The University shall develop and update, a plan of action and milestone process for security information resources that document the University's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls in order to reduce or eliminate known vulnerabilities in the system.


  • Texas Administrative Code Chapter 202 assigns responsibility for the protection of information resources to the President of the University. For the purposes of this Control, the authority and responsibility regarding the university‚Äôs compliance with TAC 202 have been delegated by the President to the Chief Information Officer (CIO).


  • 1

    It is the responsibility of the University President or designee (i.e., CIO) to implement a process for ensuring that plans of action and milestones for the security program and associated University information resources;

    • 1.1

      Are developed and maintained;

    • 1.2

      Document the remedial information security actions to adequately respond to risk to University operations and assets, individuals, other organizations; and

    • 1.3

      Are reported in accordance with OMB FISMA reporting requirements.

  • 2

    The CIO or designee shall review plans of action and milestones for consistency with the University risk management strategy and University priorities for risk response actions.