NIST 800-53 r5 · Controls catalogue · Family PM
PM-1 Information Security Program Plan
- Develop and disseminate an organization-wide information security program plan that:
  - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
  - Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  - Reflects the coordination among organizational entities responsible for information security; and
  - Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
- Review and update the organization-wide information security program plan {{ insert: param, pm-01_odp.01 }} and following {{ insert: param, pm-01_odp.02 }}; and
- Protect the information security program plan from unauthorized disclosure and modification.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5) [AI]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Requiring protection of the program plan from unauthorized disclosure directly reduces exposure of sensitive security program details and control descriptions. |
| CWE-284 | Improper Access Control | 4,832 | Mandating protection of the plan from unauthorized access and modification enforces access control on this organization-wide security governance artifact. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Treating the plan as a critical resource and requiring it to be protected from unauthorized modification or disclosure drives correct permission assignment. |
| CWE-285 | Improper Authorization | 1,230 | The control requires authorization mechanisms and senior approval to prevent unauthorized viewing or alteration of the plan. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Explicit protection requirements make it harder for the plan document to remain accessible to external or otherwise unauthorized parties. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||