NIST 800-53 r5 · Controls catalogue · Family PL
PL-2 System Security and Privacy Plans
Develop security and privacy plans for the system that:
- Are consistent with the organization’s enterprise architecture;
- Explicitly define the constituent system components;
- Describe the operational context of the system in terms of mission and business processes;
- Identify the individuals that fulfill system roles and responsibilities;
- Identify the information types processed, stored, and transmitted by the system;
- Provide the security categorization of the system, including supporting rationale;
- Describe any specific threats to the system that are of concern to the organization;
- Provide the results of a privacy risk assessment for systems processing personally identifiable information;
- Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
- Provide an overview of the security and privacy requirements for the system;
- Identify any relevant control baselines or overlays, if applicable;
- Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
- Include risk determinations for security and privacy architecture and design decisions;
- Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }}; and
- Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

In addition:
- Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};
- Review the plans {{ insert: param, pl-02_odp.03 }};
- Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
- Protect the plans from unauthorized disclosure and modification.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Requires explicit protection of plans from unauthorized disclosure, directly reducing exposure of sensitive system and privacy information contained in them. |
| CWE-284 | Improper Access Control | 4,832 | Mandates defining roles/responsibilities, security categorization, and controls (including authorization) while protecting plans from unauthorized modification. |
| CWE-285 | Improper Authorization | 1,230 | Requires describing authorization-related controls, roles, and risk determinations to ensure proper enforcement of access decisions. |
| CWE-693 | Protection Mechanism Failure | 476 | Requires documenting controls planned or in place to meet requirements plus rationale, reducing the chance that protection mechanisms are missing or ineffective due to poor planning. |
| CWE-657 | Violation of Secure Design Principles | 19 | Requires risk determinations for architecture/design decisions, tailoring rationale, and alignment with enterprise architecture to avoid violations of secure design principles. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |