
CORRECTIVE ACTION PLAN (CAP)

AGENCY NAME:
SYSTEM NAME: (If applicable)
DATE:
Classification: Confidential per N.C.G.S. 132-6 (1c)

Column: CAP ID
  Description: Unique identifier for each CAP item.
  Format: Unique Identifier
  Example: V-1Example

Column: Controls
  Description: Name of the applicable 800-53 controls or ISO 27001 controls.
  Format: Control Number
  Example: AC-1

Column: Weakness Description
  Description: Description of the weakness and other information as it applies to the Statewide Information Security Manual.
  Format: Text
  Example: Unprovisioned port left open on example firewall

Column: Weakness Source Identifier
  Description: Vulnerability identifier (Plugin ID) as provided by the scanner (plugin ID/None).
  Format: Identifier
  Example: 12345
Column: Asset Identifier
  Description: Identifier specified in the inventory. This is a unique string associated with the asset; it could be just the IP, or any arbitrary naming scheme. This field should include the complete identifier (no shorthand), along with the port and protocol when provided by the scanner. Each asset should be separated by a new line (Alt+Enter).
  Format: Identifier (port/protocol)
  Example:
    172.246.15.3 (80/TCP)
    http://vuln.gov/queries
    172.246.16.17 (80/tcp)

Column: Point of Contact
  Description: Person responsible for implementing this task.
  Format: Text
  Example: John Doe - Example CSP

Column: Resources Required
  Description: Specify resources needed beyond current resources to mitigate the task.
  Format: Text

Column: Overall Remediation Plan
  Description: General overview of the remediation plan.
  Format: Text
  Example: Implement a technical solution to the problem.

Column: Original Detection Date
  Description: Date the weakness was first identified (aka Discovery Date).
  Format: Date
  Example: 5/5/2014
Column: Scheduled Completion Date (Permanent Column)
  Description: Date of intended completion.
  Format: Date
  Example: 8/3/2014

Column: Planned Milestones (Permanent Column)
  Description: List of proposed milestones, separated with a blank line (Alt+Enter). Any alterations should be made in "Milestone Changes". The milestone number should be unique to each milestone.
  Format: (##) xxxx-xx-xx: Milestone Description
  Example:
    (1) 2014/05/23: Milestone Description

    (2) 2014-06-12: Milestone Description

Column: Milestone Changes
  Description: Any alterations, status updates, or additions to the milestones, written as (Milestone Number) [Type of update] [milestone date] : how and why the date changed, or the milestone was altered. Create a new milestone number for new milestones.
  Format: (##) New/Update/Complete xxxx-xx-xx : Description of change
  Example:
    (2) Update 2014-06-18 : That milestone was delayed due to a Vendor Dependency

    (3) New 2014-06-13 : This is the details of this new milestone
Column: Status Date
  Description: Date the POA&M item was last changed or closed.
  Format: Date
  Example: 8/5/2014

Column: Vendor Dependency
  Description: Whether or not this item is vendor dependent.
  Format: Yes, No
  Example: Yes

Column: Last Vendor Check-in Date
  Description: Date of the last vendor check-in, if applicable.
  Format: Date
  Example: 8/5/2014

Column: Vendor Dependent Product Name
  Description: Name of the product that is dependent upon the vendor.
  Format: Product Name
  Example: Example Firewall

Column: Original Risk Rating
  Description: Provide the original risk rating from the scanner.
  Format: Low, Moderate, High
  Example: High

Column: Adjusted Risk Rating
  Description: Provide the adjusted risk rating as approved by the CIO.
  Format: Low, Moderate, High, N/A
  Example: Moderate

Column: Risk Adjustment
  Description: Whether there was a risk adjustment.
  Format: Yes, No, Pending
  Example: Yes
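A validator for the field formats defined above (asset identifiers, planned milestones, milestone changes, and the risk rating values), added here as an example; it is not part of the CAP template. The dictionary key names and the rule that a changed adjusted rating must be recorded as a Risk Adjustment are assumptions, and the sample row is constructed from the template's example values.

```python
import re

# Field syntax as the template states it: milestones "(##) xxxx-xx-xx: Description", changes
# "(##) New/Update/Complete xxxx-xx-xx : Description", assets "Identifier (port/protocol)".
MILESTONE_RE = re.compile(r"^\((\d+)\) (\d{4}-\d{2}-\d{2}): (.+)$")
CHANGE_RE = re.compile(r"^\((\d+)\) (New|Update|Complete) (\d{4}-\d{2}-\d{2}) : (.+)$")
ASSET_RE = re.compile(r"^\S+(?: \(\d{1,5}/(?:tcp|udp)\))?$", re.IGNORECASE)  # port part optional
RATINGS = {"Low", "Moderate", "High"}

def entries(cell):  # split a multi-line cell (Alt+Enter in the sheet) into non-empty lines
    return [line.strip() for line in cell.splitlines() if line.strip()]

def validate_cap_item(item):
    """Return a list of findings for one CAP row; an empty list means the row passes."""
    findings = []
    for asset in entries(item["asset_identifier"]):
        if not ASSET_RE.match(asset):
            findings.append(f"asset not in 'Identifier (port/protocol)' form: {asset!r}")
    numbers = set()  # milestone numbers must be unique within the row
    for line in entries(item["planned_milestones"]):
        m = MILESTONE_RE.match(line)
        if not m:
            findings.append(f"milestone not in '(##) xxxx-xx-xx: ...' form: {line!r}")
        elif m.group(1) in numbers:
            findings.append(f"milestone number {m.group(1)} is not unique")
        else:
            numbers.add(m.group(1))
    for line in entries(item["milestone_changes"]):
        c = CHANGE_RE.match(line)
        if not c:
            findings.append(f"milestone change not in template form: {line!r}")
        elif c.group(2) != "New" and c.group(1) not in numbers:
            findings.append(f"change refers to unknown milestone {c.group(1)}")
    if item["original_risk_rating"] not in RATINGS:
        findings.append(f"original risk rating not Low/Moderate/High: {item['original_risk_rating']!r}")
    if item["adjusted_risk_rating"] not in RATINGS | {"N/A"}:
        findings.append(f"adjusted risk rating not Low/Moderate/High/N/A: {item['adjusted_risk_rating']!r}")
    # Assumed consistency rule (not spelled out in the template): a rating the CIO changed
    # should be recorded as a Risk Adjustment, so "No" beside a changed rating is flagged.
    changed = item["adjusted_risk_rating"] not in ("N/A", item["original_risk_rating"])
    if changed and item["risk_adjustment"] == "No":
        findings.append("adjusted risk rating differs from original but Risk Adjustment is 'No'")
    return findings

# Constructed sample modelled on the template's example row (dictionary keys are assumed names).
SAMPLE_ITEM = {
    "asset_identifier": "172.246.15.3 (80/TCP)\nhttp://vuln.gov/queries\n172.246.16.17 (80/tcp)",
    "planned_milestones": "(1) 2014/05/23: Milestone Description\n\n(2) 2014-06-12: Milestone Description",
    "milestone_changes": "(2) Update 2014-06-18 : That milestone was delayed due to a Vendor Dependency\n\n"
                         "(3) New 2014-06-13 : This is the details of this new milestone",
    "original_risk_rating": "High", "adjusted_risk_rating": "Moderate", "risk_adjustment": "Yes",
}
```

Run against the sample row it reports one finding: the first milestone uses slashes in its date instead of the xxxx-xx-xx form the template prescribes.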
Column: False Positive
  Description: Whether this weakness should be considered a false positive.
  Format: Yes, No, Pending
  Example: No

Column: Operational Requirement
  Description: Whether this weakness should be considered an operational requirement.
  Format: Yes, No, Pending
  Example: Pending

Column: Deviation Rationale or compensating controls in place
  Description: Information about the deviation or any mitigating/compensating controls in place.
  Format: Deviation Type : Rationale
  Example:
    Risk Adjustment : The example firewall scanned is just preliminary
    Operational Requirement : The port is needed for service example.

Column: Supporting Documents
  Description: List any supporting documents that are associated with this item (e.g. Deviation Request, Evidence of Remediation, Evidence of Vendor Dependency, etc.).
  Format: Document Type : Document Name
  Example:
    Remediation Evidence : filename.doc
    Deviation Request : DR-123-Example-1.doc
Column: Comments
  Description: This column is for additional information not specified in another column.
  Format: Text
  Example: none