Establish, implement, and maintain a Capital Planning and Investment Control policy.
CONTROL ID
06279
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a financial management program., CC ID: 13228

This Control has the following implementation support Control(s):
  • Include risk management in the Capital Planning and Investment Control policy., CC ID: 16764
  • Include debt rating requirements in the Capital Planning and Investment Control policy., CC ID: 16692
  • Include divestiture requirements in the Capital Planning and Investment Control policy., CC ID: 16591


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The information security governance framework should address the need to make investment decisions about Information Security that reflect business objectives. (SG.01.01.04b, The Standard of Good Practice for Information Security)
  • The information security governance framework should address the need to make investment decisions about Information Security that reflect business objectives. (SG.01.01.04b, The Standard of Good Practice for Information Security, 2013)
  • the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; (§ 6.4.3.2 ¶ 1 i), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Prioritization of investments. (App A Objective 12:4b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Balances resource investments. (App A Objective 2:6c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The plan addresses long-term (three- to five-year horizon) goals and allocation of resources. (App A Objective 4:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; (PM-3a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must ensure capital planning and investment requests include the resources needed to implement the information security program, along with documenting any exceptions. (App G § PM-3.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. (PM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required. (PM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; (PM-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; (PM-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and (PM-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Each agency has an established and documented CPIC process in line with OMB Circular A-11. (§ 2.1.3, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; (PM-3a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)