FISMA Corrective Action Plans

PowerPoint presentation, uploaded by eve-vinson on 30-Dec-2015.

TRANSCRIPT
OVERVIEW

Background

Components and Guidelines

Frequently Asked Questions

BACKGROUND

Corrective Action Plans (CAPs) are a requirement of FISMA.

CAPs make FISMA an ongoing process: they ensure that risks are corrected, not just identified.

They cover a period of time, not a point in time.

COMPONENTS

Include all risks where action has not been fully implemented.

Describe the action taken so far.

Describe additional action to be taken.

State when additional action will be implemented.

GUIDELINES

There is no required format.

Plan must be UPDATED every six months.

Last year’s risks are not required to be included in the new action plan.


QUESTION #1

What are the consequences if our department does not complete these CAPs?

ANSWER #1

The same as not submitting a FISMA Report:

• Department will be posted to the non-compliers list
• Finance representative may contact the department for follow-up
• Program Budget Managers may be notified
• BCPs may be declined

QUESTION #2

Where should I send my CAPs?

ANSWER #2

CAPs are required to be sent to [email protected]

QUESTION #3

I’m unclear when the first CAP is supposed to be submitted.

ANSWER #3

Timeline (for a FISMA Report dated 12/31/11):

1st CAP due 1/30/12, 30 days from REPORT DATE, ONLY IF it was not included with the report.

2nd CAP due 6/30/12, 6 months from REPORT DATE.

3rd CAP due 12/31/12.

QUESTION #4

Is the CAP required to be posted to the Transparency website?

ANSWER #4

No. Only the FISMA Report is required to be posted.

QUESTION #5

If there are risks not fully mitigated/corrected by the end of the FISMA period, do they have to be included in the next FISMA report?

ANSWER #5

Only if management still considers them a risk. Prior risks should be considered in the subsequent risk assessment process.

QUESTION #6

Some of our corrective actions have an “ongoing” completion date. Even if all other corrective action is complete, do I have to continue submitting CAPs?

ANSWER #6

Likely not. Corrective action is expected to be ongoing. Usually, when a corrective action indicates an “ongoing” completion date, the action has already been taken.

QUESTION #7

Part of our department’s corrective action was contingent upon a Budget Change Proposal (BCP). What do we do if it has been denied?

ANSWER #7

BCPs are not considered corrective action for FISMA purposes. Government Code §13407 states that the provisions of FISMA should be carried out using existing resources; this includes the establishment and maintenance of internal controls.