pl_low_impact_pri1.md

File metadata and controls

78 lines (60 loc) · 2.9 KB

NIST 800-53 PL Low Impact Priority 1

This file is generated by a script. To modify, update source file ./pl_low_impact_pri1.yaml.

As the CIO, I want to document and communicate our organization's security plan and define assessment procedures.

Why: We need to ensure that all relevant personnel are conversant with our security plan in order to maintain compliance.

How:

  • Define roles in addition to ISSO or ISSM that the security plan is to be disseminated to. (State if there are no additional roles)
  • Define roles in addition to ISSO or ISSM that the security assessment procedures are to be disseminated to. (State if there are no additional roles)
  • Ensure that the security plan and assessment procedures are disseminated.
  • Define frequency at which to assess and update the security plan (Annually).
  • Maintain audit trail of reviews and updates.

Acceptance Criteria / Evidence:

  • List of personnel to whom the security plan is to be disseminated
  • Security plan
  • Security plan version update page
  • Security plan audit trail of reviews and updates

Links:

Labels:

  • PL
  • CA
  • PL-1
  • CA-1
  • security
  • planning
  • assessment
  • dissemination

As the CIO, I want to document and communicate our organization's security plan and define assessment procedures.

Why: A complete and coherent security plan is essential to share with new employees, outside organizations, or security auditors.

How:

  • Create a security plan that:
    • Is consistent with the organization's enterprise architecture
    • Explicitly defines the authorization boundary for the system
    • Describes the operational context of the system in terms of missions and business processes
    • Provides the security categorization of the system including supporting rationale
    • Describes the operational environment for the system and relationships with or connections to other systems
    • Provides an overview of the security requirements for the system
    • Identifies any relevant overlays, if applicable
    • Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions
    • Uses and documents Interconnection Security Agreements for system interconnections (CA-3)
  • Have the plan approved by the authorizing official prior to implementation.
  • Regularly review the security plan, including system interconnections.

Acceptance Criteria / Evidence:

  • Security plan
  • Security approval documentation
  • Security plan audit log

Links:

Labels:

  • PL
  • CA
  • PL-2
  • CA-3
  • security
  • planning
  • assessment