Establish, implement, and maintain a Capital Planning and Investment Control policy.
CONTROL ID 06279
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a financial management program., CC ID: 13228
This Control has the following implementation support Control(s):
Include risk management in the Capital Planning and Investment Control policy., CC ID: 16764
Include debt rating requirements in the Capital Planning and Investment Control policy., CC ID: 16692
Include divestiture requirements in the Capital Planning and Investment Control policy., CC ID: 16591
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The information security governance framework should address the need to make investment decisions about Information Security that reflect business objectives. (SG.01.01.04b, The Standard of Good Practice for Information Security)
The information security governance framework should address the need to make investment decisions about Information Security that reflect business objectives. (SG.01.01.04b, The Standard of Good Practice for Information Security, 2013)
the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; (§ 6.4.3.2 ¶ 1 i), ISO 37000:2021, Governance of organizations – Guidance, First Edition)
Prioritization of investments. (App A Objective 12:4b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Balances resource investments. (App A Objective 2:6c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
The plan addresses long-term (three- to five-year horizon) goals and allocation of resources. (App A Objective 4:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; (PM-3a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
The organization must ensure capital planning and investment requests include the resources needed to implement the information security program, along with documenting any exceptions. (App G § PM-3.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. (PM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required. (PM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; (PM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Each agency has an established and documented CPIC process in line with OMB Circular A-11. (§ 2.1.3, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; (PM-3a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)