Establish, implement, and maintain a planning policy.
CONTROL ID 14673
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a strategic plan., CC ID: 12784
This Control has the following implementation support Control(s):
Establish, implement, and maintain planning procedures., CC ID: 14698
Disseminate and communicate the planning policy to interested personnel and affected parties., CC ID: 14691
Include compliance requirements in the planning policy., CC ID: 14688
Include coordination amongst entities in the planning policy., CC ID: 14687
Include management commitment in the planning policy., CC ID: 14686
Include roles and responsibilities in the planning policy., CC ID: 14685
Include the scope in the planning policy., CC ID: 14684
Include the purpose in the planning policy., CC ID: 14683
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., FedRAMP Security Controls High Baseline, Version 5)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (PL-1c.1., FedRAMP Security Controls High Baseline, Version 5)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (PL-1c.1., FedRAMP Security Controls Low Baseline, Version 5)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (PL-1c.1., FedRAMP Security Controls Moderate Baseline, Version 5)
Policies every three (3) years (or if there is a significant change); and (PL-1 c.1., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
An agency or organization-level planning policy that: (PL-1 a.1, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
Is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and (PL-1 a.1.(b), Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
[Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (PL-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PL-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PL-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)