FISMA Corrective Action Plans
(PowerPoint presentation transcript)
OVERVIEW
Background
Components and Guidelines
Frequently Asked Questions
BACKGROUND
Corrective Action Plans (CAPs) are a requirement of FISMA.
CAPs make FISMA an ongoing process. This ensures risks are corrected, not just identified.
They cover a period of time, not a point in time.
COMPONENTS
Include all risks where action has not been fully implemented.
Describe the action taken so far.
Describe additional action to be taken.
State when additional action will be implemented.
GUIDELINES
There is no required format.
Plan must be UPDATED every six months.
Last year’s risks are not required to be included in the new action plan.
QUESTION #1
What are the consequences if our department does not complete these CAPs?
ANSWER #1
The same as not submitting a FISMA Report.
• Department will be posted to the non-compliers list
• Finance representative may contact the department for follow-up
• Program Budget Managers may be notified
• BCPs may be declined
QUESTION #2
Where should I send my CAPs?
QUESTION #3
I’m unclear when the first CAP is supposed to be submitted.
ANSWER #3
[Timeline figure from the slide; recoverable information:]
FISMA Report dated 12/31/11
1st CAP due 1/30/12 (30 days from REPORT DATE), ONLY IF it was not included with the report
2nd CAP due 6/30/12 (6 months from REPORT DATE)
3rd CAP due 12/31/12
QUESTION #4
Is the CAP required to be posted to the Transparency website?
ANSWER #4
No. Only the FISMA Report is required to be posted.
QUESTION #5
If there are risks not fully mitigated/corrected by the end of the FISMA period, do they have to be included in the next FISMA report?
ANSWER #5
Only if management still considers them a risk. Prior risks should be considered in the subsequent risk assessment process.
QUESTION #6
Some of our corrective actions have an “ongoing” completion date. Even if all other corrective action is complete, do I have to continue submitting CAPs?
ANSWER #6
Likely not. Corrective action is established as an ongoing activity. Usually, when a corrective action indicates an “ongoing” completion date, the action has already been taken.
QUESTION #7
Part of our department’s corrective action was contingent upon a Budget Change Proposal (BCP). What do we do if it has been denied?
ANSWER #7
BCPs are not considered corrective action for FISMA purposes. Government Code §13407 states the provisions of FISMA should be carried out using existing resources; this includes the establishment and maintenance of internal controls.