03.15.01: Policy and Procedures

Control Family: Planning

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-12 [61]

  • SP 800-100 [62]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.15.01

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • AC-01

  • AT-01

  • AU-01

  • CA-01

  • CM-01

  • IA-01

  • IR-01

  • MA-01

  • MP-01

  • PE-01

  • PL-01

  • PS-01

  • RA-01

  • SA-01

  • SC-01

  • SI-01

  • SR-01

a. Develop, document, and disseminate to organizational personnel or roles the policies and procedures needed to satisfy the security requirements for the protection of CUI.

b. Review and update policies and procedures [Assignment: organization-defined frequency].

Discussion:

This requirement addresses policies and procedures for the protection of CUI. Policies and procedures contribute to security assurance and should address each family of the CUI security requirements. Policies can be included as part of the organizational security policy or be represented by separate policies that address each family of security requirements. Procedures describe how policies are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security plans or in one or more separate documents.

Assessment Methods and Objectives

Examine [SELECT FROM: security policies and procedures associated with the protection of CUI; audit findings; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with information security responsibilities]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.15.01.ODP[01]: the frequency at which the policies and procedures for satisfying security requirements are reviewed and updated is defined.

A.03.15.01.a[01]: policies needed to satisfy the security requirements for the protection of CUI are developed and documented.

A.03.15.01.a[02]: policies needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.

A.03.15.01.a[03]: procedures needed to satisfy the security requirements for the protection of CUI are developed and documented.

A.03.15.01.a[04]: procedures needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.

A.03.15.01.b[01]: policies and procedures are reviewed <A.03.15.01.ODP[01]: frequency>.

A.03.15.01.b[02]: policies and procedures are updated <A.03.15.01.ODP[01]: frequency>.