CoreOS 4.x - Planning

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

Control    Name                                                  Status
PL-1       Security Planning Policy And Procedures               not applicable
PL-2       System Security Plan                                  not applicable
PL-2 (1)   Concept Of Operations                                 not applicable
PL-2 (2)   Functional Architecture                               not applicable
PL-2 (3)   Plan / Coordinate With Other Organizational Entities  not applicable
PL-3       System Security Plan Update                           not applicable
PL-4       Rules Of Behavior                                     not applicable
PL-4 (1)   Social Media And Networking Restrictions              not applicable
PL-5       Privacy Impact Assessment                             not applicable
PL-6       Security-Related Activity Planning                    not applicable
PL-7       Security Concept Of Operations                        not applicable
PL-8       Information Security Architecture                     not applicable
PL-8 (1)   Defense-In-Depth                                      not applicable
PL-8 (2)   Supplier Diversity                                    not applicable
PL-9       Central Management                                    not applicable




PL-1: Security Planning Policy And Procedures

The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
  b. Reviews and updates the current:
     1. Security planning policy [Assignment: organization-defined frequency]; and
     2. Security planning procedures [Assignment: organization-defined frequency].

PL-1 Control Response Information
Implementation Status:

not applicable

PL-1: What is the solution and how is it implemented?

This control reflects organizational procedure/policy and is not applicable to component-level configuration.




PL-2: System Security Plan

The organization:
  a. Develops a security plan for the information system that:
     1. Is consistent with the organization's enterprise architecture;
     2. Explicitly defines the authorization boundary for the system;
     3. Describes the operational context of the information system in terms of missions and business processes;
     4. Provides the security categorization of the information system including supporting rationale;
     5. Describes the operational environment for the information system and relationships with or connections to other information systems;
     6. Provides an overview of the security requirements for the system;
     7. Identifies any relevant overlays, if applicable;
     8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
     9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
  b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
  c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
  d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
  e. Protects the security plan from unauthorized disclosure and modification.

PL-2 Control Response Information
Implementation Status: