Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations | Controls: 49
| Control ID | Title / Statement | Priority | Baseline Impact |
|---|---|---|---|
| PL-1 | Security Planning Policy and Procedures (3 params). The organization: a. Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management... | — | — |
| └ pl-1a | Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}: | — | — |
| └ pl-1a.1 | A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entitie... | — | — |
| └ pl-1a.2 | Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and | — | — |
| └ pl-1b | Reviews and updates the current: | — | — |
| └ pl-1b.1 | Security planning policy {{ insert: param, pl-1_prm_2 }}; and | — | — |
| └ pl-1b.2 | Security planning procedures {{ insert: param, pl-1_prm_3 }}. | — | — |
| PL-2 | System Security Plan (2 params). The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization’s enterprise architecture; 2. Explicitly defines the authorization bo... | — | — |
| └ pl-2a | Develops a security plan for the information system that: | — | — |
| └ pl-2a.1 | Is consistent with the organization’s enterprise architecture; | — | — |
| └ pl-2a.2 | Explicitly defines the authorization boundary for the system; | — | — |
| └ pl-2a.3 | Describes the operational context of the information system in terms of missions and business processes; | — | — |
| └ pl-2a.4 | Provides the security categorization of the information system including supporting rationale; | — | — |
| └ pl-2a.5 | Describes the operational environment for the information system and relationships with or connections to other information systems; | — | — |
| └ pl-2a.6 | Provides an overview of the security requirements for the system; | — | — |
| └ pl-2a.7 | Identifies any relevant overlays, if applicable; | — | — |
| └ pl-2a.8 | Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and | — | — |
| └ pl-2a.9 | Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; | — | — |
| └ pl-2b | Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }}; | — | — |
| └ pl-2c | Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }}; | — | — |
| └ pl-2d | Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or securit... | — | — |
| └ pl-2e | Protects the security plan from unauthorized disclosure and modification. | — | — |
| PL-2(1) | Concept of Operations | — | — |
| PL-2(2) | Functional Architecture | — | — |
| PL-2(3) | Plan / Coordinate with Other Organizational Entities (1 param). The organization plans and coordinates security-related activities affecting the information system with {{ insert: param, pl-2.3_prm_1 }} before conducting such activities in order to reduce the i... | — | — |
| PL-3 | System Security Plan Update | — | — |
| PL-4 | Rules of Behavior (1 param). The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with r... | — | — |
| └ pl-4a | Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities a... | — | — |
| └ pl-4b | Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, be... | — | — |
| └ pl-4c | Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and | — | — |
| └ pl-4d | Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated. | — | — |
| PL-4(1) | Social Media and Networking Restrictions. The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. | — | — |
| PL-5 | Privacy Impact Assessment | — | — |
| PL-6 | Security-related Activity Planning | — | — |
| PL-7 | Security Concept of Operations (1 param). The organization: a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective... | — | — |
| └ pl-7a | Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the ... | — | — |
| └ pl-7b | Reviews and updates the CONOPS {{ insert: param, pl-7_prm_1 }}. | — | — |
| PL-8 | Information Security Architecture (1 param). The organization: a. Develops an information security architecture for the information system that: 1. Describes the overall philosophy, requirements, and approach to be taken with regard to ... | — | — |
| └ pl-8a | Develops an information security architecture for the information system that: | — | — |
| └ pl-8a.1 | Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability... | — | — |
| └ pl-8a.2 | Describes how the information security architecture is integrated into and supports the enterprise architecture; and | — | — |
| └ pl-8a.3 | Describes any information security assumptions about, and dependencies on, external services; | — | — |
| └ pl-8b | Reviews and updates the information security architecture {{ insert: param, pl-8_prm_1 }} to reflect updates in the enterprise architecture; and | — | — |
| └ pl-8c | Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and... | — | — |
| PL-8(1) | Defense-in-depth (2 params). The organization designs its security architecture using a defense-in-depth approach that: (a) Allocates {{ insert: param, pl-8.1_prm_1 }} to {{ insert: param, pl-8.1_prm_2 }}; and (b) Ensures ... | — | — |
| └ pl-8.1.(a) | Allocates {{ insert: param, pl-8.1_prm_1 }} to {{ insert: param, pl-8.1_prm_2 }}; and | — | — |
| └ pl-8.1.(b) | Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. | — | — |
| PL-8(2) | Supplier Diversity (2 params). The organization requires that {{ insert: param, pl-8.2_prm_1 }} allocated to {{ insert: param, pl-8.2_prm_2 }} are obtained from different suppliers. | — | — |
| PL-9 | Central Management (1 param). The organization centrally manages {{ insert: param, pl-9_prm_1 }}. | — | — |