
PL-7 Concept of Operations

IL5
IL6

Control Description

a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and

b. Review and update the CONOPS [Assignment: organization-defined frequency].

DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

Discussion

The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures.

Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other organizational documents, such as procurement specifications, system development life cycle documents, and systems engineering documents.

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the security and privacy concept of operations for organizational systems?
  • How does the organization develop and document the concept of operations to align with enterprise architecture?
  • Who reviews and approves the concept of operations, and what is the review frequency?
  • How is the concept of operations integrated into system development lifecycle processes?
  • What governance exists for ensuring the concept of operations remains current and relevant?

Technical Implementation:

  • What documentation systems or repositories store the security and privacy concept of operations?
  • How is the concept of operations integrated into system architecture documentation?
  • What tools support development and maintenance of the concept of operations?

Evidence & Documentation:

  • Provide the security and privacy concept of operations documentation.
  • Provide evidence of concept of operations review and approval.
  • Provide documentation showing CONOPS integration with system development.
  • Provide records of CONOPS updates when system or organizational changes occur.
