
💼 PL-2 System Security and Privacy Plans

  • Contextual name: 💼 PL-2 System Security and Privacy Plans
  • ID: /frameworks/nist-sp-800-53-r5/pl/02
  • Located in: 💼 PL Planning

Description

a. Develop security and privacy plans for the system that:

  1. Are consistent with the organization's enterprise architecture;
  2. Explicitly define the constituent system components;
  3. Describe the operational context of the system in terms of mission and business processes;
  4. Identify the individuals that fulfill system roles and responsibilities;
  5. Identify the information types processed, stored, and transmitted by the system;
  6. Provide the security categorization of the system, including supporting rationale;
  7. Describe any specific threats to the system that are of concern to the organization;
  8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
  9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
  10. Provide an overview of the security and privacy requirements for the system;
  11. Identify any relevant control baselines or overlays, if applicable;
  12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
  13. Include risk determinations for security and privacy architecture and design decisions;
  14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
  15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
c. Review the plans [Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.

Similar

  • Internal
    • ID: dec-c-35aa25a1

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 PL-2 System Security and Privacy Plans | (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 PL-2 System Security and Privacy Plans | (L)(M)(H)
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 31
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 3
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 10
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 23
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 24
💼 NIST CSF v2.0 → 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | 3

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PL-2(1) System Security and Privacy Plans _ Concept of Operations
💼 PL-2(2) System Security and Privacy Plans _ Functional Architecture
💼 PL-2(3) System Security and Privacy Plans _ Plan and Coordinate with Other Organizational Entities