Program management

PM-1 Information Security Program Plan

Description

The organization:

  1. Develops and disseminates an organization-wide information security program plan that:
    1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
    2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
    3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
    4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
  2. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
  3. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
  4. Protects the information security program plan from unauthorized disclosure and modification.

Control Information

Responsible role(s) - Organization

PM-2 Senior Information Security Officer

Description

The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

Control Information

Responsible role(s) - Organization

PM-3 Information Security Resources

Description

The organization:

  1. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
  2. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
  3. Ensures that information security resources are available for expenditure as planned.

Control Information

Responsible role(s) - Organization

PM-4 Plan Of Action And Milestones Process

Description

The organization:

  1. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
    1. Are developed and maintained;
    2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
    3. Are reported in accordance with OMB FISMA reporting requirements.
  2. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Control Information

Responsible role(s) - Organization

PM-5 Information System Inventory

Description

The organization develops and maintains an inventory of its information systems.

Control Information

Responsible role(s) - Organization

PM-6 Information Security Measures Of Performance

Description

The organization develops, monitors, and reports on the results of information security measures of performance.

Control Information

Responsible role(s) - Organization

PM-7 Enterprise Architecture

Description

The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

Control Information

Responsible role(s) - Organization

PM-8 Critical Infrastructure Plan

Description

The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

Control Information

Responsible role(s) - Organization

PM-9 Risk Management Strategy

Description

The organization:

  1. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
  2. Implements the risk management strategy consistently across the organization; and
  3. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Control Information

Responsible role(s) - Organization

PM-10 Security Authorization Process

Description

The organization:

  1. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
  2. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
  3. Fully integrates the security authorization processes into an organization-wide risk management program.

Control Information

Responsible role(s) - Organization

PM-11 Mission/Business Process Definition

Description

The organization:

  1. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
  2. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.

Control Information

Responsible role(s) - Organization

PM-12 Insider Threat Program

Description

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

Control Information

Responsible role(s) - Organization

PM-13 Information Security Workforce

Description

The organization establishes an information security workforce development and improvement program.

Control Information

Responsible role(s) - Organization

PM-14 Testing, Training, And Monitoring

Description

The organization:

  1. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
    1. Are developed and maintained; and
    2. Continue to be executed in a timely manner;
  2. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Control Information

Responsible role(s) - Organization

PM-15 Contacts With Security Groups And Associations

Description

The organization establishes and institutionalizes contact with selected groups and associations within the security community:

  1. To facilitate ongoing security education and training for organizational personnel;
  2. To maintain currency with recommended security practices, techniques, and technologies; and
  3. To share current security-related information including threats, vulnerabilities, and incidents.

Control Information

Responsible role(s) - Organization

PM-16 Threat Awareness Program

Description

The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

Control Information

Responsible role(s) - Organization