PM – Program Management

The RMF Control Family PM, Program Management, addresses the need for organizations to have a program in place to manage the security of their information systems. This program should include a risk management process, a security awareness program, and a continuous monitoring program.

Controls in the PM Security Control Family

The PM Security Control Family includes the following controls:

  • PM-1: Information Security Program Plan: This control requires organizations to develop and implement an information security program plan. This plan should define the roles and responsibilities for information security and the process for managing the security of information systems.
  • PM-2: Senior Information Security Officer: This control requires organizations to appoint a senior information security officer (CISO) to be responsible for the overall security of the organization’s information systems.
  • PM-3: Information Security Resources: This control requires organizations to allocate adequate resources to the information security program.
  • PM-4: Plan of Action and Milestones Process: This control requires organizations to develop a plan of action and milestones (POAM) for implementing the information security program.
  • PM-5: Information System Inventory: This control requires organizations to maintain an inventory of their information systems.
  • PM-6: Information Security Measures of Performance: This control requires organizations to develop and implement measures of performance to assess the effectiveness of the information security program.
  • PM-7: Enterprise Architecture: This control requires organizations to develop and maintain an enterprise architecture that includes the organization’s information systems and the security controls that protect those systems.
  • PM-8: Critical Infrastructure Plan: This control requires organizations that are designated as critical infrastructure to develop and implement a critical infrastructure plan.
  • PM-9: Risk Management Process: This control requires organizations to implement a risk management process to identify, assess, and manage the risks to their information systems.
  • PM-10: Security Awareness Program: This control requires organizations to implement a security awareness program to educate employees about information security best practices.
  • PM-11: Continuous Monitoring Program: This control requires organizations to implement a continuous monitoring program to detect and respond to security incidents.

Benefits of Implementing the PM Security Control Family

Implementing the PM Security Control Family offers several benefits, including:

  • Improved security: The PM Security Control Family improves the security of information systems by ensuring that organizations have a program in place to manage security. That program helps identify and mitigate security risks and respond to security incidents quickly and effectively.
  • Reduced risk: The same program reduces the risk of security incidents by helping to prevent them from occurring and by minimizing the impact of those that do occur.
  • Compliance: The PM Security Control Family can help organizations comply with applicable laws and regulations, such as the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
  • Increased trust: By implementing the PM Security Control Family, organizations can demonstrate to their customers and partners that they are taking steps to protect their information.

How to Implement the PM Security Control Family

To implement the PM Security Control Family, organizations should follow these steps:

  1. Develop an information security program plan. This plan should define the roles and responsibilities for information security and the process for managing the security of information systems.
  2. Appoint a senior information security officer (CISO) to be responsible for the overall security of the organization’s information systems.
  3. Allocate adequate resources to the information security program.
  4. Develop a plan of action and milestones (POAM) for implementing the information security program.
  5. Maintain an inventory of your information systems.
  6. Develop and implement measures of performance to assess the effectiveness of the information security program.
  7. Develop and maintain an enterprise architecture that includes the organization’s information systems and the security controls that protect those systems.
  8. Develop and implement a critical infrastructure plan, if required.
  9. Implement a risk management process to identify, assess, and manage the risks to your information systems.
  10. Implement a security awareness program