Navigate

CCI-000074

CCI-000074 Definition

The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan.

Validation Procedures

DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan.

Compelling Evidence

Automatically compliant per DoDI 8500.01.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000074.

Control	Description
PM-1	The organization: PM-1a.: Develops and disseminates an organization-wide information security program plan that: PM-1a.1.: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.2.: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.3.: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and PM-1a.4.: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-1b.: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; PM-1c.: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and PM-1d.: Protects the information security program plan from unauthorized disclosure and modification.

Control

Description

PM-1

The organization:

PM-1a.: Develops and disseminates an organization-wide information security program plan that:
- PM-1a.1.: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- PM-1a.2.: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- PM-1a.3.: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
- PM-1a.4.: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

PM-1b.: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];

PM-1c.: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and

PM-1d.: Protects the information security program plan from unauthorized disclosure and modification.