OPS-02: Security Concept Of Operations (CONOPS)
Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.
Control Question: Does the organization develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders?
General (16)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC5.1 CC7.2 |
| BSI Standard 200-1 | 8.1 |
| COSO 2017 | Principle 2 Principle 10 |
| CSA CCM 4 | IVS-08 STA-06 |
| ENISA 2.0 | SO13 |
| ISO 22301 2019 | 8.1 |
| ISO 27017 2015 | CLD.12.1.5 |
| NIST Privacy Framework 1.0 | ID.BE-P1 ID.BE-P2 ID.BE-P3 PR.PO-P4 |
| NIST 800-53 R4 | PL-7 |
| NIST 800-53 R5 (source) | PL-7 |
| NIST 800-53 R5 (NOC) (source) | PL-7 |
| NIST 800-160 | 3.4.12 |
| NIST 800-161 R1 | PL-7 |
| NIST 800-161 R1 Level 3 | PL-7 |
| TISAX ISA 6 | 8.1.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | OPS-02 |
US (6)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | EF:SG2.SP1 GG2.GP1 |
| US DHS ZTCF | SEC-03 |
| US HIPAA HICP Medium Practice | 8.M.A |
| US HIPAA HICP Large Practice | 8.M.A 8.L.A |
| US NISPOM 2020 | 8-610 |
| US TSA / DHS 1580/82-2022-01 | III.B.2 III.B.2.a III.B.2.b |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.2.1(6) |
| EMEA EU DORA | 9.1 9.2 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Japan ISMAP | 4.5.4 12.1.5.P |
| APAC New Zealand NZISM 3.6 | 5.1.15.C.01 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 4.30 |
| Americas Canada OSFI B-13 | 1.3.2 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.
Level 2 — Planned & Tracked
Security operations (OPS) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Security operations management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security operations.
- Administrative processes focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined
Security Operations (OPS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Security Operations Center (SOC), or similar function, manages cybersecurity operations that covers preparation, detection and analysis, containment, eradication and recovery.
- Procedures are standardized across the enterprise to ensure uniformity and consistent execution. These Standardized Operating Procedures (SOP) identify and document day-to-day procedures to enable the proper execution of assigned tasks.
- Line of Business (LOB) stakeholders are identified and tasked with documenting business-critical functions in “run books,” or SOPs, to capture the knowledge in documentation form from both a business and technology perspective.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.
Assessment Objectives
- OPS-02_A02 a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of cybersecurity / data privacy is developed.
- OPS-02_A01 frequency for review / update of the Concept of Operations (CONOPS) is defined.
- OPS-02_A03 the Concept of Operations (CONOPS) is reviewed / updated per an organization-defined frequency.
Technology Recommendations
Medium
- Cybersecurity-focused Concept of Operations (CONOPS)
Large
- Cybersecurity-focused Concept of Operations (CONOPS)
Enterprise
- Cybersecurity-focused Concept of Operations (CONOPS)