Navigate

CCI-003057

CCI-003057 Definition

Develop security and privacy plans for the system that describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions. - a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions.

Validation Procedures

Examine: [SELECT FROM: Security and privacy planning policy; procedures addressing system security and privacy plan development and implementation; procedures addressing security and privacy plan reviews and updates; enterprise architecture documentation; system security plan; privacy plan; records of system security and privacy plan reviews and updates; security and privacy architecture and design documentation; risk assessments; risk assessment results; control assessment documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system security and privacy planning and plan implementation responsibilities; system developers; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for system security and privacy plan development, review, update, and approval; mechanisms supporting the system security and privacy plan].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003057.

Control	Description
PL-2	a: Develop security and privacy plans for the system that: 1: Are consistent with the organization’s enterprise architecture; 2: Explicitly define the constituent system components; 3: Describe the operational context of the system in terms of mission and business processes; 4: Identify the individuals that fulfill system roles and responsibilities; 5: Identify the information types processed, stored, and transmitted by the system; 6: Provide the security categorization of the system, including supporting rationale; 7: Describe any specific threats to the system that are of concern to the organization; 8: Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10: Provide an overview of the security and privacy requirements for the system; 11: Identify any relevant control baselines or overlays, if applicable; 12: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13: Include risk determinations for security and privacy architecture and design decisions; 14: Include security- and privacy-related activities affecting the system that require planning and coordination with [individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;] ; and 15: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b: Distribute copies of the plans and communicate subsequent changes to the plans to [personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;]; c: Review the plans [frequency to review system security and privacy plans is defined;]; d: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e: Protect the plans from unauthorized disclosure and modification.

Control

Description

PL-2

a: Develop security and privacy plans for the system that:
- 1: Are consistent with the organization’s enterprise architecture;
- 2: Explicitly define the constituent system components;
- 3: Describe the operational context of the system in terms of mission and business processes;
- 4: Identify the individuals that fulfill system roles and responsibilities;
- 5: Identify the information types processed, stored, and transmitted by the system;
- 6: Provide the security categorization of the system, including supporting rationale;
- 7: Describe any specific threats to the system that are of concern to the organization;
- 8: Provide the results of a privacy risk assessment for systems processing personally identifiable information;
- 9: Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
- 10: Provide an overview of the security and privacy requirements for the system;
- 11: Identify any relevant control baselines or overlays, if applicable;
- 12: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
- 13: Include risk determinations for security and privacy architecture and design decisions;
- 14: Include security- and privacy-related activities affecting the system that require planning and coordination with [individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;] ; and
- 15: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

b: Distribute copies of the plans and communicate subsequent changes to the plans to [personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;];

c: Review the plans [frequency to review system security and privacy plans is defined;];

d: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

e: Protect the plans from unauthorized disclosure and modification.