PL - Planning
- Controls Count: 6
- Controls IDs: PL-1, PL-2, PL-4, PL-4 (1), PL-10, PL-11
Controls
PL-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level planning policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the planning policy and the associated planning controls;
Designate an organization-defined official to manage the development, documentation, and dissemination of the planning policy and procedures; and
Review and update the current planning:
Policy at an organization-defined frequency and following organization-defined events that would require the current planning policy to be reviewed and updated; and
Procedures at an organization-defined frequency and following organization-defined events that would require the current planning procedures to be reviewed and updated.
Planning policy and procedures address the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission-level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a planning policy is developed and documented;
the planning policy is disseminated to organization-defined personnel or roles;
planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
the planning procedures are disseminated to organization-defined personnel or roles;
the organization-level, mission/business process-level, and/or system-level planning policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level planning policy addresses scope;
the organization-level, mission/business process-level, and/or system-level planning policy addresses roles;
the organization-level, mission/business process-level, and/or system-level planning policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level planning policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level planning policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level planning policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
an organization-defined official is designated to manage the development, documentation, and dissemination of the planning policy and procedures;
the current planning policy is reviewed and updated at an organization-defined frequency;
the current planning policy is reviewed and updated following organization-defined events that would require the current planning policy to be reviewed and updated;
the current planning procedures are reviewed and updated at an organization-defined frequency;
the current planning procedures are reviewed and updated following organization-defined events that would require the current planning procedures to be reviewed and updated.
Planning policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with planning responsibilities
organizational personnel with information security and privacy responsibilities
PL-2: System Security and Privacy Plans
Develop security and privacy plans for the system that:
Are consistent with the organization’s enterprise architecture;
Explicitly define the constituent system components;
Describe the operational context of the system in terms of mission and business processes;
Identify the individuals that fulfill system roles and responsibilities;
Identify the information types processed, stored, and transmitted by the system;
Provide the security categorization of the system, including supporting rationale;
Describe any specific threats to the system that are of concern to the organization;
Provide the results of a privacy risk assessment for systems processing personally identifiable information;
Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
Provide an overview of the security and privacy requirements for the system;
Identify any relevant control baselines or overlays, if applicable;
Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
Include risk determinations for security and privacy architecture and design decisions;
Include security- and privacy-related activities affecting the system that require planning and coordination with organization-defined individuals or groups; and
Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
Distribute copies of the plans and communicate subsequent changes to the plans to organization-defined personnel or roles;
Review the plans at an organization-defined frequency;
Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
Protect the plans from unauthorized disclosure and modification.
System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.
Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.
Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.
Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.
a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
a security plan for the system is developed that explicitly defines the constituent system components;
a privacy plan for the system is developed that explicitly defines the constituent system components;
a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
a security plan for the system is developed that provides an overview of the security requirements for the system;
a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with organization-defined individuals or groups;
a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with organization-defined individuals or groups;
a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
copies of the plans are distributed to organization-defined personnel or roles;
subsequent changes to the plans are communicated to organization-defined personnel or roles;
plans are reviewed at an organization-defined frequency;
plans are updated to address changes to the system and environment of operations;
plans are updated to address problems identified during the plan implementation;
plans are updated to address problems identified during control assessments;
plans are protected from unauthorized disclosure;
plans are protected from unauthorized modification.
Security and privacy planning policy
procedures addressing system security and privacy plan development and implementation
procedures addressing security and privacy plan reviews and updates
enterprise architecture documentation
system security plan
privacy plan
records of system security and privacy plan reviews and updates
security and privacy architecture and design documentation
risk assessments
risk assessment results
control assessment documentation
other relevant documents or records
Organizational personnel with system security and privacy planning and plan implementation responsibilities
system developers
organizational personnel with information security and privacy responsibilities
Organizational processes for system security and privacy plan development, review, update, and approval
mechanisms supporting the system security and privacy plan
PL-4: Rules of Behavior
Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
Review and update the rules of behavior at an organization-defined frequency; and
Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge the rules at an organization-defined frequency and/or when the rules are revised or updated (one or both, as selected by the organization).
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.
rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
rules of behavior are reviewed and updated at an organization-defined frequency;
individuals who have acknowledged a previous version of the rules of behavior are required to read and re-acknowledge the rules at an organization-defined frequency and/or when the rules are revised or updated (one or both, as selected by the organization).
Security and privacy planning policy
procedures addressing rules of behavior for system users
rules of behavior
signed acknowledgements
records for rules of behavior reviews and updates
other relevant documents or records
Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior
organizational personnel with responsibility for literacy training and awareness and role-based training
organizational personnel who are authorized users of the system and have signed and re-signed rules of behavior
organizational personnel with information security and privacy responsibilities
Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior
mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior
PL-4 (1): Social Media and External Site/Application Usage Restrictions
Include in the rules of behavior, restrictions on:
Use of social media, social networking sites, and external sites/applications;
Posting organizational information on public websites; and
Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.
the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
the rules of behavior include restrictions on posting organizational information on public websites;
the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
Security and privacy planning policy
procedures addressing rules of behavior for system users
rules of behavior
training policy
other relevant documents or records
Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior
organizational personnel with responsibility for literacy training and awareness and role-based training
organizational personnel who are authorized users of the system and have signed rules of behavior
organizational personnel with information security and privacy responsibilities
Organizational processes for establishing rules of behavior
mechanisms supporting and/or implementing the establishment of rules of behavior
PL-10: Baseline Selection
Select a control baseline for the system.
Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in SP 800-53B. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.
a control baseline for the system is selected.
Security and privacy planning policy
procedures addressing system security and privacy plan development and implementation
procedures addressing system security and privacy plan reviews and updates
system design documentation
system architecture and configuration documentation
system categorization decision
information types stored, transmitted, and processed by the system
system element/component information
stakeholder needs analysis
list of security and privacy requirements allocated to the system, system elements, and environment of operation
list of contractual requirements allocated to external providers of the system or system element
business impact analysis or criticality analysis
risk assessments
risk management strategy
organizational security and privacy policy
federal or organization-approved or mandated baselines or overlays
system security plan
privacy plan
other relevant documents or records
Organizational personnel with security and privacy planning and plan implementation responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with responsibility for organizational risk management activities
PL-11: Baseline Tailoring
Tailor the selected control baseline by applying specified tailoring actions.
The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B. Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT, and OMB A-130. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.
the selected control baseline is tailored by applying specified tailoring actions.
Security and privacy planning policy
procedures addressing system security and privacy plan development and implementation
system design documentation
system categorization decision
information types stored, transmitted, and processed by the system
system element/component information
stakeholder needs analysis
list of security and privacy requirements allocated to the system, system elements, and environment of operation
list of contractual requirements allocated to external providers of the system or system element
business impact analysis or criticality analysis
risk assessments
risk management strategy
organizational security and privacy policy
federal or organization-approved or mandated baselines or overlays
baseline tailoring rationale
system security plan
privacy plan
records of system security and privacy plan reviews and updates
other relevant documents or records
Organizational personnel with security and privacy planning and plan implementation responsibilities
organizational personnel with information security and privacy responsibilities