Planning (PL)

This page contains all 11 controls and control enhancements in the Planning (PL) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.

Official NIST OSCAL source

  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

PL-01 (Policy and Procedures)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] planning policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and
  • c. Review and update the current planning:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


PL-02 (System Security and Privacy Plans)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

  • a. Develop security and privacy plans for the system that:
    • 1. Are consistent with the organization’s enterprise architecture;
    • 2. Explicitly define the constituent system components;
    • 3. Describe the operational context of the system in terms of mission and business processes;
    • 4. Identify the individuals that fulfill system roles and responsibilities;
    • 5. Identify the information types processed, stored, and transmitted by the system;
    • 6. Provide the security categorization of the system, including supporting rationale;
    • 7. Describe any specific threats to the system that are of concern to the organization;
    • 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
    • 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
    • 10. Provide an overview of the security and privacy requirements for the system;
    • 11. Identify any relevant control baselines or overlays, if applicable;
    • 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
    • 13. Include risk determinations for security and privacy architecture and design decisions;
    • 14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
    • 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
  • b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
  • c. Review the plans [Assignment: organization-defined frequency];
  • d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
  • e. Protect the plans from unauthorized disclosure and modification.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-04 (Rules of Behavior)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

  • a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
  • b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
  • c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and
  • d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection: one or more of: [Assignment: organization-defined frequency]; when the rules are revised or updated].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-04 (01) (Social Media and External Site/Application Usage Restrictions)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Include in the rules of behavior, restrictions on:

  • (a) Use of social media, social networking sites, and external sites/applications;
  • (b) Posting organizational information on public websites; and
  • (c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-07 (Concept of Operations)

  • a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and
  • b. Review and update the CONOPS [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-08 (Security and Privacy Architectures)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

  • a. Develop security and privacy architectures for the system that:
    • 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
    • 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
    • 3. Describe how the architectures are integrated into and support the enterprise architecture; and
    • 4. Describe any assumptions about, and dependencies on, external systems and services;
  • b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and
  • c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-08 (01) (Defense in Depth)

Design the security and privacy architectures for the system using a defense-in-depth approach that:

  • (a) Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and
  • (b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-08 (02) (Supplier Diversity)

Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-09 (Central Management)

Centrally manage [Assignment: organization-defined controls and related processes].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-10 (Baseline Selection)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Select a control baseline for the system.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


PL-11 (Baseline Tailoring)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Tailor the selected control baseline by applying specified tailoring actions.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.