PM-7—Enterprise Architecture
Supplemental Guidance
The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization's mission and business processes. The process of integrating security and privacy requirements also embeds those requirements into the enterprise architecture and the organization's security and privacy architectures, consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems.
For PL-8, the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework (SP 800-37) and supporting security standards and guidelines.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for developing and maintaining the enterprise architecture with integrated security and privacy considerations?
- How does the organization ensure the enterprise architecture supports organizational mission and risk management?
- Who reviews and approves the enterprise architecture?
- How frequently is the enterprise architecture reviewed and updated?
- What governance exists for ensuring new systems and services align with the enterprise architecture?
Technical Implementation:
- What tools or repositories document the enterprise architecture?
- How are security and privacy requirements integrated into architecture models?
- What technical frameworks or standards guide enterprise architecture development?
- How is architecture compliance validated for new systems and services?
- What automation supports enterprise architecture governance?
Evidence & Documentation:
- Provide the enterprise architecture documentation with integrated security and privacy.
- Provide evidence of architecture review and approval.
- Provide records showing alignment of new systems with the enterprise architecture.
- Provide documentation of architecture updates to address emerging technologies.