Program Management
NIST SP 800-53 Rev 5 Program Management controls.
Information Security Program Plan
Develop and disseminate an organization-wide information security program plan that:
Information Security Program Leadership Role
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Information Security and Privacy Resources
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
Plan of Action and Milestones Process
Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
System Inventory
Develop and update [parameter] an inventory of organizational systems.
Measures of Performance
Develop, monitor, and report on the results of information security and privacy measures of performance.
Enterprise Architecture
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Critical Infrastructure Plan
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Risk Management Strategy
Develop a comprehensive strategy to manage:
Authorization Process
Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
Mission and Business Process Definition
Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
Insider Threat Program
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Security and Privacy Workforce
Establish a security and privacy workforce development and improvement program.
Testing, Training, and Monitoring
Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
Security and Privacy Groups and Associations
Establish and institutionalize contact with selected groups and associations within the security and privacy communities:
Threat Awareness Program
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Protecting Controlled Unclassified Information on External Systems
Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
Privacy Program Plan
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:
Privacy Program Leadership Role
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
Dissemination of Privacy Program Information
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:
Accounting of Disclosures
Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
Personally Identifiable Information Quality Management
Develop and document organization-wide policies and procedures for:
Data Governance Body
Establish a Data Governance Body consisting of [parameter] with [parameter].
Data Integrity Board
Establish a Data Integrity Board to:
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
Complaint Management
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
Privacy Reporting
Develop [parameter] and disseminate to:
Risk Framing
Identify and document:
Risk Management Program Leadership Roles
Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
Supply Chain Risk Management Strategy
Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
Continuous Monitoring Strategy
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
Purposing
Analyze [parameter] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.