CA.L2-3.12.2: Plan of Action

Develop and implement plans of action to correct deficiencies.

Finding a problem is step one. Fixing it requires a plan. CA.L2-3.12.2 requires you to document remediation plans for every security deficiency and then follow through on them. The assessor will verify both the plans and their execution. Remediation plans stem from CA.L2-3.12.1 (assessments) and complement CA.L2-3.12.3 (continuous monitoring).

Family: Security Assessment
Practice: CA.L2-3.12.2
Difficulty: Medium
Key evidence: Findings, remediation plans, completion records

What the assessor is actually evaluating

The assessor will examine:

  1. Deficiency identification: Findings can come from vulnerability scans, security assessments, audit reports, or incident investigations. The assessor will ask where your deficiencies come from and how they are documented.

  2. Documented remediation plans: For each deficiency, there must be a written plan that describes the corrective action, responsible party, and target completion date. The plan does not need to be lengthy, but it must exist.

  3. Plan execution and closure: The assessor will verify that plans are actually executed. This means checking that the remediation was completed by the target date (or with documented justification for delays) and that the deficiency was verified as closed.

What a realistic SSP definition looks like

Example SSP Language: CA.L2-3.12.2

When security assessments, audits, or incidents identify deficiencies, the IT manager documents the finding and creates a remediation plan. The plan specifies the corrective action, target completion date, and responsible party. Plans are tracked in a central system until closure. High-severity deficiencies are remediated within 30 days, medium-severity within 90 days, and low-severity within 180 days.

Tracking system: Jira project called "Security Deficiencies" with fields for finding source, severity, remediation plan, due date, and closure evidence.
Plan approval: The IT manager and CISO review and approve plans for high-severity findings.
Escalation: If a plan cannot be completed by the due date, the issue is escalated to leadership with justification.
Verification: Once remediation is complete, a team member other than the remediator verifies closure.

How to present your evidence

Evidence checklist
  • Deficiency policy document (identification process, plan creation, approval requirements)
  • Sample deficiencies with plans from tracking system (finding, plan, target date, closure date)
  • Remediation plan details for at least 3 deficiencies (ticket descriptions, change logs, or configuration screenshots)
  • Verification evidence (re-scan, test result, or team member sign-off)
  • Timeline compliance records showing on-time execution or documented delay justification

Common failures

What gets flagged

Verbal remediation plans. Deficiencies are discussed in meetings, but no written plan is created. When the assessor asks to see the plan, you cannot produce one.

Plans with no accountability. A plan says "fix the vulnerability" but does not assign a specific person, department, or due date. Without clear ownership and timelines, nothing gets done.

Execution without verification. Remediation was supposedly completed, but there is no evidence it actually worked. A re-scan, test result, or sign-off is needed to close the loop.

Overdue remediation plans. Plans are documented, but many are overdue. A high-severity finding from 90 days ago should have been fixed 60 days ago.

What makes assessors move on satisfied

Clear remediation tracking: a spreadsheet or system showing every deficiency found in the past year, with plans, due dates, and closure evidence. All items are on-time or have justified delays. Each plan has a named owner, clear actions, and a specific due date.
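As an added example that is not part of this guide or of any CMMC material, the following Python script models the tracking fields and severity windows from the SSP language above and runs the checks from "What gets flagged" (no written plan, no owner or due date, overdue without justification, closure without verification, verifier same as remediator) over a few constructed tickets. Ticket ids, names and dates are invented, and the field names are assumptions about how a tracking system might be exported.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows from the SSP language above, in days per severity.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}


@dataclass
class Deficiency:
    """One row of the tracking system (hypothetical field names)."""
    ticket: str
    source: str                      # scan, assessment, audit, incident
    severity: str                    # high / medium / low
    found: date
    plan: str = ""                   # written corrective action
    owner: Optional[str] = None      # responsible party
    due: Optional[date] = None       # target completion date
    closed: Optional[date] = None
    remediator: Optional[str] = None
    verifier: Optional[str] = None   # must differ from remediator
    verification: str = ""           # re-scan, test result, sign-off
    delay_justification: str = ""    # required when open or closed past due


def sla_due_date(d: Deficiency) -> date:
    """Latest acceptable completion date under the severity SLA."""
    return d.found + timedelta(days=SLA_DAYS[d.severity])


def review(d: Deficiency, today: date) -> List[str]:
    """Return the points an assessor would raise for one deficiency."""
    if d.severity not in SLA_DAYS:
        return [f"unknown severity '{d.severity}'"]
    flags: List[str] = []
    if not d.plan.strip():
        flags.append("no written plan")
    if not d.owner:
        flags.append("no named owner")
    if d.due is None:
        flags.append("no due date")
    elif d.due > sla_due_date(d):
        flags.append(f"due date exceeds {SLA_DAYS[d.severity]}-day SLA")
    if d.closed is None:
        # Open item: past due with no escalation/justification record.
        if d.due is not None and today > d.due and not d.delay_justification:
            flags.append(f"overdue by {(today - d.due).days} days without justification")
    else:
        # Closed item: must be verified by someone else, on time or justified.
        if not d.verification.strip():
            flags.append("closed without verification evidence")
        if d.verifier is None:
            flags.append("no verifier recorded")
        elif d.verifier == d.remediator:
            flags.append("verified by the remediator")
        if d.due is not None and d.closed > d.due and not d.delay_justification:
            flags.append("late closure without documented justification")
    return flags


def poam_report(items: List[Deficiency], today: date) -> Dict[str, List[str]]:
    """Map each ticket id to its list of flags (empty list = clean)."""
    return {d.ticket: review(d, today) for d in items}


# Constructed sample tickets; every value below is invented.
TODAY = date(2024, 4, 1)
SAMPLE = [
    # Closed three days late, but delay documented and verified by another person.
    Deficiency("SEC-101", "scan", "high", date(2024, 1, 5),
               plan="Apply vendor patch to file server", owner="alice",
               due=date(2024, 1, 15), closed=date(2024, 1, 18),
               remediator="alice", verifier="bob", verification="re-scan clean",
               delay_justification="restart scheduled after hours on the 17th"),
    # Plan text exists but nobody owns it and there is no date.
    Deficiency("SEC-102", "assessment", "medium", date(2024, 3, 1),
               plan="fix the vulnerability"),
    # High finding from 90 days ago, still open, 60 days past its 30-day window.
    Deficiency("SEC-103", "audit", "high", date(2024, 1, 2),
               plan="Disable legacy protocol on VPN", owner="dave",
               due=date(2024, 2, 1)),
    # Closed and verified, but the remediator signed off on their own work.
    Deficiency("SEC-104", "incident", "low", date(2024, 2, 1),
               plan="Rotate service account credential", owner="carol",
               due=date(2024, 6, 1), closed=date(2024, 3, 15),
               remediator="carol", verifier="carol", verification="test result"),
]

if __name__ == "__main__":
    for ticket, flags in poam_report(SAMPLE, TODAY).items():
        print(ticket, "OK" if not flags else "; ".join(flags))
```

Running the script prints one line per ticket; an empty flag list is what you want to be able to show for every item in the past year, and a non-empty one is the justification or escalation record you should have on file before the assessor asks.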

If you use an MSP/MSSP

MSP remediation tracking

If your MSP remediates deficiencies on your behalf, request weekly or monthly status reports on all open remediation plans. Ensure the service agreement includes timelines that align with your severity levels. You are accountable to assessors for plan execution, even if the work is outsourced. Maintain copies of all plans and closure evidence in your own systems.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks

Assessor: "When you find a security deficiency, what is your process for fixing it?"
"We document the finding, create a remediation plan with a target date based on severity, and track progress in Jira. [Pull up remediation policy and a sample Jira project] Here's our policy and a sample project."
Assessor: "Show me three deficiencies from the past six months with their remediation plans."
"Here are three from this quarter. [Pull up three Jira tickets] Each one shows the finding date, plan description, assigned owner, due date, and closure with verification."
Assessor: "This one was due on January 15th but closed on January 18th. What caused the delay?"
"The patch required a server restart, which was scheduled for after hours on the 17th. Verification was completed the next morning. [Pull up the plan notes showing the delay was documented]"

This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.
