PM-10: SECURITY AUTHORIZATION PROCESS
PROGRAM MANAGEMENT & INDUSTRIAL CONTROL SYSTEMS
ICS Control Baselines:
- Program Management is baseline independent.
- a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
- b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
- c. Fully integrates the security authorization processes into an organization-wide risk management program.
Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation.
ICS SUPPLEMENTAL GUIDANCE
The authorization-to-operate processes for ICS involve multiple disciplines that have existing approval and risk management processes (e.g., physical security, safety). Organization-wide risk management requires harmonization among these disciplines.
RELATED CONTROLS: PM-10
NO CONTROL ENHANCEMENTS
- NIST Special Publication 800-82
- NIST Special Publication 800-37
- NIST Special Publication 800-39