home || catalog: SP800-53rev3 / class: Management / family: (PL) Planning ||

PL-02: System Security Plan

base control objective:
The organization:
a. Develops a security plan for the information system that:
   - Is consistent with the organization’s enterprise architecture;
   - Explicitly defines the authorization boundary for the system;
   - Describes the operational context of the information system in terms of missions and business processes;
   - Provides the security categorization of the information system including supporting rationale;
   - Describes the operational environment for the information system;
   - Describes relationships with or connections to other information systems;
   - Provides an overview of the security requirements for the system;
   - Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
   - Is reviewed and approved by the authorizing official or authorizing official designated representative prior to plan implementation.
b. Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
c. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.

supplemental objective information:
The security plan contains sufficient information (including specification of parameters for assignment and selection statements in security controls either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a subsequent determination of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Security plans are reviewed and approved by authorizing officials or authorizing official designated representatives prior to implementation as part of an organizational risk management strategy.

enhancements to the base objective:

(1) The organization:
(a) Develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum:
(i) the purpose of the system;
(ii) a description of the system architecture;
(iii) the security authorization schedule; and
(iv) the security categorization and associated factors considered in determining the categorization.
(b) Reviews and updates the CONOPS [Assignment: organization-defined frequency].
Enhancement Supplemental Guidance: The security CONOPS may be included in the security plan for the information system.

(2) The organization develops a functional architecture for the information system that identifies and maintains:
(a) All external interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface;
(b) User roles and the access privileges assigned to each role;
(c) Unique security requirements;
(d) Categories of sensitive information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and
(e) Restoration priority of information or information system services.
Enhancement Supplemental Guidance: Unique security requirements for the information system include, for example, encryption of key data elements at rest. Specific protection needs for the information system include, for example, the Privacy Act and Health Insurance Portability and Accountability Act.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base

related (regimented) controls:

PM-01   Security Program Plan
PM-07   Enterprise Architecture
PM-08   Critical Infrastructure Plan
PM-09   Risk Management Strategy
PM-11   Mission / Business Process Definition

documents referenced in SP800-53rev3 for PL-02:

Document               Date             Status    Title
FIPS 199               February 2004    current   Standards for Security Categorization of Federal Information and Information Systems
FIPS 200               March 2006       current   Minimum Security Requirements for Federal Information and Information Systems
NIST SP800-12          October 1995     current   An Introduction to Computer Security: The NIST Handbook
NIST SP800-14          September 1996   current   Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP800-18          February 2006    current   Guide for Developing Security Plans for Federal Information Systems
NIST SP800-19          October 1999     current   Mobile Agent Security
NIST SP800-21          December 2005    current   Guideline for Implementing Cryptography in the Federal Government
NIST SP800-25          October 2000     current   Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
NIST SP800-27          June 2004        current   Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
NIST SP800-30          July 2002        groan...  Risk Management Guide for Information Technology Systems
NIST SP800-32          February 2001    current   Introduction to Public Key Technology and the Federal PKI Infrastructure
NIST SP800-33          December 2001    current   Underlying Technical Models for Information Technology Security
NIST SP800-34          May 2010         current   Contingency Planning Guide for Information Technology Systems
NIST SP800-37          February 2010    current   Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP800-39          December 2010    DRAFT     Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View
NIST SP800-40          November 2005    current   Creating a Patch and Vulnerability Management Program
NIST SP800-41          September 2009   current   Guidelines on Firewalls and Firewall Policy
NIST SP800-44          September 2002   current   Guidelines on Securing Public Web Servers
NIST SP800-45          August 2006      DRAFT     Guidelines on Electronic Mail Security
NIST SP800-57, part 1  August 2005      current   Recommendation for Key Management, part 1
NIST SP800-57, part 2  August 2005      current   Recommendation for Key Management, part 2
NIST SP800-58          January 2005     current   Security Considerations for Voice Over IP Systems
NIST SP800-64          October 2008     current   Security Considerations in the Information System Development Life Cycle
NIST SP800-81          August 2010      current   Secure Domain Name System (DNS) Deployment Guide