OSCAL Control PM-7: Enterprise Architecture
Control statement:
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Discussion:
The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The requirements-integration process also ensures that the enterprise architecture and the organization’s security and privacy architectures are consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework (SP 800-37) and supporting security standards and guidelines.
Assessment objectives (determine if):
an enterprise architecture is developed with consideration for information security;
an enterprise architecture is maintained with consideration for information security;
an enterprise architecture is developed with consideration for privacy;
an enterprise architecture is maintained with consideration for privacy;
an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;
an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Examine:
Information security program plan
Privacy program plan
Enterprise architecture documentation
Procedures addressing enterprise architecture development
Results of risk assessments of enterprise architecture
Other relevant documents or records
Interview:
Organizational personnel with information security and privacy program planning and plan implementation responsibilities
Organizational personnel responsible for developing enterprise architecture
Organizational personnel responsible for risk assessments of enterprise architecture
Organizational personnel with information security and privacy responsibilities
Test:
Organizational processes for enterprise architecture development
Mechanisms supporting the enterprise architecture and its development