Controls in the program management family are foundational and are an implicit part of all baselines.
The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational…
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
The organization: Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and Ensures that information security resources are available for expenditure as planned.
The organization: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with OMB…
The organization develops and maintains an inventory of its information systems.
The organization develops, monitors, and reports on the results of information security measures of performance.
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; Implements the risk management strategy consistently across the organization; and Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational…
The organization: Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and Fully integrates the security authorization processes into an organization-wide risk management program.
The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
The organization establishes an information security workforce development and improvement program.
The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner; Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk…
The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel; To maintain currency with recommended security practices, techniques, and technologies; and To share current security-related information including threats, vulnerabilities, and incidents.
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.