PM: Program Management

Controls

PM-1: Information Security Program Plan

Baseline(s):

(Not part of any baseline)

Develop and disseminate an organization-wide information security program plan that:

  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
  • Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and…

PM-2: Information Security Program Leadership Role

Baseline(s):

(Not part of any baseline)

Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

PM-3: Information Security and Privacy Resources

Baseline(s):

  • Privacy

  • Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
  • Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and
  • Make available…

PM-4: Plan of Action and Milestones Process

Baseline(s):

  • Privacy

Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:

  • Are developed and maintained;
  • Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations,…

PM-5: System Inventory

Baseline(s):

(Not part of any baseline)

Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.

PM-6: Measures of Performance

Baseline(s):

  • Privacy

Develop, monitor, and report on the results of information security and privacy measures of performance.

PM-7: Enterprise Architecture

Baseline(s):

  • Privacy

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.

PM-8: Critical Infrastructure Plan

Baseline(s):

  • Privacy

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-9: Risk Management Strategy

Baseline(s):

  • Privacy

  • Develop a comprehensive strategy to manage:
      • Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
      • Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
  • Implement the risk management strategy consistently across the organization; and
  • Review and update…

PM-10: Authorization Process

Baseline(s):

  • Privacy

  • Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
  • Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
  • Integrate the authorization processes into an organization-wide risk management program.

PM-11: Mission and Business Process Definition

Baseline(s):

  • Privacy

  • Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
  • Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
  • Review and revise the mission and business processes…

PM-12: Insider Threat Program

Baseline(s):

(Not part of any baseline)

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

PM-14: Testing, Training, and Monitoring

Baseline(s):

  • Privacy

  • Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
      • Are developed and maintained; and
      • Continue to be executed; and
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-15: Security and Privacy Groups and Associations

Baseline(s):

(Not part of any baseline)

Establish and institutionalize contact with selected groups and associations within the security and privacy communities:

  • To facilitate ongoing security and privacy education and training for organizational personnel;
  • To maintain currency with recommended security and privacy practices, techniques, and technologies; and
  • To share current security and privacy information, including threats, vulnerabilities, and incidents.

PM-16: Threat Awareness Program

Baseline(s):

(Not part of any baseline)

Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.

PM-17: Protecting Controlled Unclassified Information on External Systems

Baseline(s):

  • Privacy

  • Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
  • Review and update the policy and procedures [Assignment: organization-defined frequency].

PM-18: Privacy Program Plan

Baseline(s):

  • Privacy

Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:

  • Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;
  • Provides an overview of the requirements for the privacy program and a description of the privacy program management controls…

PM-19: Privacy Program Leadership Role

Baseline(s):

  • Privacy

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

PM-20: Dissemination of Privacy Program Information

Baseline(s):

  • Privacy

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

  • Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;
  • Ensures that organizational privacy practices and reports…

PM-21: Accounting of Disclosures

Baseline(s):

  • Privacy

  • Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
      • Date, nature, and purpose of each disclosure; and
      • Name and address, or other contact information of the individual or organization to which the disclosure was made;
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is…

PM-22: Personally Identifiable Information Quality Management

Baseline(s):

  • Privacy

Develop and document organization-wide policies and procedures for:

  • Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
  • Correcting or deleting inaccurate or outdated personally identifiable information;
  • Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
  • Appeals of adverse decisions on…

PM-23: Data Governance Body

Baseline(s):

(Not part of any baseline)

Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].

PM-24: Data Integrity Board

Baseline(s):

  • Privacy

Establish a Data Integrity Board to:

  • Review proposals to conduct or participate in a matching program; and
  • Conduct an annual review of all matching programs in which the agency has participated.

PM-25: Minimization of Personally Identifiable Information Used in Testing, Training, and Research

Baseline(s):

  • Privacy

  • Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
  • Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
  • Authorize the use of personally identifiable information when such information is required for internal testing, training, and…

PM-26: Complaint Management

Baseline(s):

  • Privacy

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:

  • Mechanisms that are easy to use and readily accessible by the public;
  • All information necessary for successfully filing complaints;
  • Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment:…

PM-27: Privacy Reporting

Baseline(s):

  • Privacy

  • Develop [Assignment: organization-defined privacy reports] and disseminate to:
      • [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
      • [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and
  • Review and update privacy reports [Assignment: organization-defined frequency].

PM-28: Risk Framing

Baseline(s):

  • Privacy

  • Identify and document:
      • Assumptions affecting risk assessments, risk responses, and risk monitoring;
      • Constraints affecting risk assessments, risk responses, and risk monitoring;
      • Priorities and trade-offs considered by the organization for managing risk; and
      • Organizational risk tolerance;
  • Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
  • Review and update risk framing considerations [Assignment: organization-defined…

PM-29: Risk Management Program Leadership Roles

Baseline(s):

(Not part of any baseline)

  • Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
  • Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

PM-30: Supply Chain Risk Management Strategy

Baseline(s):

(Not part of any baseline)

  • Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
  • Implement the supply chain risk management strategy consistently across the organization; and
  • Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational…

PM-31: Continuous Monitoring Strategy

Baseline(s):

  • Privacy

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

  • Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics];
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
  • Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
  • Correlation and analysis of…

PM-32: Purposing

Baseline(s):

(Not part of any baseline)

Analyze [Assignment: organization-defined systems or system components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.