PL-7: SECURITY CONCEPT OF OPERATIONS
TAILORED FOR INDUSTRIAL CONTROL SYSTEMS
ICS Control Baselines:
- Moderate (ADDED)
- a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
- b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents).
ICS SUPPLEMENTAL GUIDANCE
No ICS Supplemental Guidance.
Rationale for adding PL-7 to moderate and high baselines: ICS are complex systems. Organizations typically employ a CONOPS to help define a system and share that understanding with personnel involved with that system and other systems with which it interacts. A CONOPS often helps identify information protection requirements.
RELATED CONTROLS: PL-7
NO CONTROL ENHANCEMENTS
- NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY