Planning

PL-1 Security Planning Policy And Procedures

Description

The organization:

1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
2. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

PL-2 System Security Plan

Description

The organization:

1. Develops a security plan for the information system that:
1. Is consistent with the organization�s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
2. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
3. Reviews the security plan for the information system [Assignment: organization-defined frequency];
4. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
5. Protects the security plan from unauthorized disclosure and modification.

Control Information

Responsible role(s) - Organization

PL-2 (3) Plan / Coordinate With Other Organizational Entities

Description

The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.

Control Information

Responsible role(s) - Organization

PL-4 Rules Of Behavior

Description

The organization:

1. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
2. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
3. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
4. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

Control Information

Responsible role(s) - Organization

PL-4 (1) Social Media And Networking Restrictions

Description

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

Control Information

Responsible role(s) - Organization

PL-7 Security Concept Of Operations

Description

The organization:

1. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
2. Reviews and updates the CONOPS [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

PL-8 Information Security Architecture

Description

The organization:

1. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
2. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
3. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

Control Information

Responsible role(s) - Organization

PL-8 (1) Defense-In-Depth

Description

The organization designs its security architecture using a defense-in-depth approach that:

1. Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
2. Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.

Control Information

Responsible role(s) - Organization

PL-8 (2) Supplier Diversity

Description

The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.

Control Information

Responsible role(s) - Organization

PL-9 Central Management

Description

The organization centrally manages [Assignment: organization-defined security controls and related processes].

Control Information

Responsible role(s) - Organization