Navigate

CCI-002990

CCI-002990 Definition

The organization protects the information security program plan from unauthorized modification.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoD documents and implements methods to protect the information security program plan from unauthorized disclosure by marking, labeling, and handling to prevent unauthorized modification. DoD ensures that all changes to the information security program plan are approved.

Validation Procedures

DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan.

Compelling Evidence

Automatically compliant per DoDI 8500.01.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002990.

Control	Description
PM-1	The organization: PM-1a.: Develops and disseminates an organization-wide information security program plan that: PM-1a.1.: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.2.: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.3.: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and PM-1a.4.: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-1b.: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; PM-1c.: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and PM-1d.: Protects the information security program plan from unauthorized disclosure and modification.

Control

Description

PM-1

The organization:

PM-1a.: Develops and disseminates an organization-wide information security program plan that:
- PM-1a.1.: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- PM-1a.2.: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- PM-1a.3.: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
- PM-1a.4.: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

PM-1b.: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];

PM-1c.: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and

PM-1d.: Protects the information security program plan from unauthorized disclosure and modification.