Navigate

CCI-003079

CCI-003079 Definition

The organization ensures that planned information security architecture changes are reflected in the security Concept of Operations (CONOPS).

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed includes planned information security architecture changes in the security Concept of Operations (CONOPS).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines security CONOPS to ensure the organization being inspected/assessed includes planned information security architecture changes in the security CONOPS.

Compelling Evidence

1.) Current version of security concept of operations (CONOPS) for the information security architecture incorporates all of the changes required by the most recent update to the information security architecture.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003079.

Control	Description
PL-8	The organization: PL-8a.: Develops an information security architecture for the information system that: PL-8a.1.: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; PL-8a.2.: Describes how the information security architecture is integrated into and supports the enterprise architecture; and PL-8a.3.: Describes any information security assumptions about, and dependencies on, external services; PL-8b.: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and PL-8c.: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

Control

Description

PL-8

The organization:

PL-8a.: Develops an information security architecture for the information system that:
- PL-8a.1.: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
- PL-8a.2.: Describes how the information security architecture is integrated into and supports the enterprise architecture; and
- PL-8a.3.: Describes any information security assumptions about, and dependencies on, external services;

PL-8b.: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and

PL-8c.: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.