Planning
Estimated reading time: 4 minutesPL-1 Security Planning Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
- Reviews and updates the current:
- Security planning policy [Assignment: organization-defined frequency]; and
- Security planning procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
PL-2 System Security Plan
Description
The organization:
- Develops a security plan for the information system that:
- Is consistent with the organization�s enterprise architecture;
- Explicitly defines the authorization boundary for the system;
- Describes the operational context of the information system in terms of missions and business processes;
- Provides the security categorization of the information system including supporting rationale;
- Describes the operational environment for the information system and relationships with or connections to other information systems;
- Provides an overview of the security requirements for the system;
- Identifies any relevant overlays, if applicable;
- Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
- Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
- Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
- Reviews the security plan for the information system [Assignment: organization-defined frequency];
- Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
- Protects the security plan from unauthorized disclosure and modification.
Control Information
Responsible role(s) - Organization
PL-2 (3) Plan / Coordinate With Other Organizational Entities
Description
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
Control Information
Responsible role(s) - Organization
PL-4 Rules Of Behavior
Description
The organization:
- Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
- Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
- Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
- Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
Control Information
Responsible role(s) - Organization
PL-4 (1) Social Media And Networking Restrictions
Description
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
Control Information
Responsible role(s) - Organization
PL-7 Security Concept Of Operations
Description
The organization:
- Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
- Reviews and updates the CONOPS [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
PL-8 Information Security Architecture
Description
The organization:
- Develops an information security architecture for the information system that:
- Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
- Describes how the information security architecture is integrated into and supports the enterprise architecture; and
- Describes any information security assumptions about, and dependencies on, external services;
- Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
- Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
Control Information
Responsible role(s) - Organization
PL-8 (1) Defense-In-Depth
Description
The organization designs its security architecture using a defense-in-depth approach that:
- Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
- Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
Control Information
Responsible role(s) - Organization
PL-8 (2) Supplier Diversity
Description
The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
Control Information
Responsible role(s) - Organization
PL-9 Central Management
Description
The organization centrally manages [Assignment: organization-defined security controls and related processes].
Control Information
Responsible role(s) - Organization