Information Technology Reference
In-Depth Information
Category/
Subcategory/
Element
Control
Reference
Control Summary
Interpretation
pl
planning
PL-1
Security planning
policy and
procedures
The organization develops,
disseminates, and periodically
reviews/updates: (i) a formal,
documented security planning
policy that addresses purpose,
scope, roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and (ii) formal,
documented procedures to
facilitate the implementation of
the security planning policy and
associated security planning
controls.
PL-2
System security plan
The organization develops and
implements a security plan for the
information system that provides
an overview of the security
requirements for the system and a
description of the security
controls in place or planned for
meeting those requirements.
Designated officials within the
organization review and approve
the plan.
PL-3
System security plan
update
The organization reviews the
security plan for the information
system [assignment: organization-
defined frequency, at least
annually] and revises the plan to
address system/organizational
changes or problems identified
during plan implementation or
security control assessments.
