Identify maturity gaps, prioritize remediation, and build a Plan of Action & Milestones
Use this table structure to document gaps between your current MIL attainment and your target state. The example below shows a sample organization targeting MIL 2 across all domains with selected MIL 3 targets in high-risk areas.
⚠️ This is a template/example. Populate it with your actual self-assessment results from the Self-Assessment Tool.
| Domain | Practice ID | Practice Summary | Current Status | Target MIL | Evidence Needed | Remediation Effort | Risk Level |
|---|---|---|---|---|---|---|---|
| ASSET - Asset, Change, and Configuration Management | | | | | | | |
| ASSET | ASSET-1c | Prioritize assets based on criticality | ⚠️ Partial | MIL 2 | Criticality rating in asset inventory | Low | Medium |
| ASSET | ASSET-2c | Plan and document change management | ❌ Not Met | MIL 2 | Formal CM policy and procedure | Medium | Medium |
| ACCESS - Identity and Access Management | | | | | | | |
| ACCESS | ACCESS-2c | Implement MFA for privileged accounts | ❌ Not Met | MIL 2 | MFA configuration screenshots | Medium | High |
| ACCESS | ACCESS-3b | Periodic access rights review | ❌ Not Met | MIL 2 | Access certification records | Low | High |
| RESPONSE - Incident Response & Continuity | | | | | | | |
| RESPONSE | RESPONSE-3c | Documented incident response plan | ⚠️ Partial | MIL 2 | Written IRP with all response phases | Medium | High |
| RESPONSE | RESPONSE-4d | Test continuity and backup procedures | ❌ Not Met | MIL 2 | Backup restore test records | Low | High |
| WORKFORCE - Workforce Management | | | | | | | |
| WORK | WORK-2c | Plan and track training completion | ❌ Not Met | MIL 2 | Training plan and completion records | Low | Medium |
| THIRD-PARTIES - Third-Party Risk Management | | | | | | | |
| THIRD | THIRD-1b | Prioritize third parties by risk level | ❌ Not Met | MIL 2 | Vendor risk rating methodology and records | Medium | Medium |
Use this framework to decide which gaps to address first. Prioritize each gap on the combination of its risk level (impact if the weakness is exploited) and its remediation effort (time and resources needed to close it). The four combinations give four buckets:

- Quick wins that eliminate high-risk exposures (high risk, low effort). Address immediately. Examples: enabling MFA, running the first vulnerability scan, reviewing active user accounts.
- Critical gaps requiring significant work (high risk, high effort). Assign dedicated resources, set milestones, and track progress. Examples: IRP development, architecture segmentation.
- Important but not urgent (lower risk, high effort). Include in the program roadmap and budget cycles. Examples: MIL 3 review programs, advanced threat intelligence sharing.
- Low-priority improvements (lower risk, low effort). Complete when bandwidth allows or fold into existing projects. Examples: documentation enhancements, minor process improvements.
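The following script is an added example, not part of this page or of any C2M2 tool. It parses a markdown gap table in the shape used above into records, assigns each gap to one of the four risk/effort buckets described in the prioritization framework, and emits a sorted POA&M worklist. The sample table is a constructed subset of the rows above, and the bucket thresholds (only "High" risk counts as high, any effort above "Low" counts as significant work) are assumptions you can adjust to your own scale.

```python
"""Prioritize C2M2 gap-analysis rows by risk level and remediation effort.

Added example: parse a markdown gap table, bucket each gap into the four
risk/effort quadrants of the prioritization framework, and produce a
POA&M worklist in the order the framework recommends working them.
"""
from dataclasses import dataclass

# Constructed sample input: a subset of the gap table rows, re-typed without
# the status icons so the block stays plain ASCII.
GAP_TABLE = """\
| Domain | Practice ID | Practice Summary | Current Status | Target MIL | Evidence Needed | Remediation Effort | Risk Level |
|---|---|---|---|---|---|---|---|
| ASSET - Asset, Change, and Configuration Management | |||||||
| ASSET | ASSET-1c | Prioritize assets based on criticality | Partial | MIL 2 | Criticality rating in asset inventory | Low | Medium |
| ASSET | ASSET-2c | Plan and document change management | Not Met | MIL 2 | Formal CM policy and procedure | Medium | Medium |
| ACCESS - Identity and Access Management | |||||||
| ACCESS | ACCESS-2c | Implement MFA for privileged accounts | Not Met | MIL 2 | MFA configuration screenshots | Medium | High |
| ACCESS | ACCESS-3b | Periodic access rights review | Not Met | MIL 2 | Access certification records | Low | High |
| RESPONSE - Incident Response & Continuity | |||||||
| RESPONSE | RESPONSE-4d | Test continuity and backup procedures | Not Met | MIL 2 | Backup restore test records | Low | High |
"""

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Bucket order is the work order the framework prescribes.
QUADRANTS = [
    "Quick win - act immediately",
    "Critical gap - dedicated resources and milestones",
    "Important, not urgent - roadmap and budget cycle",
    "Low priority - fold into existing projects",
]


@dataclass(frozen=True)
class Gap:
    domain: str
    practice_id: str
    summary: str
    status: str
    target_mil: str
    evidence: str
    effort: str
    risk: str

    def quadrant(self) -> str:
        """Map (risk, effort) to a bucket. Assumption: only 'High' risk counts
        as high, and any effort above 'Low' counts as significant work."""
        high_risk = LEVEL[self.risk.lower()] >= LEVEL["high"]
        low_effort = LEVEL[self.effort.lower()] <= LEVEL["low"]
        if high_risk and low_effort:
            return QUADRANTS[0]
        if high_risk:
            return QUADRANTS[1]
        if not low_effort:
            return QUADRANTS[2]
        return QUADRANTS[3]


def parse_gap_table(markdown: str) -> list[Gap]:
    """Parse the markdown gap table into Gap records, skipping the header row,
    the separator row and the domain heading rows (which have an empty
    Practice ID cell)."""
    gaps = []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        body = line[1:-1] if line.endswith("|") else line[1:]
        cells = [c.strip() for c in body.split("|")]
        if len(cells) < 8 or cells[1] in ("Practice ID", "---") or not cells[1]:
            continue
        domain, pid, summary, status, mil, evidence, effort, risk = cells[:8]
        gaps.append(Gap(domain, pid, summary, status, mil, evidence, effort, risk))
    return gaps


def prioritize(gaps: list[Gap]) -> list[tuple[str, Gap]]:
    """Return (quadrant, gap) pairs in work order: bucket first, then higher
    risk, then lower effort, then practice ID for a stable listing."""
    return sorted(
        ((g.quadrant(), g) for g in gaps),
        key=lambda qg: (
            QUADRANTS.index(qg[0]),
            -LEVEL[qg[1].risk.lower()],
            LEVEL[qg[1].effort.lower()],
            qg[1].practice_id,
        ),
    )


def poam_worklist(markdown: str = GAP_TABLE) -> list[str]:
    """One numbered POA&M line per gap, bucket label first."""
    rows = []
    for n, (quadrant, g) in enumerate(prioritize(parse_gap_table(markdown)), 1):
        rows.append(f"{n}. [{quadrant}] {g.practice_id}: {g.summary} "
                    f"(risk {g.risk}, effort {g.effort}, target {g.target_mil})")
    return rows


if __name__ == "__main__":
    print("\n".join(poam_worklist()))
```

Paste your own gap table into `GAP_TABLE` (or pass it to `poam_worklist`) and the two High-risk/Low-effort rows, MFA-adjacent access review and backup restore testing, surface at the top of the list, which is the "quick win" outcome the framework describes; the Medium/Medium change-management gap lands in the roadmap bucket rather than competing with them.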
Use the form below to add Plan of Action & Milestones (POA&M) items. Entries are saved in your browser and displayed in the tracking table.
| # | Domain | Practice ID | Gap Description | Planned Action | Owner | Target Date | Risk | Status | Action |
|---|---|---|---|---|---|---|---|---|---|
| No POA&M items yet. Add items using the form above. | | | | | | | | | |