Catalog: Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures | Controls: 128
| Control ID | Title | Statement | Params | Priority | Baseline Impact |
|---|---|---|---|---|---|
| PM-01 | Information Security Program Plan | a. Develop and disseminate an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security ... | 2 | — | — |
| └ pm-1a | | Develop and disseminate an organization-wide information security program plan that: | — | — | — |
| └ pm-1a.1 | | Provides an overview of the requirements for the security program and a description of the security program management controls and common controls... | — | — | — |
| └ pm-1a.2 | | Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compl... | — | — | — |
| └ pm-1a.3 | | Reflects the coordination among organizational entities responsible for information security; and | — | — | — |
| └ pm-1a.4 | | Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission... | — | — | — |
| └ pm-1b | | Review and update the organization-wide information security program plan {{ insert: param, pm-01_odp.01 }} and following {{ insert: param, pm-01_o... | — | — | — |
| └ pm-1c | | Protect the information security program plan from unauthorized disclosure and modification. | — | — | — |
| PM-02 | Information Security Program Leadership Role | Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. | — | — | — |
| PM-03 | Information Security and Privacy Resources | a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; b. Prepar... | — | — | — |
| └ pm-3a | | Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document al... | — | — | — |
| └ pm-3b | | Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance w... | — | — | — |
| └ pm-3c | | Make available for expenditure, the planned information security and privacy resources. | — | — | — |
| PM-04 | Plan of Action and Milestones Process | a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: 1.... | — | — | — |
| └ pm-4a | | Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs ... | — | — | — |
| └ pm-4a.1 | | Are developed and maintained; | — | — | — |
| └ pm-4a.2 | | Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational opera... | — | — | — |
| └ pm-4a.3 | | Are reported in accordance with established reporting requirements. | — | — | — |
| └ pm-4b | | Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk re... | — | — | — |
| PM-05 | System Inventory | Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems. | 1 | — | — |
| PM-05(01) | Inventory of Personally Identifiable Information | Establish, maintain, and update {{ insert: param, pm-05.01_odp }} an inventory of all systems, applications, and projects that process personally identifiable information. | 1 | — | — |
| PM-06 | Measures of Performance | Develop, monitor, and report on the results of information security and privacy measures of performance. | — | — | — |
| PM-07 | Enterprise Architecture | Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organization... | — | — | — |
| PM-07(01) | Offloading | Offload {{ insert: param, pm-07.01_odp }} to other systems, system components, or an external provider. | 1 | — | — |
| PM-08 | Critical Infrastructure Plan | Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. | — | — | — |
| PM-09 | Risk Management Strategy | a. Develops a comprehensive strategy to manage: 1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and us... | 1 | — | — |
| └ pm-9a | | Develops a comprehensive strategy to manage: | — | — | — |
| └ pm-9a.1 | | Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of or... | — | — | — |
| └ pm-9a.2 | | Privacy risk to individuals resulting from the authorized processing of personally identifiable information; | — | — | — |
| └ pm-9b | | Implement the risk management strategy consistently across the organization; and | — | — | — |
| └ pm-9c | | Review and update the risk management strategy {{ insert: param, pm-09_odp }} or as required, to address organizational changes. | — | — | — |
| PM-10 | Authorization Process | a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; b. Designate individuals to fulfill speci... | — | — | — |
| └ pm-10a | | Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; | — | — | — |
| └ pm-10b | | Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and | — | — | — |
| └ pm-10c | | Integrate the authorization processes into an organization-wide risk management program. | — | — | — |
| PM-11 | Mission and Business Process Definition | a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individ... | 1 | — | — |
| └ pm-11a | | Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organization... | — | — | — |
| └ pm-11b | | Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and | — | — | — |
| └ pm-11c | | Review and revise the mission and business processes {{ insert: param, pm-11_odp }}. | — | — | — |
| PM-12 | Insider Threat Program | Implement an insider threat program that includes a cross-discipline insider threat incident handling team. | — | — | — |
| PM-13 | Security and Privacy Workforce | Establish a security and privacy workforce development and improvement program. | — | — | — |
| PM-14 | Testing, Training, and Monitoring | a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are d... | — | — | — |
| └ pm-14a | | Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associa... | — | — | — |
| └ pm-14a.1 | | Are developed and maintained; and | — | — | — |
| └ pm-14a.2 | | Continue to be executed; and | — | — | — |
| └ pm-14b | | Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities fo... | — | — | — |
| PM-15 | Security and Privacy Groups and Associations | Establish and institutionalize contact with selected groups and associations within the security and privacy communities: a. To facilitate ongoing security and privacy education and training for ... | — | — | — |
| └ pm-15a | | To facilitate ongoing security and privacy education and training for organizational personnel; | — | — | — |
| └ pm-15b | | To maintain currency with recommended security and privacy practices, techniques, and technologies; and | — | — | — |
| └ pm-15c | | To share current security and privacy information, including threats, vulnerabilities, and incidents. | — | — | — |
| PM-16 | Threat Awareness Program | Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. | — | — | — |
| PM-16(01) | Automated Means for Sharing Threat Intelligence | Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. | — | — | — |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemen... | 3 | — | — |
| └ pm-17a | | Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or ... | — | — | — |
| └ pm-17b | | Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}. | — | — | — |
| PM-18 | Privacy Program Plan | a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: 1. Includes a description of the structure of the privacy ... | 1 | — | — |
| └ pm-18a | | Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: | — | — | — |
| └ pm-18a.1 | | Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; | — | — | — |
| └ pm-18a.2 | | Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls i... | — | — | — |
| └ pm-18a.3 | | Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and... | — | — | — |
| └ pm-18a.4 | | Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; | — | — | — |
| └ pm-18a.5 | | Reflects coordination among organizational entities responsible for the different aspects of privacy; and | — | — | — |
| └ pm-18a.6 | | Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including... | — | — | — |
| └ pm-18b | | Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems id... | — | — | — |
| PM-19 | Privacy Program Leadership Role | Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy ris... | — | — | — |
| PM-20 | Dissemination of Privacy Program Information | Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: a. Ensures tha... | — | — | — |
| └ pm-20a | | Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for p... | — | — | — |
| └ pm-20b | | Ensures that organizational privacy practices and reports are publicly available; and | — | — | — |
| └ pm-20c | | Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices rega... | — | — | — |
| PM-20(01) | Privacy Policies on Websites, Applications, and Digital Services | Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: (a) Are written in plain language and organized in a way that is easy to ... | — | — | — |
| └ pm-20.1.(a) | | Are written in plain language and organized in a way that is easy to understand and navigate; | — | — | — |
| └ pm-20.1.(b) | | Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and | — | — | — |
| └ pm-20.1.(c) | | Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public ... | — | — | — |
| PM-21 | Accounting of Disclosures | a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, ... | — | — | — |
| └ pm-21a | | Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: | — | — | — |
| └ pm-21a.1 | | Date, nature, and purpose of each disclosure; and | — | — | — |
| └ pm-21a.2 | | Name and address, or other contact information of the individual or organization to which the disclosure was made; | — | — | — |
| └ pm-21b | | Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the discl... | — | — | — |
| └ pm-21c | | Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. | — | — | — |
| PM-22 | Personally Identifiable Information Quality Management | Develop and document organization-wide policies and procedures for: a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the inform... | — | — | — |
| └ pm-22a | | Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; | — | — | — |
| └ pm-22b | | Correcting or deleting inaccurate or outdated personally identifiable information; | — | — | — |
| └ pm-22c | | Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and | — | — | — |
| └ pm-22d | | Appeals of adverse decisions on correction or deletion requests. | — | — | — |
| PM-23 | Data Governance Body | Establish a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }}. | 2 | — | — |
| PM-24 | Data Integrity Board | Establish a Data Integrity Board to: a. Review proposals to conduct or participate in a matching program; and b. Conduct an annual review of all matching programs in which the agency has partic... | — | — | — |
| └ pm-24a | | Review proposals to conduct or participate in a matching program; and | — | — | — |
| └ pm-24b | | Conduct an annual review of all matching programs in which the agency has participated. | — | — | — |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; b. Limit or minimize the am... | 5 | — | — |
| └ pm-25a | | Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training... | — | — | — |
| └ pm-25b | | Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; | — | — | — |
| └ pm-25c | | Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and | — | — | — |
| └ pm-25d | | Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}. | — | — | — |
| PM-26 | Complaint Management | Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: a. Mechanisms that a... | 5 | — | — |
| └ pm-26a | | Mechanisms that are easy to use and readily accessible by the public; | — | — | — |
| └ pm-26b | | All information necessary for successfully filing complaints; | — | — | — |
| └ pm-26c | | Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }}; | — | — | — |
| └ pm-26d | | Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }}; and | — | — | — |
| └ pm-26e | | Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}. | — | — | — |
| PM-27 | Privacy Reporting | a. Develop {{ insert: param, pm-27_odp.01 }} and disseminate to: 1. {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; an... | 4 | — | — |
| └ pm-27a | | Develop {{ insert: param, pm-27_odp.01 }} and disseminate to: | — | — | — |
| └ pm-27a.1 | | {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and | — | — | — |
| └ pm-27a.2 | | {{ insert: param, pm-27_odp.03 }} and other personnel with responsibility for monitoring privacy program compliance; and | — | — | — |
| └ pm-27b | | Review and update privacy reports {{ insert: param, pm-27_odp.04 }}. | — | — | — |
| PM-28 | Risk Framing | a. Identify and document: 1. Assumptions affecting risk assessments, risk responses, and risk monitoring; 2. Constraints affecting risk assessments, risk responses, and risk monitoring; ... | 2 | — | — |
| └ pm-28a | | Identify and document: | — | — | — |
| └ pm-28a.1 | | Assumptions affecting risk assessments, risk responses, and risk monitoring; | — | — | — |
| └ pm-28a.2 | | Constraints affecting risk assessments, risk responses, and risk monitoring; | — | — | — |
| └ pm-28a.3 | | Priorities and trade-offs considered by the organization for managing risk; and | — | — | — |
| └ pm-28a.4 | | Organizational risk tolerance; | — | — | — |
| └ pm-28b | | Distribute the results of risk framing activities to {{ insert: param, pm-28_odp.01 }}; and | — | — | — |
| └ pm-28c | | Review and update risk framing considerations {{ insert: param, pm-28_odp.02 }}. | — | — | — |
| PM-29 | Risk Management Program Leadership Roles | a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning proc... | — | — | — |
| └ pm-29a | | Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strate... | — | — | — |
| └ pm-29b | | Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent ac... | — | — | — |
| PM-30 | Supply Chain Risk Management Strategy | a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services... | 1 | — | — |
| └ pm-30a | | Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of sy... | — | — | — |
| └ pm-30b | | Implement the supply chain risk management strategy consistently across the organization; and | — | — | — |
| └ pm-30c | | Review and update the supply chain risk management strategy on {{ insert: param, pm-30_odp }} or as required, to address organizational changes. | — | — | — |
| PM-30(01) | Suppliers of Critical or Mission-essential Items | Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. | — | — | — |
| PM-31 | Continuous Monitoring Strategy | Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: {{ ... | 9 | — | — |
| └ pm-31a | | Establishing the following organization-wide metrics to be monitored: {{ insert: param, pm-31_odp.01 }}; | — | — | — |
| └ pm-31b | | Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness; | — | — | — |
| └ pm-31c | | Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; | — | — | — |
| └ pm-31d | | Correlation and analysis of information generated by control assessments and monitoring; | — | — | — |
| └ pm-31e | | Response actions to address results of the analysis of control assessment and monitoring information; and | — | — | — |
| └ pm-31f | | Reporting the security and privacy status of organizational systems to {{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}. | — | — | — |
| PM-32 | Purposing | Analyze {{ insert: param, pm-32_odp }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. | 1 | — | — |
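The `{{ insert: param, <id> }}` tokens in the statements above are OSCAL parameter placeholders that an organization fills in with its own organization-defined parameter (ODP) values when it tailors the catalog. The following added example (not part of the NIST catalog or any OSCAL tool) resolves those placeholders in rendered statement text and reports which parameters still have no value, which is the check an assessor wants before accepting a tailored control set. The statements are copied from the table; the ODP values are constructed for illustration and are not prescribed by the catalog.

```python
import re
from dataclasses import dataclass

# Matches the OSCAL prose placeholder form used in the table: {{ insert: param, pm-05_odp }}
PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([A-Za-z0-9_.\-]+)\s*\}\}")

# Statement text copied from the catalog rows above.
STATEMENTS = {
    "pm-5": "Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems.",
    "pm-23": "Establish a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} "
             "with {{ insert: param, pm-23_odp.02 }}.",
    "pm-31f": "Reporting the security and privacy status of organizational systems to "
              "{{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}.",
}

# Constructed ODP values (assumption for the example; pm-31 deliberately left unset).
ODP_VALUES = {
    "pm-05_odp": "annually",
    "pm-23_odp.01": "the CISO, the senior agency official for privacy, and one data steward per business unit",
    "pm-23_odp.02": "authority to approve data classification and retention decisions",
}


def referenced_params(text: str) -> list[str]:
    """Return the parameter ids a statement references, in order of appearance."""
    return PARAM_RE.findall(text)


@dataclass
class Resolution:
    text: str            # statement with every defined placeholder substituted
    unresolved: list[str]  # parameter ids that had no organization-defined value


def resolve(text: str, values: dict[str, str]) -> Resolution:
    """Substitute ODP values into a statement; leave a visible marker for missing ones."""
    unresolved: list[str] = []

    def substitute(match: re.Match) -> str:
        pid = match.group(1)
        if pid in values:
            return values[pid]
        unresolved.append(pid)
        return f"[{pid}: not defined]"

    return Resolution(PARAM_RE.sub(substitute, text), unresolved)


def audit(statements: dict[str, str], values: dict[str, str]) -> dict[str, list[str]]:
    """Map each control id to its unresolved parameter ids; controls with no gaps are omitted."""
    gaps: dict[str, list[str]] = {}
    for control_id, text in statements.items():
        res = resolve(text, values)
        if res.unresolved:
            gaps[control_id] = res.unresolved
    return gaps


if __name__ == "__main__":
    for cid, text in STATEMENTS.items():
        print(cid, "->", resolve(text, ODP_VALUES).text)
    print("gaps:", audit(STATEMENTS, ODP_VALUES))
```

Run against a real tailored profile, `audit` is the pre-assessment check: any control it lists has an unresolved ODP, so its statement cannot be assessed as written. Note that the catalog itself uses two naming styles for parameters (`_odp` and `_prm_`), so the pattern matches on the generic placeholder form rather than on either suffix.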