UPDATE CONTROL IMPLEMENTATION INFORMATION
Document changes to planned control implementations based on the “as-implemented” state of controls.
Potential Inputs: Security and privacy plans; information from control implementation efforts.
Expected Outputs: Security and privacy plans updated with implementation detail sufficient for use by assessors; system configuration baseline.
Primary Responsibility: System Owner; Common Control Provider.
Supporting Roles: Information Owner or Steward; Security Architect; Privacy Architect; Systems Security Engineer; Privacy Engineer; System Security Officer; System Privacy Officer; Enterprise Architect; System Administrator.
System Development Life Cycle Phase: New – Development/Acquisition; Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: Despite the control implementation details in the security and privacy plans and the system design documents, it is not always feasible to implement controls as planned. Therefore, as control implementations are carried out, the security and privacy plans are updated with as-implemented control implementation details. The updates include revised descriptions of implemented controls, including changes to planned inputs, expected behavior, and expected outputs, with sufficient detail to support control assessments. Documenting the “as-implemented” control information is essential to providing the capability to determine when there are changes to the controls, whether those changes are authorized, and the impact of the changes on the security and privacy posture of the system and the organization.
References: [SP 800-53]; [SP 800-128]; [SP 800-160 v1] (Implementation, Integration, Verification, and Transition, Configuration Management Processes).