FISMA Corrective Action Plans
Post on 30-Dec-2015
Background
Components and Guidelines
Frequently Asked Questions
OVERVIEW
BACKGROUND
Corrective Action Plans (CAPs) are a requirement of FISMA.
CAPs make FISMA an ongoing process: they ensure that risks are corrected, not just identified.
They cover a period of time, not a point in time.
COMPONENTS
Include all risks where action has not been fully implemented.
Describe the action taken so far.
Describe the additional action to be taken.
State when the additional action will be implemented.
GUIDELINES
There is no required format.
The plan must be UPDATED every six months.
Last year's risks are not required to be included in the new action plan.
QUESTION #1
What are the consequences if our department does not complete these CAPs?
ANSWER #1
The same as not submitting a FISMA Report:
• The department will be posted to the non-compliers list
• A Finance representative may contact the department for follow-up
• Program Budget Managers may be notified
• BCPs may be declined
QUESTION #2
Where should I send my CAPs?
QUESTION #3
I'm unclear when the first CAP is supposed to be submitted.
ANSWER #3
FISMA Report dated 12/31/11.
1st CAP due 1/30/12 (30 days from REPORT DATE), ONLY IF it was not included with the report.
2nd CAP due 6/30/12 (6 months from REPORT DATE).
3rd CAP due 12/31/12.
[Timeline figure: Dec, Jan, Jun, Dec]
QUESTION #4
Is the CAP required to be posted to the Transparency website?
ANSWER #4
No. Only the FISMA Report is required to be posted.
QUESTION #5
If there are risks not fully mitigated/corrected by the end of the FISMA period, do they have to be included in the next FISMA report?
ANSWER #5
Only if management still considers them a risk. Prior risks should be considered in the subsequent risk assessment process.
QUESTION #6
Some of our corrective actions have an "ongoing" completion date. Even if all other corrective action is complete, do I have to continue submitting CAPs?
ANSWER #6
Likely not. Corrective action is established as an ongoing practice. Usually, when a corrective action indicates an "ongoing" completion date, the action has already been taken.
QUESTION #7
Part of our department's corrective action was contingent upon a Budget Change Proposal (BCP). What do we do if it has been denied?
ANSWER #7
BCPs are not considered corrective action for FISMA purposes. Government Code §13407 states that the provisions of FISMA should be carried out using existing resources; this includes the establishment and maintenance of internal controls.