The organization: PM-4a.
Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: PM-4a.1.
Are developed and maintained; PM-4a.2.
Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and PM-4a.3.
Are reported in accordance with OMB FISMA reporting requirements. PM-4b.
Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.