PM-32—Purposing
Supplemental Guidance
Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure.
In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What program-level governance exists for purposing?
- Who has overall responsibility and accountability for purposing across the organization?
- How does the organization measure and report on purposing effectiveness?
- What resources are allocated to support purposing activities?
- How does purposing integrate with other organizational programs and initiatives?
Technical Implementation:
- What enterprise systems or platforms support purposing?
- How are purposing activities tracked and reported organization-wide?
- What integration exists between purposing tools and other security/privacy systems?
- What automation supports purposing at the program level?
- What metrics or analytics are used to measure purposing effectiveness?
Evidence & Documentation:
- Provide program-level documentation for purposing.
- Provide evidence of purposing review and approval by senior leadership.
- Provide metrics or reports demonstrating purposing effectiveness.
- Provide records of purposing updates and improvements.
- Provide documentation of purposing integration with organizational governance.