catalog: SP800-53rev3 / class: Management / family: (PM) Program Management

PM-01: Security Program Plan

base control objective:
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
- Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
- Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.

supplemental objective information:
The information security program plan can be represented in a single document or a compilation of documents at the discretion of the organization. The plan documents the organization-wide program management controls and organization-defined common controls. The security plans for individual information systems and the organization-wide information security program plan together provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.
Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems.

enhancements to the base objective:

(1) None.

mapping to FIPS199 baseline:

LOW: org     MOD: org     HIGH: org

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for PM-01:

None.
