CA.L2-3.12.2 — Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
What this control requires
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Source: CMMC L2 v2.13 CA.L2-3.12.2 / NIST SP 800-171 R2 3.12.2 (official control text).
Why this matters
Every organization has security gaps: misconfigurations, missing patches, policy violations, or unaddressed vulnerabilities found by scans, assessments, or incidents. Without a formal Plan of Action and Milestones (POA&M), these deficiencies linger indefinitely and become persistent, unowned risk. This control requires that every identified weakness is recorded, assigned an owner, given milestones and a scheduled completion date, tracked to a status, and actually remediated. A POA&M entry that is missing an owner or a target date, or whose target date has passed without closure, is the typical assessment finding against this control. Note that under the CMMC program rule, a Level 2 POA&M is permitted only for a limited set of requirements and must be closed out within 180 days of the assessment, so the POA&M is a remediation tracker with a deadline, not a permanent exception list. Managed this way, POA&Ms turn reactive firefighting into disciplined risk reduction and show auditors and partners that the organization manages its security debt rather than hoping gaps go unnoticed.
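The checks described above are easy to automate against the POA&M itself. The script below is an added example, not code from this page or from FORCE: it parses a POA&M CSV export and flags entries with no owner, no target date, or an open status past the scheduled completion date. The column names and the sample rows are assumptions chosen to resemble the usual POA&M fields (weakness, responsible party, scheduled completion, status), not a real export format.

```python
"""Audit a POA&M CSV export for unowned, undated, or overdue entries.

Added example. The column set below is an assumption modelled on the usual
POA&M fields; adapt the names to whatever your export actually produces.
"""
import csv
import io
from datetime import date

# Constructed sample export for demonstration only; these are not real findings.
SAMPLE_CSV = """id,control,weakness,owner,scheduled_completion,status
POAM-1,SI.L2-3.14.1,Missing OS patches on file server,alice,2024-03-01,open
POAM-2,AC.L2-3.1.1,Stale local admin accounts,,2024-06-30,open
POAM-3,CM.L2-3.4.1,No configuration baseline for jump host,bob,2024-05-15,closed
POAM-4,IA.L2-3.5.3,MFA not enforced on VPN,carol,not set,open
"""


def parse_poam(text):
    """Return the export as a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_iso_date(value):
    """Parse YYYY-MM-DD; return None for blank or malformed dates."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def audit_poam(rows, today):
    """Return [(id, [issue, ...])] for every entry that fails a check.

    Checks: owner present, scheduled completion date present and parseable,
    and any entry not marked closed is not past its scheduled completion.
    Closed entries with a past date are fine: that is the expected end state.
    """
    findings = []
    for row in rows:
        issues = []
        if not row["owner"].strip():
            issues.append("no owner")
        due = parse_iso_date(row["scheduled_completion"])
        if due is None:
            issues.append("no target date")
        elif row["status"].strip().lower() != "closed" and due < today:
            issues.append(f"overdue ({(today - due).days} days past target)")
        if issues:
            findings.append((row["id"], issues))
    return findings


if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible.
    for poam_id, issues in audit_poam(parse_poam(SAMPLE_CSV), date(2024, 7, 1)):
        print(f"{poam_id}: {', '.join(issues)}")
```

Run it against a real export and the output is the list of entries an assessor would question. Wiring the same check into a scheduled job, with the "overdue" threshold tightened to your own closeout window, is a cheap way to keep the POA&M honest between assessments.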
What evidence assessors expect
Assessors typically look for the POA&M itself (a CSV export or PDF showing each weakness, its owner, milestones, scheduled completion date, and current status) together with evidence that entries are being worked and closed, such as screenshots of the corresponding tickets or change records. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on CA.L2-3.12.2.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →