PL-8: Security and Privacy Architectures

An OSCAL Control

Statement

    • a. Develop security and privacy architectures for the system that:

      • 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

      • 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

      • 3. Describe how the architectures are integrated into and support the enterprise architecture; and

      • 4. Describe any assumptions about, and dependencies on, external systems and services;

    • b. Review and update the architectures to reflect changes in the enterprise architecture; and

    • c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

      • (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.