The organization: PM-14a.
Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: PM-14a.1.
Are developed and maintained; and PM-14a.2.
Continue to be executed in a timely manner; PM-14b.
Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.