A strict requirement for DoD - and all other federal contractors - is developing and implementing an Information Security Program Plan (ISSP). Per NIST SP 800-53, “An information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended.”
Per PM-1 of NIST SP 800-53, organizations are to “...Develop and disseminate an organization-wide information security program plan…”.
Key Elements of a Successful Information Security Program Plan
A well-written ISSP document must contain descriptive information relating to all Program Management (PM) controls within the PM family as described in NIST SP 800-53. Specifically, the ISSP must provide detailed information for controls PM-1 to PM-32, including all control enhancements.
How to Get Started
Start by downloading our Information Security Program Plan (ISSP) template at the Arlington Security Portal (ASP).
Arlington Can Help
We have years of experience working within the broader federal agency apparatus, helping federal contractors develop high-quality, well-written policies and procedures and additional NIST RMF information security and privacy materials. Our NIST RMF information security and privacy policies, procedures, programs, and plans have been used by thousands of federal contractors to develop customized documentation for their growing security and compliance needs.