The intended audience includes information resource owners and custodians.

For all weaknesses and deficiencies noted during the annual risk assessment of security controls, the information resource owner, or designee, shall develop a plan of action and milestones to document the unit’s planned remedial actions to reduce or eliminate known vulnerabilities to the information resource.