PL-2—System Security and Privacy Plans
>Control Description
a. Develop security and privacy plans for the system that:
   1. Are consistent with the organization's enterprise architecture;
   2. Explicitly define the constituent system components;
   3. Describe the operational context of the system in terms of mission and business processes;
   4. Identify the individuals that fulfill system roles and responsibilities;
   5. Identify the information types processed, stored, and transmitted by the system;
   6. Provide the security categorization of the system, including supporting rationale;
   7. Describe any specific threats to the system that are of concern to the organization;
   8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
   9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
   10. Provide an overview of the security and privacy requirements for the system;
   11. Identify any relevant control baselines or overlays, if applicable;
   12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
   13. Include risk determinations for security and privacy architecture and design decisions;
   14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
   15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
c. Review the plans [Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.
>Related Controls