Security Control Spotlight—The PM Family

By Lon J. Berman, CISSP

The Beatles were comprised of how many musicians? Easy, right? They were called the “Fab Four”, so there were definitely 4. Now Google “the fifth Beatle” and see what you get. Ditto for “sixth sense”. When I eat at a Thai restaurant and the waitress asks how hot I want my food—on a scale of 1 to 5—I usually answer “6”.

If you’ve looked through NIST SP 800-53 Rev 4, you probably saw that there are 17 families of controls from which the various baselines are to be built. Yet, if you ask a group of “subject matter experts” how many control families there are, some people will answer 18.

Like most apparent paradoxes, there’s a somewhat logical explanation for this seemingly bizarre discrepancy.

When NIST first put together SP 800-53, there really were 18 families of security controls. The 18th family was “PM”, or “Program Management”. It was filled with controls dealing with various aspects or establishing and operating an organization’s information security program. Some of the controls in the PM family include:

  • PM-1 Information Security Program Plan
  • PM-2 Senior Information Security Officer
  • PM-3 Information Security Resources
  • PM-4 Plan of Action and Milestones Process
  • PM-5 Information System Inventory
  • PM-7 Enterprise Architecture
  • PM-8 Critical Infrastructure Plan
  • PM-9 Risk Management Strategy
  • PM-13 Information Security Workforce

These controls are clearly aimed at the organizational level, and not at individual information systems. In fact, NIST included a “disclaimer” to that effect:

Deployed organization Wide.
Supporting information security program.
Not associated with security control baselines.
Independent of any system impact level.

Despite everything, the PM family of controls remained in the main body of SP 800-53 through several revisions. Finally, it dawned on the authors that these controls just didn’t belong with the other 17 families; they were moved to a separate Appendix (Appendix G, to be exact) and removed from the recommended baselines of controls.

Some suggested the PM family of controls had been “demoted” or “Plutoed”. The fact is they were simply moved to where they made more sense.

End of story? Not quite.

In the DoD world, some versions of eMASS were found to be putting the PM controls right back into the baselines for all system categorization levels.

So, that’s the story of the PM family of controls … at least so far! If anyone ever asks you how many control families there are, give them your best answer (17), but just remember—”Men are from Mars, women are from Venus, and security controls—at least the Program Management ones—are from Pluto.”


IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.