Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations | Family: Program Management (PM) | Entries: 47 (16 controls and their enumerated parts)

| Control ID | Title / Statement | Priority | Baseline Impact |
|---|---|---|---|
| PM-1 | Information Security Program Plan. The organization: | — | — |
| └ pm-1a | Develops and disseminates an organization-wide information security program plan that: | — | — |
| └ pm-1a.1 | Provides an overview of the requirements for the security program and a description of the security program management controls and common controls... | — | — |
| └ pm-1a.2 | Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compl... | — | — |
| └ pm-1a.3 | Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, perso... | — | — |
| └ pm-1a.4 | Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission... | — | — |
| └ pm-1b | Reviews the organization-wide information security program plan [Assignment: organization-defined frequency] (parameter pm-1_prm_1); | — | — |
| └ pm-1c | Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and | — | — |
| └ pm-1d | Protects the information security program plan from unauthorized disclosure and modification. | — | — |
| PM-2 | Senior Information Security Officer. The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. | — | — |
| PM-3 | Information Security Resources. The organization: | — | — |
| └ pm-3a | Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents ... | — | — |
| └ pm-3b | Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and | — | — |
| └ pm-3c | Ensures that information security resources are available for expenditure as planned. | — | — |
| PM-4 | Plan of Action and Milestones Process. The organization: | — | — |
| └ pm-4a | Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: | — | — |
| └ pm-4a.1 | Are developed and maintained; | — | — |
| └ pm-4a.2 | Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organi... | — | — |
| └ pm-4a.3 | Are reported in accordance with OMB FISMA reporting requirements. | — | — |
| └ pm-4b | Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk r... | — | — |
| PM-5 | Information System Inventory. The organization develops and maintains an inventory of its information systems. | — | — |
| PM-6 | Information Security Measures of Performance. The organization develops, monitors, and reports on the results of information security measures of performance. | — | — |
| PM-7 | Enterprise Architecture. The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organ... | — | — |
| PM-8 | Critical Infrastructure Plan. The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. | — | — |
| PM-9 | Risk Management Strategy. The organization: | — | — |
| └ pm-9a | Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associat... | — | — |
| └ pm-9b | Implements the risk management strategy consistently across the organization; and | — | — |
| └ pm-9c | Reviews and updates the risk management strategy [Assignment: organization-defined frequency] (parameter pm-9_prm_1) or as required, to address organizational changes. | — | — |
| PM-10 | Security Authorization Process. The organization: | — | — |
| └ pm-10a | Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems... | — | — |
| └ pm-10b | Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and | — | — |
| └ pm-10c | Fully integrates the security authorization processes into an organization-wide risk management program. | — | — |
| PM-11 | Mission/Business Process Definition. The organization: | — | — |
| └ pm-11a | Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational ... | — | — |
| └ pm-11b | Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievabl... | — | — |
| PM-12 | Insider Threat Program. The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team. | — | — |
| PM-13 | Information Security Workforce. The organization establishes an information security workforce development and improvement program. | — | — |
| PM-14 | Testing, Training, and Monitoring. The organization: | — | — |
| └ pm-14a | Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with or... | — | — |
| └ pm-14a.1 | Are developed and maintained; and | — | — |
| └ pm-14a.2 | Continue to be executed in a timely manner; | — | — |
| └ pm-14b | Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities f... | — | — |
| PM-15 | Contacts with Security Groups and Associations. The organization establishes and institutionalizes contact with selected groups and associations within the security community: | — | — |
| └ pm-15a | To facilitate ongoing security education and training for organizational personnel; | — | — |
| └ pm-15b | To maintain currency with recommended security practices, techniques, and technologies; and | — | — |
| └ pm-15c | To share current security-related information including threats, vulnerabilities, and incidents. | — | — |
| PM-16 | Threat Awareness Program. The organization implements a threat awareness program that includes a cross-organization information-sharing capability. | — | — |

Priority and Baseline Impact are blank for every entry above: in Revision 4 the Program Management controls (Appendix G) are implemented organization-wide rather than per system, carry no priority code, and are not allocated to the low, moderate, or high baselines. Statements ending in "..." are truncated in the source catalog view; the two bracketed assignments (pm-1_prm_1, pm-9_prm_1) are the organization-defined review frequencies that PM-1b and PM-9c leave open.