Navigate

PM-8

PM-8: Critical Infrastructure Plan

The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

Supplemental

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to PM-8.

Control	Description
PM-1	The organization: PM-1a.: Develops and disseminates an organization-wide information security program plan that: PM-1a.1.: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.2.: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.3.: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and PM-1a.4.: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-1b.: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; PM-1c.: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and PM-1d.: Protects the information security program plan from unauthorized disclosure and modification.
PM-9	The organization: PM-9a.: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; PM-9b.: Implements the risk management strategy consistently across the organization; and PM-9c.: Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
PM-11	The organization: PM-11a.: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and PM-11b.: Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
RA-3	The organization: RA-3a.: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; RA-3b.: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; RA-3c.: Reviews risk assessment results [Assignment: organization-defined frequency]; RA-3d.: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and RA-3e.: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Enhancements

The controls below (if any) add on to the requirements of PM-8.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PM-8.

CCI	Definition
CCI-000216	The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues.
CCI-001640	The organization updates the critical infrastructure and key resources protection plan that addresses information security issues.