Control ID Title / Statement Priority Baseline Impact
PL-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}: 1. {{ insert: param, pl-01_odp.03 }} planning policy that: (a) Addresses purpose, scope, roles, responsibilitie...
Param ID Label Constraint / Choices
pl-1_prm_1 organization-defined personnel or roles Organization-defined
pl-01_odp.01 personnel or roles personnel or roles to whom the planning policy is to be disseminated is/are defined;
pl-01_odp.02 personnel or roles personnel or roles to whom the planning procedures are to be disseminated is/are defined;
pl-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
pl-01_odp.04 official an official to manage the planning policy and procedures is defined;
pl-01_odp.05 frequency the frequency with which the current planning policy is reviewed and updated is defined;
pl-01_odp.06 events events that would require the current planning policy to be reviewed and updated are defined;
pl-01_odp.07 frequency the frequency with which the current planning procedures are reviewed and updated is defined;
pl-01_odp.08 events events that would require procedures to be reviewed and updated are defined;
PL-02
System Security and Privacy Plans 3 params
a. Develop security and privacy plans for the system that: 1. Are consistent with the organization’s enterprise architecture; 2. Explicitly define the constituent system components; 3...
Param ID Label Constraint / Choices
pl-02_odp.01 individuals or groups individuals or groups with whom security and privacy-related activities affecting the system that require planning an...
pl-02_odp.02 personnel or roles personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;
pl-02_odp.03 frequency frequency to review system security and privacy plans is defined;
PL-02(01)
Concept of Operations
PL-02(02)
Functional Architecture
PL-02(03)
Plan and Coordinate with Other Organizational Entities
PL-03
System Security Plan Update
PL-04
Rules of Behavior 3 params
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privac...
Param ID Label Constraint / Choices
pl-04_odp.01 frequency frequency for reviewing and updating the rules of behavior is defined;
pl-04_odp.02 Select one-or-more: {{ insert: param, pl-04_odp.03 }} ; when the rules are revised or updated
pl-04_odp.03 frequency frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);
PL-04(01)
Social Media and External Site/Application Usage Restrictions
Include in the rules of behavior, restrictions on: (a) Use of social media, social networking sites, and external sites/applications; (b) Posting organizational information on public websites; ...
PL-05
Privacy Impact Assessment
PL-06
Security-related Activity Planning
PL-07
Concept of Operations 1 param
a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and b. Review ...
Param ID Label Constraint / Choices
pl-07_odp frequency frequency for review and update of the Concept of Operations (CONOPS) is defined;
PL-08
Security and Privacy Architectures 1 param
a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of org...
Param ID Label Constraint / Choices
pl-08_odp frequency frequency for review and update to reflect changes in the enterprise architecture;
PL-08(01)
Defense in Depth 2 params
Design the security and privacy architectures for the system using a defense-in-depth approach that: (a) Allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }} ; a...
Param ID Label Constraint / Choices
pl-08.01_odp.01 controls controls to be allocated are defined;
pl-08.01_odp.02 locations and architectural layers locations and architectural layers are defined;
PL-08(02)
Supplier Diversity 2 params
Require that {{ insert: param, pl-08.02_odp.01 }} allocated to {{ insert: param, pl-08.02_odp.02 }} are obtained from different suppliers.
Param ID Label Constraint / Choices
pl-08.02_odp.01 controls controls to be allocated are defined;
pl-08.02_odp.02 locations and architectural layers locations and architectural layers are defined;
PL-09
Central Management 1 param
Centrally manage {{ insert: param, pl-09_odp }}.
Param ID Label Constraint / Choices
pl-09_odp controls and related processes security and privacy controls and related processes to be centrally managed are defined;
PL-10
Baseline Selection
Select a control baseline for the system.
PL-11
Baseline Tailoring
Tailor the selected control baseline by applying specified tailoring actions.
pl-1a Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:
pl-1a.1 {{ insert: param, pl-01_odp.03 }} planning policy that:
pl-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
pl-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
pl-1a.2 Procedures to facilitate the implementation of the planning policy and the associated planning controls;
pl-1b Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and
pl-1c Review and update the current planning:
pl-1c.1 Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and
pl-1c.2 Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}.
pl-2a Develop security and privacy plans for the system that:
pl-2a.1 Are consistent with the organization’s enterprise architecture;
pl-2a.2 Explicitly define the constituent system components;
pl-2a.3 Describe the operational context of the system in terms of mission and business processes;
pl-2a.4 Identify the individuals that fulfill system roles and responsibilities;
pl-2a.5 Identify the information types processed, stored, and transmitted by the system;
pl-2a.6 Provide the security categorization of the system, including supporting rationale;
pl-2a.7 Describe any specific threats to the system that are of concern to the organization;
pl-2a.8 Provide the results of a privacy risk assessment for systems processing personally identifiable information;
pl-2a.9 Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
pl-2a.10 Provide an overview of the security and privacy requirements for the system;
pl-2a.11 Identify any relevant control baselines or overlays, if applicable;
pl-2a.12 Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
pl-2a.13 Include risk determinations for security and privacy architecture and design decisions;
pl-2a.14 Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }}...
pl-2a.15 Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
pl-2b Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};
pl-2c Review the plans {{ insert: param, pl-02_odp.03 }};
pl-2d Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessm...
pl-2e Protect the plans from unauthorized disclosure and modification.
pl-4a Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for infor...
pl-4b Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior,...
pl-4c Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and
pl-4d Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}.
pl-4.1.(a) Use of social media, social networking sites, and external sites/applications;
pl-4.1.(b) Posting organizational information on public websites; and
pl-4.1.(c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sit...
pl-7a Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of infor...
pl-7b Review and update the CONOPS {{ insert: param, pl-07_odp }}.
pl-8a Develop security and privacy architectures for the system that:
pl-8a.1 Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
pl-8a.2 Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
pl-8a.3 Describe how the architectures are integrated into and support the enterprise architecture; and
pl-8a.4 Describe any assumptions about, and dependencies on, external systems and services;
pl-8b Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and
pl-8c Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures...
pl-8.1.(a) Allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }} ; and
pl-8.1.(b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.