PL-2 - System Security and Privacy Plans

a. Develop security and privacy plans for the system that:
   1. Are consistent with the organization’s enterprise architecture;
   2. Explicitly define the constituent system components;
   3. Describe the operational context of the system in terms of mission and business processes;
   4. Identify the individuals that fulfill system roles and responsibilities;
   5. Identify the information types processed, stored, and transmitted by the system;
   6. Provide the security categorization of the system, including supporting rationale;
   7. Describe any specific threats to the system that are of concern to the organization;
   8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
   9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
   10. Provide an overview of the security and privacy requirements for the system;
   11. Identify any relevant control baselines or overlays, if applicable;
   12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
   13. Include risk determinations for security and privacy architecture and design decisions;
   14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
   15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
c. Review the plans [Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.


Informational References

ISO 27001

ID: PL-2
Enhancements: 

Countermeasures Covered by Control

ID Name Description D3FEND

Space Threats Tagged by Control

ID Description
SV-MA-6 Not planning for security on SV or designing in security from the beginning

Sample Requirements

Requirement
The Program shall develop a security plan for the spacecraft. {SV-MA-6} {PL-2}
The Program shall protect the security plan from unauthorized disclosure and modification. {SV-MA-6} {PL-2}
The Program shall plan and coordinate security-related activities affecting the spacecraft with groups associated with systems from which the spacecraft is inheriting satisfaction of controls before conducting such activities in order to reduce the impact on other organizational entities. {SV-MA-6} {PL-2}

Related SPARTA Techniques and Sub-Techniques

ID Name Description