set milestones, track progress, and generate audit-ready completion evidence—all in one platform.
See how GRCWatch handles this control automatically
Start free trial