The NIST PM Security Control Family

The NIST PM (Program Management) control family is a set of security controls added to the NIST SP 800-53 catalog in Revision 3. Unlike the other families, the PM controls are implemented at the organization level rather than for an individual information system, and they are not assigned to the low, moderate, or high baselines: they apply regardless of which baseline a given system falls in. They are foundational and need to be established early in the System Development Life Cycle (SDLC). They lay the groundwork for processes that are critical to information security and should be treated as prerequisites for other important security controls: the success of the security controls implemented across individual information systems depends on the success of these program management controls.

  • PM-1 – INFORMATION SECURITY PROGRAM PLAN – this control requires the development and dissemination of an organization-wide information security program plan that:
    • provides an overview of the requirements for the security program and a description of the program management controls and common controls in place or planned
    • provides enough information about those controls to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended
    • includes roles, responsibilities, management commitment, co-ordination among organizational entities, and compliance
    • is approved by a senior official with responsibility and accountability for the risk being incurred
    • The plan must also be reviewed at an organization-defined frequency and revised to address organizational changes and problems identified during implementation or security control assessments.

  • PM-2 – SENIOR INFORMATION SECURITY OFFICER – the organization appoints a senior information security officer with the mission and resources to co-ordinate, develop, implement, and maintain the organization-wide information security program.
  • PM-3 – INFORMATION SECURITY RESOURCES – ensures that all capital planning and investment requests include the resources needed to implement the information security program, that exceptions are documented, and that the resources are actually available for expenditure as planned.
  • PM-4 – PLAN OF ACTION AND MILESTONES PROCESS – control CA-5 – Plan of Action and Milestones calls for a POA&M for each information system and refers to 800-37. PM-4 requires an organization-level process that ensures POA&Ms for the security program and its associated information systems are maintained and document the remedial actions taken to mitigate risk. This control is related to PM-10 – SECURITY AUTHORIZATION PROCESS.
  • PM-5 – INFORMATION SYSTEM INVENTORY – an inventory of major information systems is required by FISMA (Title III of the E-Government Act of 2002, Public Law 107-347). A component-level inventory within each system is called for by control CM-8 – Information System Component Inventory; the two inventories should reconcile, since a component that belongs to no inventoried system will escape both. An accurate inventory is an important prerequisite for Configuration Management and Risk Assessment.
  • PM-6 – INFORMATION SECURITY MEASURES OF PERFORMANCE – this control requires the organization to develop, monitor, and report on the results of information security measures of performance, and refers to 800-55 for building such metrics.
  • PM-7 – ENTERPRISE ARCHITECTURE – this control requires an enterprise architecture, with consideration for information security and the resulting risk, that supplies discipline and structure to managing the enterprise. It refers to 800-39 and the FEA (Federal Enterprise Architecture). This control is related to PM-8 – CRITICAL INFRASTRUCTURE PLAN, PM-9 – RISK MANAGEMENT STRATEGY, and PM-11 – MISSION/BUSINESS PROCESS DEFINITION.
  • PM-8 – CRITICAL INFRASTRUCTURE PLAN – critical infrastructure and key resources must be identified, and information security must be addressed in the development, documentation, and updating of the plan that protects them. This control is strongly related to PM-11 – MISSION/BUSINESS PROCESS DEFINITION and PM-9 – RISK MANAGEMENT STRATEGY.
  • PM-9 – RISK MANAGEMENT STRATEGY – a consistent, organization-wide risk management strategy defines a methodology for assessing risk, sets the organization's risk tolerance, and establishes how risk will be responded to and monitored over time. This control supports RA-3 – Risk Assessment and references 800-30 and 800-39. An important prerequisite is PM-11 – MISSION/BUSINESS PROCESS DEFINITION.
  • PM-10 – SECURITY AUTHORIZATION PROCESS – this control supports CA-6 – Security Authorization by establishing an organization-wide authorization process that documents, tracks, and reports the security state of information systems, designates the individuals who fill the authorization roles, and integrates authorization into the organization's risk management program. It references 800-37 and 800-39.
  • PM-11 – MISSION/BUSINESS PROCESS DEFINITION – mission and business processes define the information protection needs that determine which security controls are required. Risk tolerance is set based on these definitions, making this control a prerequisite to PM-9 – RISK MANAGEMENT STRATEGY. PM-11 is also a prerequisite to RA-2 – Security Categorization, and references FIPS 199 and 800-60.


NIST SP 800 series documents referenced above:

  • 800-30 Guide for Conducting Risk Assessments
  • 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
  • 800-53 Recommended Security Controls for Federal Information Systems and Organizations (Revision 3)
  • 800-55 Performance Measurement Guide for Information Security
  • 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
