PL: Planning

The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and Reviews and updates the current: Security planning policy…

The organization: Develops a security plan for the information system that: Is consistent with the organization’s enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational…

The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before…

The organization: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and Reviews and updates the CONOPS [Assignment: organization-defined frequency].

The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about,…

The organization centrally manages [Assignment: organization-defined security controls and related processes].