ARTIFACTS

PL: PLANNING

What's On This Page

Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.

Supplement the artifacts here with other relevent documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.

The Source of the Artifacts

The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizationsand Special Publication and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.

Essential Artifacts for Risk-Based Cybersecurity Programs

This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for Planning (PL); and documents that are widely used in the assessment of controls and control enhancements in the Planning (PL) family. Policy and Procedure documents from control families are in CAPS and identified with their two letter code.

CORE ARTIFACTS
WIDELY USED ARTIFACTS FOR PLANNING CONTROLS
PLANNING POLICY & PROCEDURES (PL)
Planning policy
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records
Security Authorization Package Documents:
  • Security Plan
  • Security Assessment
  • Plan of Action and Milestones (POA&M)
ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan

  • Plans related to a comprehensive Contingency Plan:
    • Business Continuity Plans
    • Disaster Recovery Plans
    • Continuity of Operations Plans
    • Crisis Communications Plans
    • Critical Infrastructure Plans
    • Cyber Incident Response Plans
    • Insider Threat Implementation Plan
    • Occupant Emergency Plans
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

Policy & Procedures

Here you'll find a catalog of Planning (PL) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.

POLICES & PROCEDURES APPLICABLE
CONTROL(S)
Contingency planning policy PL-2 (3)
Planning POLICY & PROCEDURES PL-1
Procedures addressing information security architecture development PL-8
PL-8 (1)
PL-8 (2)
Procedures addressing information security architecture reviews and updates PL-8
Procedures addressing rules of behavior for information system users PL-4
PL-4 (1)
Procedures addressing security CONOPS development PL-7
Procedures addressing security CONOPS reviews and updates PL-7
Procedures addressing security plan development and implementation PL-2
PL-9
Procedures addressing security plan reviews and updates PL-2
Procedures addressing security-related activity planning for the information system PL-2 (3)

Evidence, Records & Artifacts

Here you'll find a catalog of Planning (PL) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.

ARTIFACT APPLICABLE
CONTROL(S)
Access control policy PL-2 (3)
Enterprise architecture documentation PL-2
PL-8
PL-8 (1)
PL-8 (2)
Information security architecture documentation PL-8
PL-8 (1)
PL-8 (2)
Information system design documentation PL-2 (3)
Records for rules of behavior reviews and updates PL-4
Records of information security architecture reviews and updates PL-8
Records of security CONOPS reviews and updates PL-7
Records of security plan reviews and updates PL-2
Rules of behavior PL-4
PL-4 (1)
Security CONOPS for the information system PL-7
Security CONOPS for the information system PL-8
PL-8 (1)
PL-8 (2)
Signed acknowledgements PL-4

Planning Related Lists

These are the Planning (PL) related lists you may need to support your security program. For the lists applicable to your systems and informations supply chain you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained, and how to get the when you have an incident, an incident investigation or an audit.

LIST APPLICABLE
CONTROL(S)
THERE ARE NO PLANNING-SPECIFIC LISTS
Go to The List of Lists