Navigate

PM-8

PM-8: Critical Infrastructure Plan

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

Supplemental

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
ID.BE-2, ID.BE-4, ID.RM-3

Related Controls

The controls below (if any) were marked by NIST as being related to PM-8.

Control	Description
CP-2	a: Develop a contingency plan for the system that: 1: Identifies essential mission and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6: Addresses the sharing of contingency information; and 7: Is reviewed and approved by [one of ]; b: Distribute copies of the contingency plan to [one of ]; c: Coordinate contingency planning activities with incident handling activities; d: Review the contingency plan for the system [frequency of contingency plan review is defined;]; e: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicate contingency plan changes to [one of ]; g: Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h: Protect the contingency plan from unauthorized disclosure and modification.
CP-4	a: Test the contingency plan for the system [frequency of testing the contingency plan for the system is defined;] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [one of ]. b: Review the contingency plan test results; and c: Initiate corrective actions, if needed.
PE-18	Position system components within the facility to minimize potential damage from [physical and environmental hazards that could result in potential damage to system components within the facility are defined;] and to minimize the opportunity for unauthorized access.
PL-2	a: Develop security and privacy plans for the system that: 1: Are consistent with the organization’s enterprise architecture; 2: Explicitly define the constituent system components; 3: Describe the operational context of the system in terms of mission and business processes; 4: Identify the individuals that fulfill system roles and responsibilities; 5: Identify the information types processed, stored, and transmitted by the system; 6: Provide the security categorization of the system, including supporting rationale; 7: Describe any specific threats to the system that are of concern to the organization; 8: Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10: Provide an overview of the security and privacy requirements for the system; 11: Identify any relevant control baselines or overlays, if applicable; 12: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13: Include risk determinations for security and privacy architecture and design decisions; 14: Include security- and privacy-related activities affecting the system that require planning and coordination with [individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;] ; and 15: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b: Distribute copies of the plans and communicate subsequent changes to the plans to [personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;]; c: Review the plans [frequency to review system security and privacy plans is defined;]; d: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e: Protect the plans from unauthorized disclosure and modification.
PM-9	a: Develops a comprehensive strategy to manage: 1: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and 2: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; b: Implement the risk management strategy consistently across the organization; and c: Review and update the risk management strategy [the frequency at which to review and update the risk management strategy is defined;] or as required, to address organizational changes.
PM-11	a: Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c: Review and revise the mission and business processes [the frequency at which to review and revise the mission and business processes is defined;].
PM-18	a: Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: 1: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; 2: Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; 3: Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; 4: Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; 5: Reflects coordination among organizational entities responsible for the different aspects of privacy; and 6: Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and b: Update the plan [the frequency of updates to the privacy program plan is defined;] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
SI-12	Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Enhancements

The controls below (if any) add on to the requirements of PM-8.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PM-8.

CCI	Definition
CCI-000216	Address information security issues in the development and documentation of a critical infrastructure and key resources protection plan.
CCI-001640	Address information security issues in the updating of a critical infrastructure and key resources protection plan.
CCI-004343	Address information privacy issues in the development and documentation of a critical infrastructure and key resources protection plan.
CCI-004344	Address information privacy issues in the updating of a critical infrastructure and key resources protection plan.