The organization: PL-2a.
Develops a security plan for the information system that: PL-2a.1.
Is consistent with the organization�s enterprise architecture; PL-2a.2.
Explicitly defines the authorization boundary for the system; PL-2a.3.
Describes the operational context of the information system in terms of missions and business processes; PL-2a.4.
Provides the security categorization of the information system including supporting rationale; PL-2a.5.
Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.6.
Provides an overview of the security requirements for the system; PL-2a.7.
Identifies any relevant overlays, if applicable; PL-2a.8.
Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and PL-2a.9.
Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-2b.
Distributes copies of the security plan and communicates subsequent changes to the plan to Assignment: organization-defined personnel or roles; PL-2c.
Reviews the security plan for the information system Assignment: organization-defined frequency; PL-2d.
Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and PL-2e.
Protects the security plan from unauthorized disclosure and modification.