Red Hat Virtualization Host - Planning

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control    Name                                                    Status
PL-1       Security Planning Policy And Procedures                 not applicable
PL-2       System Security Plan                                    not applicable
PL-2 (1)   Concept Of Operations
PL-2 (2)   Functional Architecture
PL-2 (3)   Plan / Coordinate With Other Organizational Entities
PL-3       System Security Plan Update
PL-4       Rules Of Behavior                                       not applicable
PL-4 (1)   Social Media And Networking Restrictions
PL-5       Privacy Impact Assessment
PL-6       Security-Related Activity Planning
PL-7       Security Concept Of Operations
PL-8       Information Security Architecture
PL-8 (1)   Defense-In-Depth
PL-8 (2)   Supplier Diversity
PL-9       Central Management



PL-1: Security Planning Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].

PL-1 Control Response Information
Implementation Status:

not applicable

PL-1: What is the solution and how is it implemented?
PL-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PL-2: System Security Plan

The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization's enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.

PL-2 Control Response Information
Implementation Status:

not applicable

PL-2: What is the solution and how is it implemented?
PL-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-2(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-2(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PL-2 (1): Concept Of Operations

“[Withdrawn: Incorporated into PL-7].”

PL-2 (1) Control Response Information
Implementation Status:
PL-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-2 (2): Functional Architecture

“[Withdrawn: Incorporated into PL-8].”

PL-2 (2) Control Response Information
Implementation Status:
PL-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-2 (3): Plan / Coordinate With Other Organizational Entities

“The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.”

PL-2 (3) Control Response Information
Implementation Status:
PL-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-3: System Security Plan Update

“[Withdrawn: Incorporated into PL-2].”

PL-3 Control Response Information
Implementation Status:
PL-3: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-4: Rules Of Behavior

The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PL-4 Control Response Information
Implementation Status:

not applicable

PL-4: What is the solution and how is it implemented?
PL-4(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-4(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-4(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PL-4(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PL-4 (1): Social Media And Networking Restrictions

“The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.”

PL-4 (1) Control Response Information
Implementation Status:
PL-4 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-5: Privacy Impact Assessment

“[Withdrawn: Incorporated into Appendix J, AR-2].”

PL-5 Control Response Information
Implementation Status:
PL-5: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-6: Security-Related Activity Planning

“[Withdrawn: Incorporated into PL-2].”

PL-6 Control Response Information
Implementation Status:
PL-6: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-7: Security Concept Of Operations

The organization: a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].

PL-7 Control Response Information
Implementation Status:
PL-7: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-8: Information Security Architecture

The organization: a. Develops an information security architecture for the information system that: 1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; 2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and 3. Describes any information security assumptions about, and dependencies on, external services; b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

PL-8 Control Response Information
Implementation Status:
PL-8: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-8 (1): Defense-In-Depth

The organization designs its security architecture using a defense-in-depth approach that: (1)(a). Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and (1)(b). Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.

PL-8 (1) Control Response Information
Implementation Status:
PL-8 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-8 (2): Supplier Diversity

“The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.”

PL-8 (2) Control Response Information
Implementation Status:
PL-8 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PL-9: Central Management

“The organization centrally manages [Assignment: organization-defined security controls and related processes].”

PL-9 Control Response Information
Implementation Status:
PL-9: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.