PM-11: Mission / Business Process Definition
base control objective:
a. Defines mission/business processes with consideration for information security and the
resulting risk to organizational operations, organizational assets, individuals, other
organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes
and revises the processes as necessary, until an achievable set of protection needs is obtained.
supplemental objective information:
Information protection needs are technology-independent, required
capabilities to counter threats to organizations, individuals, or the Nation through the compromise
of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs
are derived from the mission/business needs defined by the organization, the mission/business
processes selected to meet the stated needs, and the organizational risk management strategy.
Information protection needs determine the required security controls for the organization and the
associated information systems supporting the mission/business processes. Inherent in defining an
organization’s information protection needs is an understanding of the level of adverse impact that
could result if a compromise of information occurs. The security categorization process is used to
make such potential impact determinations. Mission/business process definitions and associated
information protection requirements are documented by the organization in accordance with
organizational policy and procedure.
enhancements to the base objective:
mapping to FIPS199 baseline:
related (regimented) controls:
documents referenced in SP800-53rev3 for PM-11: