Program management
Estimated reading time: 5 minutesPM-1 Information Security Program Plan
Description
The organization:
- Develops and disseminates an organization-wide information security program plan that:
- Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
- Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
- Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
- Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
- Protects the information security program plan from unauthorized disclosure and modification.
Control Information
Responsible role(s) - Organization
PM-2 Senior Information Security Officer
Description
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Control Information
Responsible role(s) - Organization
PM-3 Information Security Resources
Description
The organization:
- Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
- Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
- Ensures that information security resources are available for expenditure as planned.
Control Information
Responsible role(s) - Organization
PM-4 Plan Of Action And Milestones Process
Description
The organization:
- Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
- Are developed and maintained;
- Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
- Are reported in accordance with OMB FISMA reporting requirements.
- Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Control Information
Responsible role(s) - Organization
PM-5 Information System Inventory
Description
The organization develops and maintains an inventory of its information systems.
Control Information
Responsible role(s) - Organization
PM-6 Information Security Measures Of Performance
Description
The organization develops, monitors, and reports on the results of information security measures of performance.
Control Information
Responsible role(s) - Organization
PM-7 Enterprise Architecture
Description
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Control Information
Responsible role(s) - Organization
PM-8 Critical Infrastructure Plan
Description
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Control Information
Responsible role(s) - Organization
PM-9 Risk Management Strategy
Description
The organization:
- Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
- Implements the risk management strategy consistently across the organization; and
- Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
Control Information
Responsible role(s) - Organization
PM-10 Security Authorization Process
Description
The organization:
- Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
- Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
- Fully integrates the security authorization processes into an organization-wide risk management program.
Control Information
Responsible role(s) - Organization
PM-11 Mission/Business Process Definition
Description
The organization:
- Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
- Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
Control Information
Responsible role(s) - Organization
PM-12 Insider Threat Program
Description
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
Control Information
Responsible role(s) - Organization
PM-13 Information Security Workforce
Description
The organization establishes an information security workforce development and improvement program.
Control Information
Responsible role(s) - Organization
PM-14 Testing, Training, And Monitoring
Description
The organization:
- Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
- Are developed and maintained; and
- Continue to be executed in a timely manner;
- Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Control Information
Responsible role(s) - Organization
PM-15 Contacts With Security Groups And Associations
Description
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
- To facilitate ongoing security education and training for organizational personnel;
- To maintain currency with recommended security practices, techniques, and technologies; and
- To share current security-related information including threats, vulnerabilities, and incidents.
Control Information
Responsible role(s) - Organization
PM-16 Threat Awareness Program
Description
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
Control Information
Responsible role(s) - Organization