ARTIFACTS
PM: PROGRAM MANAGEMENT
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts, organized to make the information usable. From here you can navigate to the individual control pages, where the artifacts associated with each control or control enhancement are displayed alongside the control. Use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful for understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes the core documents for a risk-based cybersecurity program, the POLICY & PROCEDURES document for Program Management (PM), and the documents that are widely used in assessing the controls and control enhancements in the Program Management (PM) family. Policy and procedure documents from the control families are in CAPS and identified by their two-letter family code.
CORE ARTIFACTS
PROGRAM MANAGEMENT POLICY & PROCEDURES (PM)
ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)
WIDELY USED ARTIFACTS FOR PROGRAM MANAGEMENT
Program Management policy
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records
Security Authorization Package Documents
Policy & Procedures
Here you'll find a catalog of Program Management (PM) related policies and procedures for governing the security program of your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
Organizational procedures addressing development and maintenance of plans for conducting security testing, training, and monitoring activities | PM-14 |
Procedures addressing coordination of the program plan with relevant entities | PM-1 PM-2 |
Procedures addressing development, documentation, and updating of the critical infrastructure and key resources protection plan | PM-8 |
Procedures addressing development, implementation, review, and update of the risk management strategy | PM-9 |
Procedures addressing development, monitoring, and reporting of information security measures of performance | PM-6 |
Procedures addressing enterprise architecture development | PM-7 |
Procedures addressing information system inventory development and maintenance | PM-5 |
Procedures addressing management (i.e., documentation, tracking, and reporting) of the security authorization process | PM-10 |
Procedures addressing plans of action and milestones development and maintenance | PM-4 |
Procedures addressing plans of action and milestones reporting | PM-4 |
Procedures addressing program plan development and implementation | PM-1 PM-2 |
Procedures addressing program plan reviews and updates | PM-1 PM-2 |
Procedures for capital planning and investment | PM-3 |
Procedures for contacts with security groups and associations | PM-15 |
Procedures for determining mission/business protection needs | PM-11 |
Procedures for program plan approvals | PM-1 |
Procedures for review of plans for conducting security testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities | PM-14 |
Procedures for review of plans of action and milestones for consistency with risk management strategy and risk response priorities | PM-4 |
Procedures for the information security workforce development and improvement program | PM-13 |
Procedures for the insider threat program | PM-12 |
Procedures for the threat awareness program | PM-16 |
Evidence, Records & Artifacts
Here you'll find a catalog of Program Management (PM) related evidence, records, and artifacts that demonstrate how the security program of your digital enterprise and information supply chain is managed. Select those that support the assessment of your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Business cases for capital planning and investment | PM-3 |
Critical infrastructure and key resources protection plan | PM-8 |
Documentation of exceptions to capital planning requirements | PM-3 |
Enterprise architecture documentation | PM-7 |
Evidence of established and institutionalized contact with security groups and associations | PM-15 |
Evidence that plans for conducting security testing, training, and monitoring activities are executed in a timely manner | PM-14 |
Exhibits 300 (Capital Asset Plan) | PM-3 |
Exhibits 53 (Agency IT Investment Portfolio) | PM-3 |
HSPD 7 (Homeland Security Presidential Directive No. 7) | PM-8 |
Information security measures of performance | PM-6 |
Information security workforce development and improvement program documentation | PM-13 |
Information system inventory | PM-5 |
Insider threat program documentation | PM-12 |
National Infrastructure Protection Plan | PM-8 |
OMB FISMA reporting guidance | PM-5 |
OMB FISMA reporting requirements | PM-4 |
Organizational risk management strategy | PM-10 |
Plans for conducting security testing, training, and monitoring activities | PM-14 |
Plans of action and milestones | PM-4 |
Records of program plan reviews and updates | PM-1 |
Results of risk assessment of enterprise architecture | PM-7 |
Results of risk assessments associated with conducting security testing, training, and monitoring activities | PM-14 |
Results of risk assessments associated with plans of action and milestones | PM-4 |
Risk assessment results relevant to determination of mission/business protection needs | PM-11 |
Risk assessment results relevant to insider threats | PM-12 |
Risk assessment results relevant to the risk management strategy | PM-9 |
Risk assessment results relevant to the security authorization process and the organization-wide risk management program | PM-10 |
Risk assessment results relevant to threat awareness | PM-16 |
Risk management strategy | PM-9 PM-11 PM-14 PM-15 |
Security authorization documents | PM-10 |
Threat awareness program documentation | PM-16 |
Program Management Related Lists
These are the Program Management (PM) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain, you should know the source of each list and the data it contains; how the list is generated, where it is stored, and how it is maintained; and how to obtain it when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
List or other documentation on the cross-discipline insider threat incident handling team | PM-12 |
List or other documentation on the cross-organization information-sharing capability | PM-16 |
Lists or other documentation about contact with and/or membership in security groups and associations | PM-15 |
Lists or other documentation about security authorization process roles and responsibilities | PM-10 |