PL-02 (03) Plan Coordinate With Other Organizational Entities
Introduction
This document describes how Private Mendix Platform fulfills the PL-02 (03) control.
| Control ID | PL-02 (03) |
|---|---|
| Control category | PL - Planning |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Customer - Org |
Control
The organization plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.
Supplemental Guidance
Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.
The following controls are related to this control:
- CP-4
- IR-4
For more information, refer to NIST Special Publication 800-18.
Responsibility
Customer Responsibility
The customer is responsible for implementing this control in an appropriate manner in their organization. This includes planning and coordinating all security-related activities affecting the Mendix solution with appropriate internal teams and external parties before conducting such activities to ensure compliance with federal requirements. The customer must ensure that security assessments, audits, maintenance, patch management, and testing activities are properly coordinated to minimize impact on organizational operations and Mendix systems.
Guidance
Customer Responsibility
This control is drawn from the NIST SP 800-53 PL (Planning) family and from FIPS 200, which require organizations to plan and coordinate security-related activities in advance to reduce their impact on other organizational entities. The control statement and related controls above follow the SP 800-53 Rev 4 wording of enhancement PL-2(3); in Rev 5 this enhancement was withdrawn and its requirement folded into the base PL-2 control, so customers assessed against a Rev 5 baseline should expect to evidence it under PL-2. Customers operating within a FedRAMP or DoD SRG environment must ensure that all security-related activities affecting the Mendix solution are coordinated with relevant stakeholders, including internal teams and, where applicable, Mendix.
The following steps define the customer's obligations for this control:
- Establish a security activity planning and coordination process.
  Define and document a formal process for planning and coordinating security-related activities affecting the Mendix solution, covering at minimum the activities named in the supplemental guidance: security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. The process must address both emergency and nonemergency situations and must ensure that all organization-defined individuals or groups are notified and consulted before an activity is carried out. Record who was notified, when, and what was agreed, so that the coordination can be evidenced to an assessor.
- Coordinate with internal implementation and operations teams.
  Ensure that the Customer, Infra Implementer, App Implementer, Infra Operator, and App Operator collaborate in planning and coordinating security activities that could affect the Mendix solution. Establish defined communication channels and coordination procedures so that every party is aware of scheduled and emergency security-related activities affecting the infrastructure or the applications, and so that operational impact (for example, a maintenance window colliding with a contingency plan test) is identified and reduced before the activity starts.
- Coordinate with Mendix for activities affecting Mendix products and systems.
  Plan and coordinate with Mendix any security activity that would directly affect Mendix products and solutions, or other customers on publicly available Mendix systems, such as phishing tests, penetration tests, vulnerability scanning, or other security assessments. Provide advance notice to Mendix in accordance with the applicable terms of service or support agreement, and do not begin such an activity against Mendix-operated systems until that coordination has been completed, so that the activity is not mistaken for an attack and does not disrupt services.