Red Hat Virtualization Manager - Planning
Control responses for NIST 800-53 rev4.
Requirements Traceability Matrix
| Control | Name | Status |
|---|---|---|
| PL-1 | Security Planning Policy And Procedures |
not applicable |
| PL-2 | System Security Plan |
not applicable |
| PL-2 (1) | Concept Of Operations |
not applicable |
| PL-2 (2) | Functional Architecture |
not applicable |
| PL-2 (3) | Plan / Coordinate With Other Organizational Entities |
not applicable |
| PL-3 | System Security Plan Update |
not applicable |
| PL-4 | Rules Of Behavior |
not applicable |
| PL-4 (1) | Social Media And Networking Restrictions |
not applicable |
| PL-5 | Privacy Impact Assessment |
not applicable |
| PL-6 | Security-Related Activity Planning |
not applicable |
| PL-7 | Security Concept Of Operations |
not applicable |
| PL-8 | Information Security Architecture |
not applicable |
| PL-8 (1) | Defense-In-Depth |
not applicable |
| PL-8 (2) | Supplier Diversity |
not applicable |
| PL-9 | Central Management |
not applicable |
PL-1: Security Planning Policy And Procedures
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
|
|
|---|
|
Implementation Status:
not applicable |
| PL-1: What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-2: System Security Plan
The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization�s enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.
|
|
|---|
|
Implementation Status:
not applicable |
| PL-2: What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-2 (1): Concept Of Operations
“[Withdrawn: Incorporated into PL-7].”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-2 (1): What is the solution and how is it implemented? |
|---|
|
‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-7.’ |
PL-2 (2): Functional Architecture
“[Withdrawn: Incorporated into PL-8].”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-2 (2): What is the solution and how is it implemented? |
|---|
|
‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-8.’ |
PL-2 (3): Plan / Coordinate With Other Organizational Entities
“The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-2 (3): What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-3: System Security Plan Update
“[Withdrawn: Incorporated into PL-2].”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-3: What is the solution and how is it implemented? |
|---|
|
‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-2.’ |
PL-4: Rules Of Behavior
The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
|
|
|---|
|
Implementation Status:
not applicable |
| PL-4: What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-4 (1): Social Media And Networking Restrictions
“The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-4 (1): What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-5: Privacy Impact Assessment
“[Withdrawn: Incorporated into Appendix J, AR-2].”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-5: What is the solution and how is it implemented? |
|---|
|
‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into Appendix J, AR-2.’ |
PL-6: Security-Related Activity Planning
“[Withdrawn: Incorporated into PL-2].”
|
|
|---|
|
Implementation Status:
not applicable |
| PL-6: What is the solution and how is it implemented? |
|---|
|
‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PL-2.’ |
PL-7: Security Concept Of Operations
The organization: a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
|
|
|---|
|
Implementation Status:
not applicable |
| PL-7: What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-8: Information Security Architecture
The organization: a. Develops an information security architecture for the information system that: 1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; 2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and 3. Describes any information security assumptions about, and dependencies on, external services; b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
|
|
|---|
|
Implementation Status:
not applicable |
| PL-8: What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-8 (1): Defense-In-Depth
The organization designs its security architecture using a defense-in-depth approach that: (1)(a). Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and (1)(b). Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
|
|
|---|
|
Implementation Status:
not applicable |
| PL-8 (1): What is the solution and how is it implemented? |
|---|
|
‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’ |
PL-8 (2): Supplier Diversity
“The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.”
|
|
|---|
| Implementation Status: |