Program Management Plan

Approach basics → §4.x

Organizational program identifiers and locations.

Organization name * Name of the organization that operates the org-level PM program (e.g., 'Department of Acme', 'Federal Bureau X', 'Acme Corp').

Information Security Program Plan (PM-1) location * Where the organizational ISPP is maintained (e.g., 'eMASS Org-Level Package OL-001', '/repo/org-compliance/ispp.md').

ISPP / PM-2 program lead role * Senior info-security officer accountable for the ISPP (typically CISO or equivalent).

Privacy Program Plan (PM-18) location Where the org Privacy Program Plan is maintained.

Privacy program lead role (PM-19) SAOP / Chief Privacy Officer.

Risk Management Strategy (PM-9) location * Where the org RMS is maintained.

Continuous Monitoring Strategy (PM-31) location * Where the org CA-7 / PM-31 ConMon strategy is maintained.

System inventory (PM-5) location * Where the org system inventory is maintained (e.g., 'CMDB', 'FISMA-Cybersecurity Performance Goals (CPG) reporting tool', 'eMASS').

This system's identifier in the inventory * How this system is identified in the org PM-5 inventory.

POA&M system (PM-4) * Org POA&M tracking system (e.g., 'eMASS POA&M module', 'Archer POA&M', 'Internal GRC tool').

POA&M ID prefix for this system * Convention for this system's POA&M items (e.g., 'POAM-CTLS-').

ISPP / Inventory / Purpose (PM-1, PM-5, PM-32) → §4.x

Where this system fits in the organization's program plan and inventory.

How this system is listed in the ISPP Reference to the section / appendix / inventory entry that identifies this system in the org ISPP.

ISSO role per ISPP ISSO / system-owner roles assigned to this system per the ISPP definitions.

Inventory attributes captured

System identifier (FISMA / agency) FIPS 199 categorization ATO date + expiration AO name / role System owner / ISSO / ISSM Boundary description Information types processed Hosting / deployment model Interconnections registered Operational status (production / dev / decommissioned) Records-retention applicability

Purpose alignment (PM-32) Per PM-32 — how this system's purpose aligns with the org mission. Reference to mission / business-process documentation.

Inventory-update cadence How often the inventory entry for this system is verified for currency.

Resources and Workforce (PM-3, PM-13) → §4.x

Org budget and workforce program as they apply to this system.

Resource-request process How this system requests resources from the org budget process. Reference org capital-planning workflow.

Unfunded-requirements escalation How unfunded requirements for this system are escalated through the org PM-3 process. Reference SA-2 system-level allocation.

Workforce-role mapping How roles supporting this system map to the org PM-13 workforce framework (NICE Framework / DoD 8140). Reference AT-3.

POA&M Management (PM-4) → §4.x

How this system contributes to the org POA&M process.

POA&M routing for this system How this system's POA&M items flow into the org PM-4 process (org-level dashboard, monthly roll-up, AO review cycle).

Review cadence at system level How often this system's POA&M is reviewed (e.g., 'Weekly system-internal review; monthly org submission'). Common.

Closure-evidence requirement Evidence required to close a POA&M item. Test results, configuration verification, control-effectiveness attestation.

Overdue-item escalation threshold When overdue POA&M items escalate (e.g., '>30 days past due → ISSM brief; >60 days → AO awareness').

Enterprise Architecture and Business Processes (PM-7, PM-11) → §4.x

How this system fits the org architecture and supports mission processes.

EA framework in use — Select — Federal Enterprise Architecture Framework (FEAF) Department of Defense Architecture Framework (DoDAF) TOGAF Agency-specific framework No formal EA framework

EA-documentation reference Where this system is documented in the org EA (segment, capability, transition plan).

Supported missions / business processes (PM-11)

Add item

Suggested: + Personnel administration + Benefits delivery + Tax administration + Law enforcement + Public-health surveillance + Financial reporting + Policy analysis

MEF reference (where applicable) If this system supports a Mission Essential Function: reference to the MEF. Reference RA-9 / CP-2.

Risk Management Strategy (PM-9, PM-28) → §4.x

Org RMS and this system's tier within it.

Org-tier-of-this-system — Select — Tier 1 (Organization) Tier 2 (Mission / Business Process) Tier 3 (System) — most common Per NIST SP 800-39 / 800-37 r2

RMS review cadence How often this system's risk posture surfaces to the org RMS (typical: quarterly + on significant change).

Risk framing (PM-28) Per PM-28 — how this system contributes to / inherits from the org risk-framing inputs (assumptions, constraints, risk tolerance, priorities).

Risk-tolerance statement reference Pointer to the org risk-tolerance statement that anchors RA-7 decisions for this system.

Testing, Training, Monitoring (PM-14, PM-31) → §4.x

Org-wide assessment and ConMon strategy as applied here.

Org PM-14 testing program reference How org-wide testing (annual control assessments, periodic incident-response exercises, training programs) covers this system.

ConMon strategy tier for this system If org ConMon strategy uses tiered cadences: which tier this system is assigned to (e.g., 'Tier 2 — moderate-impact, monthly attestation cycle').

Metrics this system supplies to org ConMon

Add item

Suggested: + Vulnerability scan results (RA-5) + Patch SLA compliance (SI-2) + Boundary alarm volume (SC-7) + Authentication failures (IA-2) + Privileged-access changes (AC-2) + ATO POA&M rollup + Continuous-monitoring assessment results

Reporting cadence to org ConMon How often this system reports metrics to the org PM-31 program (typical: monthly automated + quarterly review).

Protecting CUI on External Systems (PM-17) → §4.x

Per PM-17, controls when CUI extends beyond the system boundary.

CUI on external systems in scope? — Select — Yes — CUI is processed by external system services Yes — CUI is shared with partner organizations Yes — both (cloud + partner) No — CUI does not extend beyond authorization boundary Not applicable (no CUI)

External-system protections required Per PM-17 — what protections are required of external systems / organizations handling CUI (NIST SP 800-171 r3 compliance, contract clauses, attestations). Reference SA-9 / SR-8.

External-attestation handling How attestations of external compliance are received and validated.

Insider Threat Program (PM-12) → §4.x

How this system participates in the org insider-threat program.

System enrollment scope — Select — Fully enrolled (full data sharing with org IT program) Partially enrolled (selected indicators only) Aware-and-coordinated (no automated data sharing) Not enrolled (with rationale)

Data shared with org IT program

Audit logs (overlaps AU) Access-anomaly alerts DLP findings Behavioral analytics Termination-event triggers (overlaps PS-4) Personnel-screening status (overlaps PS-3) External-event correlation

Indicator-response coordination How org IT-program indicators relevant to this system are routed to system staff. Reference IR / PS-8.

Threat Awareness and External Engagement (PM-15, PM-16) → §4.x

How this system benefits from org threat intelligence and external engagements.

Groups / associations participated

Federal CIO Council Federal CISO Council Joint Task Force / interagency working groups Sector ISAC / ISAO DHS / CISA programs FBI InfraGard (ISC)² / SANS communities Vendor-specific user groups

Threat-awareness program reference (PM-16) Pointer to the org PM-16 threat-awareness program / TIP.

Intel-routing to this system How org threat-intel feeds (TIP, advisories, sector-ISAC reports) reach this system's defenders. Reference SI-5 / RA-10.

Privacy Program (PM-18 through PM-27) → §4.x

Org privacy program as it applies to this system.

Privacy plan review cadence How often the org privacy plan is reviewed (typical: 'Annually + on significant change'). Reference PT plan.

Privacy Act § (c) disclosure accounting (PM-21) How this system contributes to the org disclosure-accounting record. Where the records live. Reference PT-6.

PII quality program (PM-22) How this system contributes to / inherits from the org PII quality-management program. Data-correction workflows, accuracy verification.

Complaint-management program (PM-26) How privacy complaints affecting this system are handled. Routing to SAOP, response SLA.

Privacy reporting (PM-27) How this system contributes to org privacy-reporting requirements (FISMA Annual Report, OMB privacy reporting).

Data Governance (PM-23, PM-24) → §4.x

Data Governance Body and Data Integrity Board.

Data Governance Body in place? — Select — Yes — formal DGB chartered (PM-23) Yes — informal data-governance forum No — DGB role distributed among existing committees Pending establishment Not applicable

DGB charter reference If DGB exists: pointer to charter / membership.

Data Integrity Board required? — Select — Yes — DIB required for Privacy Act systems No — Privacy Act not applicable Pending review

DIB composition (Privacy Act § (u)) Members of the DIB if required. Reference PT-8 for matching agreements.

Supply Chain Risk Management Strategy (PM-30) → §4.x

Org-level SCRM strategy and this system's place in it.

Org SCRM strategy location Where the org SCRM strategy lives. Reference SR plan.

System scope in SCRM strategy How this system is scoped in the org SCRM strategy (critical / standard tier; specific covered components).

Org SCRM team role Role of the org SCRM team / how this system interacts with it. Reference SR-2(1).

PM Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Organization size (approximate) Order-of-magnitude personnel count for the organization. Anchors org-level program scope.

Systems in org inventory (approximate) Approximate count of systems in the org PM-5 inventory.

Active POA&M items for this system Approximate count of open POA&M items for this system.

Metrics this system provides to org Approximate count of distinct metrics this system reports to the org PM-31 ConMon program.

Program-Management Metrics & KPIs → §6.x

Metrics tracked to demonstrate PM control effectiveness.

Tracked metrics

Add item

Suggested: + System-inventory currency (last verification date) + POA&M active-item count + closure rate + Mean time from POA&M opening to closure + ConMon strategy adherence rate (metrics submitted on schedule) + ISPP review-cycle currency (last system-section review) + Mission-process alignment review currency + Org-program-participation completion rate (insider-threat enrollment, threat-awareness program) + Open POA&M items linked to PM controls + Significant-change notifications submitted on time

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the PM control implementations are summarized (e.g., 'SSP §13.18 — meta program').

All-families inheritance summary Summary of how each family plan inherits from PM (CA from PM-31, RA from PM-9, SR from PM-30, etc.). High-level pointer table.

CA handoff (PM-31) How this system's PM-31 ConMon strategy reference appears in CA-7. Reference CA plan.

RA handoff (PM-9, PM-28) How this system's PM-9 / PM-28 RMS reference appears in RA-3 / RA-7. Reference RA plan.

SR handoff (PM-30) How this system's PM-30 SCRM strategy reference appears in SR-2. Reference SR plan.

PT handoff (PM-18 / PM-19) How this system's PM-18 / PM-19 privacy program reference appears in PT-2 / PT-5 / PT-6. Reference PT plan.

IR handoff (PM-12) How insider-threat indicators flow between this system's IR plan and the org PM-12 program.