Hello and welcome to the NIST 800-171 Learning Path. My name is Dave Hadar. I'm your instructor for this class, and this is Course 5, Create a Plan of Action and Milestones. In this video, we'll take a look at actually creating our plan of action and milestones. As you can see in the screenshot here, I have created a plan of action and milestones for our fictional company, Rearden Steel. I'm going to switch screens in a second, go over to the Excel document, and walk you through the rationale for why I created it this way and the process of plugging this in and managing your plan of action and milestones. Bear with me here for a second; I'm going to switch screens to Excel. Here we go. Hopefully you now see my Excel document in your window there. I'm going to pull this up on my big screen. Again, this is the plan of action that goes with the system security plan for the Rearden Steel information system, RSIS00001. You can see it's got the last updated date of the spreadsheet here that I'm using to manage my plan of action and milestones. Again, this is loosely based on the NIST format. You can download their Word document straight from their website, where you'll find 800-171 R2. I like the Excel format better; it makes it easier to slice and dice the data and work with it. Again, they don't tell you that you have to use any prescribed format. They do tell you what you need in it, per requirement 3.12.2 of 800-171. I feel strongly that this particular document would meet all of those requirements. You can see here I have the requirement number, I have a status, and I have the weakness or weaknesses that were identified for that particular requirement; in other words, why is that requirement not satisfied in my information system? Then who's responsible; an estimate, if necessary or available; whether it is funded or not; a scheduled completion date; milestones with interim completion dates; any changes to milestones; and how the weakness or deficiency was identified.
Then any notes that go along with it. Let's take a look at a couple of these. Requirement 3.1.9, in this particular case, is basically the one that says you need to have some type of login banner telling you that you have CUI in the system. You can see the weakness: we don't currently have the login banner implemented. The status of this particular task is in progress. Francisco d'Anconia is responsible for it. It is funded, and we've scheduled a completion date of 8/1/2001. You can see the milestone here is we're going to implement a login banner using GPOs. You can see here it was identified while preparing the SSP. As we were going through our system security plan and we got to requirement 3.1.9, we realized we don't have a login banner in our environment that says that CUI is required. We identified that as a deficiency. In our Rearden information system security plan, we said there that that is not implemented, and we referred to the plan of action and milestones you see here. Then this has the detail for how we're going to manage it. If we take a look at another one here, 3.1.16, that basically says that you need to ensure that you understand what devices are connecting to your wireless network. You can see in this case we're saying its status is scheduled. The weakness: we don't have any whitelisting or MAC filtering configured in this case. The responsible party is Francisco d'Anconia. Again, it's funded. It's scheduled to be completed on November 30th. What we're going to do to complete it is configure MAC filtering on our Wi-Fi to make sure that only known devices can connect. We identified this while preparing the SSP as well. If we take a look at 3.1.8, you can see here, in this case, it's not scheduled. This is the one that basically says you're going to manage mobile devices. 3.1.19 is encryption on mobile devices. These two are very similar. We've said we've not scheduled 3.1.8. We don't have an MDM yet.
Our responsible party, again, is Francisco d'Anconia; he's our CSO. It is funded. We don't have a scheduled completion date because it's not scheduled yet, and what we're going to do is implement mobile device management with Intune. You can see here some notes: pricing for Intune licensing has been acquired. Now, you can see here in 3.1.19, we're saying this is scheduled. We don't have encryption consistently enabled on all devices, and we don't have an MDM implemented, which we have already discussed briefly. Francisco d'Anconia is the responsible party. This is funded, and we're scheduled to do this by 12/31. You can see this is a two-phase deal. We're going to implement BitLocker; that's what we're saying we'll have scheduled by 12/31 for our PC-oriented devices. Then once we get Intune, we would handle the MDM side of it there. You can provide as much or as little detail as necessary. I would suggest erring on the side of more detail. Again, if an assessor comes in and you need to provide these documents to them, the more information you have, the more credible it's going to seem, and I think the smoother your audit will go. Let's take a look at just one more of these and then we'll move on: 3.3.1, which is about logging. Now, I know I mentioned this in the previous video, but I want to mention it again: it's so helpful to have 800-171A available when you're looking at the requirements and then defining the weaknesses and what you're going to do in order to fix those deficiencies, to eliminate those weaknesses and make sure that you satisfy that particular requirement. In this case, you can see for 3.3.1 that log generation is minimal and log auditing is not occurring at this time. We're saying this is in progress. We're turning on logging; we're going to crank up the logging. We're saying here that Francisco d'Anconia is responsible and it is funded. We're on track to have this done by September 1st of 2021.
We identified this weakness while we were preparing the system security plan. You can see this language is loosely based on what came out of 800-171. In order to satisfy this requirement, we're going to generate audit records. We're going to make sure they're created with the content necessary to meet this requirement. We're going to define the retention requirements and ensure that we retain the log records per those retention requirements. Again, if you look at the assessment objectives in 800-171A, you'll get the information you need to fill these out and know what you need to do. Again, this is an example of a plan of action and milestones for Rearden Steel. Obviously, you don't have to follow this exact format. Again, there is no prescribed format, but I think this works pretty well. With that, that is the end of this video, and I will see you in the next course. Thanks for watching and see you soon.
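As an added example (not code from the course, the video, or Rearden Steel), here is a small Python script that models the POA&M columns described above and runs the kinds of checks you would want before an assessor opens the spreadsheet: every entry carries the core fields, anything marked scheduled or in progress has a completion date, nothing marked not scheduled carries a date, and overdue items are listed as of a chosen day. The CSV rows are constructed to mirror the entries walked through in the video; the column names, status values, and rules are assumptions for illustration, not a format NIST prescribes.

```python
"""Added example: a small POA&M tracker that reads a plan of action and
milestones kept as CSV (one column per field described in the video) and
checks it the way an assessor might: required fields present, dated items
where a date is expected, and which items are overdue as of a given day."""
import csv
import io
from datetime import date, datetime

# Constructed sample data modelled on the Rearden Steel spreadsheet columns.
# Text and dates are illustrative and not taken from any real system.
SAMPLE_POAM_CSV = """\
requirement,status,weakness,responsible,estimate,funded,scheduled_completion,milestones,milestone_changes,identified_by,notes
3.1.9,In Progress,Login banner not implemented,Francisco d'Anconia,,Yes,2021-08-01,Implement login banner via GPO (2021-08-01),,Preparing SSP,
3.1.16,Scheduled,No allow-listing or MAC filtering on Wi-Fi,Francisco d'Anconia,,Yes,2021-11-30,Configure MAC filtering on Wi-Fi (2021-11-30),,Preparing SSP,
3.1.8,Not Scheduled,No MDM in place,Francisco d'Anconia,,Yes,,Implement MDM with Intune,,Preparing SSP,Intune licensing pricing acquired
3.1.19,Scheduled,Encryption not consistently enabled; no MDM,Francisco d'Anconia,,Yes,2021-12-31,Enable BitLocker on PCs (2021-12-31); enforce via MDM once Intune is in place,,Preparing SSP,
3.3.1,In Progress,Log generation minimal; log auditing not occurring,Francisco d'Anconia,,Yes,2021-09-01,Generate audit records with required content; define and enforce retention,,Preparing SSP,
"""

# Fields every entry must carry, regardless of status (assumed rule).
REQUIRED_FIELDS = ("requirement", "status", "weakness", "responsible",
                   "funded", "milestones", "identified_by")
# Statuses that must have a scheduled completion date (assumed rule).
DATED_STATUSES = ("scheduled", "in progress")


def load_poam(csv_text):
    """Parse the CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty cell."""
    value = (value or "").strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def validate_entry(row):
    """Return a list of problems with one POA&M row (empty list = OK)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not (row.get(field) or "").strip():
            problems.append(f"missing {field}")
    status = (row.get("status") or "").strip().lower()
    due = parse_date(row.get("scheduled_completion"))
    if status in DATED_STATUSES and due is None:
        problems.append(f"status '{status}' but no scheduled completion date")
    if status == "not scheduled" and due is not None:
        problems.append("status 'not scheduled' but a completion date is set")
    return problems


def overdue_entries(rows, as_of):
    """Requirement numbers whose scheduled date has passed without completion."""
    late = []
    for row in rows:
        status = (row.get("status") or "").strip().lower()
        due = parse_date(row.get("scheduled_completion"))
        if status != "completed" and due is not None and due < as_of:
            late.append(row["requirement"])
    return late


def status_counts(rows):
    """Count entries per (lower-cased) status, for the summary view."""
    counts = {}
    for row in rows:
        status = (row.get("status") or "").strip().lower()
        counts[status] = counts.get(status, 0) + 1
    return counts


def report(csv_text, as_of):
    """Run all checks and return a dict suitable for printing or asserting on."""
    rows = load_poam(csv_text)
    return {
        "problems": {r["requirement"]: validate_entry(r) for r in rows
                     if validate_entry(r)},
        "overdue": overdue_entries(rows, as_of),
        "counts": status_counts(rows),
    }


if __name__ == "__main__":
    # Review the sample plan as of 1 October 2021.
    for key, value in report(SAMPLE_POAM_CSV, date(2021, 10, 1)).items():
        print(f"{key}: {value}")
```

To use it with a real spreadsheet, export the POA&M sheet to CSV with the same header row and pass the file contents to `report()`; the status vocabulary is deliberately simple (completed, in progress, scheduled, not scheduled) so the checks stay predictable, and the point of `overdue_entries()` is that a slipped date shows up as a list you can act on rather than something you notice only when the assessor asks.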