Security plans relate security requirements to a set of security controls and control enhancements.


The organization develops a security plan (PL001) for the information system that:

  1. Is consistent with the organization’s enterprise architecture
  2. Explicitly defines the authorization boundary for the system
  3. Describes the operational context of the information system in terms of missions and business processes
  4. Provides the security categorization of the information system, including supporting rationale
  5. Describes the operational environment for the information system and its relationships with or connections to other information systems
  6. Provides an overview of the security requirements for the system
  7. Identifies any relevant overlays, if applicable
  8. Describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions
  9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation

The organization also:

  1. Distributes copies of the security plan, and communicates subsequent changes to the plan, to the information security team identified in the Information Security Team Roster (PL002)
  2. Reviews the security plan for the information system annually
  3. Updates the plan to address changes to the information system or its environment of operation, or problems identified during plan implementation or security control assessments
  4. Protects the security plan from unauthorized disclosure and modification


The organization:

  1. Establishes, and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage
  2. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. The rules of behavior described above are included in the Acceptable Use Agreement (PL003)
  3. Reviews and updates the rules of behavior annually
  4. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign them whenever the rules of behavior are revised or updated


  • The Quarterly Management Review (MR001) includes an assessment of the Information Security Team Roster (PL002) and of the signed Acceptable Use Agreements (PL003)
  • The Annual Management Review (MR002) includes a review of this policy and an assessment of the most recent Security Plan (PL001)