
CORRECTIVE ACTION PLAN (CAP)

AGENCY NAME:
SYSTEM NAME: (If applicable)
DATE:
Classification: Confidential per N.C.G.S. 132-6 (1c)

CAP ID
Guidance: Unique identifier for each CAP Item
Format: Unique Identifier
Example: V-1Example

Controls
Guidance: Name of the applicable 800-53 Controls or ISO 27001
Format: Control Number
Example: AC-1

Weakness Description
Guidance: Description of the weakness and other information as it applies to the Statewide Information Security Manual
Format: Text
Example: Unprovisioned port left open on example firewall

Weakness Source Identifier
Guidance: Vulnerability identifier (Plugin ID) as provided by scanner (plugin ID/None)
Format: Identifier
Example: 12345

Asset Identifier
Guidance: Identifier specified in the inventory. This is a unique string associated with the asset; it could just be the IP, or any arbitrary naming scheme. This field should include the complete identifier (no shorthand), along with the port and protocol when provided by the scanner. Each asset should be separated by a new line (Alt+Enter).
Format: Identifier (port/protocol)
Example:
172.246.15.3 (80/TCP)
http://vuln.gov/queries
172.246.16.17 (80/tcp)

Point of Contact
Guidance: Person responsible for implementing this task
Format: Text

Resources Required
Guidance: Specify resources needed beyond current resources to mitigate task.
Format: Text

Example (Point of Contact, Resources Required): John Doe - Example CSP

Overall Remediation Plan
Guidance: General overview of the remediation plan
Format: Text
Example: Implement a technical solution to the problem.

Original Detection Date
Guidance: Date the weakness was first identified (aka Discovery Date)
Format: Date
Example: 05/05/2014

Scheduled Completion Date
Guidance: Permanent Column. Date of intended completion
Format: Date
Example: 03/08/2014

Planned Milestones
Guidance: Permanent Column. List of proposed Milestones, separated with a blank line (Alt+Enter). Any alterations should be made in "Milestone Changes". Milestone Number should be unique to each milestone.
Format: (##) xxxx-xx-xx: Milestone Description
Example:
(1) 2014/05/23: Milestone Description

(2) 2014-06-12: Milestone Description

Milestone Changes
Guidance: Any alterations, status updates, or additions to the milestones. (Milestone Number) [Type of update] [milestone date] : How and why the date changed, or the milestone was altered. Create a new Milestone Number for new Milestones.
Format: (##) New/Update/Complete xxxx-xx-xx : Description of change
Example:
(2) Update 2014-06-18 : That milestone was delayed due to a Vendor Dependency

(3) New 2014-06-13 : This is the details of this new milestone

Status Date
Guidance: Date POA&M item was last changed or closed
Format: Date
Example: 05/08/2014

Vendor Dependency
Guidance: Whether or not this item is vendor dependent.
Format: Yes, No
Example: Yes

Last Vendor Check-in Date
Guidance: Date of last vendor check-in, if applicable
Format: Date
Example: 05/08/2014

Vendor Dependent Product Name
Guidance: Name of the product that is dependent upon the vendor.
Format: Product Name
Example: Example Firewall

Original Risk Rating
Guidance: Provide the Original Risk Rating from the scanner
Format: Low, Moderate, High
Example: High

Adjusted Risk Rating
Guidance: Provide the Adjusted Risk Rating as approved by the CIO
Format: Low, Moderate, High, N/A
Example: Moderate

Risk Adjustment
Guidance: Whether there was a Risk Adjustment
Format: Yes, No, Pending
Example: Yes

False Positive
Guidance: Whether this weakness should be considered a False Positive
Format: Yes, No, Pending
Example: No

Operational Requirement
Guidance: Whether this weakness should be considered an Operational Requirement
Format: Yes, No, Pending
Example: Pending

Deviation Rationale or compensating controls in place
Guidance: Information about the Deviation or any mitigating/compensating controls in place
Format: Deviation Type : Rationale
Example:
Risk Adjustment : The example firewall scanned is just preliminary

Operational Requirement: The port is needed for service example.

Supporting Documents
Guidance: List any supporting documents that are associated with this item (e.g. Deviation Request, Evidence of Remediation, Evidence of Vendor Dependency, etc)
Format: Document Type : Document Name
Example:
Remediation Evidence : filename.doc
Deviation Request : DR-123-Example-1.doc

Comments
Guidance: This column is for additional information, not specified in another column
Format: Text
Example: none
