CMMC Practice CA.2.159
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Bold Coast Security Guidance
For Level 2 compliance the organization must have a formal written policy that requires a formal mitigation plan to correct identified deficiencies that are included in technical testing, audit, and risk assessment findings.
DRAFT NIST SP 800-171 R2
The plan of action is a key document in the information security program . Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.
Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a non-federal organization and whether it is advisable to pursue an agreement or contract with the non-federal organization.