Program Management (PM)
This page contains all 37 controls and control enhancements in the Program Management (PM) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.
Official NIST OSCAL source
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
PM-01 (Information Security Program Plan)
- a. Develop and disseminate an organization-wide information security program plan that:
    - 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
    - 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
    - 3. Reflects the coordination among organizational entities responsible for information security; and
    - 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
- b. Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- c. Protect the information security program plan from unauthorized disclosure and modification.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-02 (Information Security Program Leadership Role)
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-03 (Information Security and Privacy Resources)
- a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
- b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and
- c. Make available for expenditure, the planned information security and privacy resources.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-04 (Plan of Action and Milestones Process)
- a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
    - 1. Are developed and maintained;
    - 2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
    - 3. Are reported in accordance with established reporting requirements.
- b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-05 (System Inventory)
Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-05 (01) (Inventory of Personally Identifiable Information)
Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-06 (Measures of Performance)
Develop, monitor, and report on the results of information security and privacy measures of performance.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-07 (Enterprise Architecture)
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-07 (01) (Offloading)
Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-08 (Critical Infrastructure Plan)
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-09 (Risk Management Strategy)
- a. Develops a comprehensive strategy to manage:
    - 1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
    - 2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
- b. Implement the risk management strategy consistently across the organization; and
- c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-10 (Authorization Process)
- a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
- b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
- c. Integrate the authorization processes into an organization-wide risk management program.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-11 (Mission and Business Process Definition)
- a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
- b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
- c. Review and revise the mission and business processes [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-12 (Insider Threat Program)
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-13 (Security and Privacy Workforce)
Establish a security and privacy workforce development and improvement program.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-14 (Testing, Training, and Monitoring)
- a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
    - 1. Are developed and maintained; and
    - 2. Continue to be executed; and
- b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-15 (Security and Privacy Groups and Associations)
Establish and institutionalize contact with selected groups and associations within the security and privacy communities:
- a. To facilitate ongoing security and privacy education and training for organizational personnel;
- b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and
- c. To share current security and privacy information, including threats, vulnerabilities, and incidents.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-16 (Threat Awareness Program)
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-16 (01) (Automated Means for Sharing Threat Intelligence)
Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-17 (Protecting Controlled Unclassified Information on External Systems)
- a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
- b. Review and update the policy and procedures [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-18 (Privacy Program Plan)
- a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:
    - 1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;
    - 2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;
    - 3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;
    - 4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;
    - 5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and
    - 6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
- b. Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-19 (Privacy Program Leadership Role)
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-20 (Dissemination of Privacy Program Information)
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:
- a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;
- b. Ensures that organizational privacy practices and reports are publicly available; and
- c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-20 (01) (Privacy Policies on Websites, Applications, and Digital Services)
Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:
- (a) Are written in plain language and organized in a way that is easy to understand and navigate;
- (b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and
- (c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-21 (Accounting of Disclosures)
- a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
    - 1. Date, nature, and purpose of each disclosure; and
    - 2. Name and address, or other contact information of the individual or organization to which the disclosure was made;
- b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
- c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-22 (Personally Identifiable Information Quality Management)
Develop and document organization-wide policies and procedures for:
- a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
- b. Correcting or deleting inaccurate or outdated personally identifiable information;
- c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
- d. Appeals of adverse decisions on correction or deletion requests.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-23 (Data Governance Body)
Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-24 (Data Integrity Board)
Establish a Data Integrity Board to:
- a. Review proposals to conduct or participate in a matching program; and
- b. Conduct an annual review of all matching programs in which the agency has participated.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-25 (Minimization of Personally Identifiable Information Used in Testing, Training, and Research)
- a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
- b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
- c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
- d. Review and update policies and procedures [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-26 (Complaint Management)
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
- a. Mechanisms that are easy to use and readily accessible by the public;
- b. All information necessary for successfully filing complaints;
- c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period];
- d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and
- e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-27 (Privacy Reporting)
- a. Develop [Assignment: organization-defined privacy reports] and disseminate to:
    - 1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
    - 2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and
- b. Review and update privacy reports [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-28 (Risk Framing)
- a. Identify and document:
    - 1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
    - 2. Constraints affecting risk assessments, risk responses, and risk monitoring;
    - 3. Priorities and trade-offs considered by the organization for managing risk; and
    - 4. Organizational risk tolerance;
- b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
- c. Review and update risk framing considerations [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-29 (Risk Management Program Leadership Roles)
- a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
- b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-30 (Supply Chain Risk Management Strategy)
- a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
- b. Implement the supply chain risk management strategy consistently across the organization; and
- c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-30 (01) (Suppliers of Critical or Mission-essential Items)
Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-31 (Continuous Monitoring Strategy)
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
- a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics];
- b. Establishing [Assignment: organization-defined monitoring frequencies] and [Assignment: organization-defined assessment frequencies] for control effectiveness;
- c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
- d. Correlation and analysis of information generated by control assessments and monitoring;
- e. Response actions to address results of the analysis of control assessment and monitoring information; and
- f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PM-32 (Purposing)
Analyze [Assignment: organization-defined systems or system components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools