The organization:
PL-8a. Develops an information security architecture for the information system that:
PL-8a.1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
PL-8a.2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
PL-8a.3. Describes any information security assumptions about, and dependencies on, external services;
PL-8b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
PL-8c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.