PL-02 System Security and Privacy Plans
a. Develop security and privacy plans for the system that:
1. Are consistent with the organization’s enterprise architecture;
2. Explicitly define the constituent system components;
3. Describe the operational context of the system in terms of mission and business processes;
4. Identify the individuals that fulfill system roles and responsibilities;
5. Identify the information types processed, stored, and transmitted by the system;
6. Provide the security categorization of the system, including supporting rationale;
7. Describe any specific threats to the system that are of concern to the organization;
8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
10. Provide an overview of the security and privacy requirements for the system;
11. Identify any relevant control baselines or overlays, if applicable;
12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
13. Include risk determinations for security and privacy architecture and design decisions;
14. Include security- and privacy-related activities affecting the system that require planning and coordination with pl-02_odp.01 ; and
15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to pl-02_odp.02;
c. Review the plans pl-02_odp.03;
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.
|pl-02_odp.01||individuals or groups|
|pl-02_odp.02||personnel or roles|
System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.
Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.
Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.
Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- SP 800-18 Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1.
- SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
- SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
- SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
Control Enhancements 3
- PL-02(01) Concept of Operations
- PL-02(02) Functional Architecture
- PL-02(03) Plan and Coordinate with Other Organizational Entities
Related controls 37
- AC-02 Account Management L M H P
- AC-06 Least Privilege L M H P
- AC-14 Permitted Actions Without Identification or Authentication L M H P
- AC-17 Remote Access L M H P
- AC-20 Use of External Systems L M H P
- CA-02 Control Assessments L M H P
- CA-03 Information Exchange L M H P
- CA-07 Continuous Monitoring L M H P
- CM-09 Configuration Management Plan L M H P
- CM-13 Data Action Mapping L M H P
- CP-02 Contingency Plan L M H P
- CP-04 Contingency Plan Testing L M H P
- IR-04 Incident Handling L M H P
- IR-08 Incident Response Plan L M H P
- MA-04 Nonlocal Maintenance L M H P
- MA-05 Maintenance Personnel L M H P
- MP-04 Media Storage L M H P
- MP-05 Media Transport L M H P
- PL-07 Concept of Operations L M H P
- PL-08 Security and Privacy Architectures L M H P
- PL-10 Baseline Selection L M H P
- PL-11 Baseline Tailoring L M H P
- PM-01 Information Security Program Plan L M H P
- PM-07 Enterprise Architecture L M H P
- PM-08 Critical Infrastructure Plan L M H P
- PM-09 Risk Management Strategy L M H P
- PM-10 Authorization Process L M H P
- PM-11 Mission and Business Process Definition L M H P
- RA-03 Risk Assessment L M H P
- RA-08 Privacy Impact Assessments L M H P
- RA-09 Criticality Analysis L M H P
- SA-05 System Documentation L M H P
- SA-17 Developer Security and Privacy Architecture and Design L M H P
- SA-22 Unsupported System Components L M H P
- SI-12 Information Management and Retention L M H P
- SR-02 Supply Chain Risk Management Plan L M H P
- SR-04 Provenance L M H P