CoreOS 4.x - Planning

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

Control Name Status
PL-1 Security Planning Policy And Procedures

not applicable

PL-2 System Security Plan

not applicable

PL-2 (1) Concept Of Operations

not applicable

PL-2 (2) Functional Architecture

not applicable

PL-2 (3) Plan / Coordinate With Other Organizational Entities

not applicable

PL-3 System Security Plan Update

not applicable

PL-4 Rules Of Behavior

not applicable

PL-4 (1) Social Media And Networking Restrictions

not applicable

PL-5 Privacy Impact Assessment

not applicable

PL-6 Security-Related Activity Planning

not applicable

PL-7 Security Concept Of Operations

not applicable

PL-8 Information Security Architecture

not applicable

PL-8 (1) Defense-In-Depth

not applicable

PL-8 (2) Supplier Diversity

not applicable

PL-9 Central Management

not applicable




PL-1: Security Planning Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].

PL-1 Control Response Information
Implementation Status:

not applicable

PL-1: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




PL-2: System Security Plan

The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization�s enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.

PL-2 Control Response Information
Implementation Status:

not applicable

PL-2: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




PL-2 (1): Concept Of Operations

“[Withdrawn: Incorporated into PL-7].”

PL-2 (1) Control Response Information
Implementation Status:

not applicable

PL-2 (1): What is the solution and how is it implemented?

‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-7.’




PL-2 (2): Functional Architecture

“[Withdrawn: Incorporated into PL-8].”

PL-2 (2) Control Response Information
Implementation Status:

not applicable

PL-2 (2): What is the solution and how is it implemented?

‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-8.’




PL-2 (3): Plan / Coordinate With Other Organizational Entities

“The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.”

PL-2 (3) Control Response Information
Implementation Status:

not applicable

PL-2 (3): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




PL-3: System Security Plan Update

“[Withdrawn: Incorporated into PL-2].”

PL-3 Control Response Information
Implementation Status:

not applicable

PL-3: What is the solution and how is it implemented?

‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-2.’




PL-4: Rules Of Behavior

The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PL-4 Control Response Information
Implementation Status:

not applicable

PL-4: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




PL-4 (1): Social Media And Networking Restrictions

“The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.”

PL-4 (1) Control Response Information
Implementation Status:

not applicable

PL-4 (1): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




PL-5: Privacy Impact Assessment

“[Withdrawn: Incorporated into Appendix J, AR-2].”

PL-5 Control Response Information
Implementation Status: