NIST 800-53 REV 5 • PLANNING

PL-7 Concept of Operations

a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and
b. Review and update the CONOPS [Assignment: organization-defined frequency].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures. Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other organizational documents, such as procurement specifications, system development life cycle documents, and systems engineering documents.

Practitioner Notes

A Concept of Operations (CONOPS) document describes how you intend to operate the system from a security perspective. It tells the story of how security works in practice, not just on paper.

Example 1: Write a CONOPS that describes your operating environment, user communities, data flows, interconnections with other systems, security roles and responsibilities, and how you operate the system day-to-day from a security standpoint. Review and update it at the frequency you define for this control, and also whenever operational changes occur (new interconnections, a change in hosting, a new user community) so it stays consistent with the system security and privacy plans.

Example 2: Include scenarios in your CONOPS: how the system operates normally, how it handles peak load, what happens during maintenance windows, and how it operates during degraded mode or emergency. For each scenario, describe which security controls remain active and which may be temporarily modified.