FedRAMP Controls / PL
PL-8 Security and Privacy Architectures
Family PL
Baselines moderate
Mapped KSIs 2
Control statement
a. Develop security and privacy architectures for the system that:
1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
3. Describe how the architectures are integrated into and support the enterprise architecture; and
4. Describe any assumptions about, and dependencies on, external systems and services;
b. Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and
c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
(b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-PIY-04 | CISA Secure By Design _Persistently_ review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles. | Policy and Inventory |
| KSI-SVC-01 | Continuous Improvement Implement improvements based on persistent evaluation of information resources for opportunities to improve security. | Service Configuration |