The organization:
PM-1a. Develops and disseminates an organization-wide information security program plan that:
  PM-1a.1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
  PM-1a.2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  PM-1a.3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
  PM-1a.4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
PM-1b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
PM-1c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
PM-1d. Protects the information security program plan from unauthorized disclosure and modification.