Agency Security Plan

The Agency Security Plan template developed by DIR was created through collaboration between government and the private sector. It uses a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on agencies.

The template is divided into five concurrent and continuous functions, the same five defined by the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

[Figure: chart displaying the five areas of an agency security plan]

Within these five areas, DIR has established 40 distinct security objectives:

Functional area: security objectives

Identify (11 objectives)
  • Privacy and Confidentiality
  • Data Classification
  • Critical Information Asset Inventory
  • Enterprise Security Policy, Standards and Guidelines
  • Control Oversight and Safeguard Assurance
  • Information Security Risk Management
  • Security Oversight and Governance
  • Security Compliance and Regulatory Requirements Management
  • Cloud Usage and Security
  • Security Assessment and Authorization / Technology Risk Assessments
  • External Vendors and Third Party Providers

Protect (23 objectives)
  • Enterprise Architecture, Roadmap & Emerging Technology
  • Secure System Services, Acquisition and Development
  • Security Awareness and Training
  • Privacy Awareness and Training
  • Cryptography
  • Secure Configuration Management
  • Change Management
  • Contingency Planning
  • Media
  • Physical Environmental Protection
  • Personnel Security
  • Third-Party Personnel Security
  • System Configuration Hardening & Patch Management
  • Access Control
  • Account Management
  • Security Systems Management
  • Network Access and Perimeter Controls
  • Internet Content Filtering
  • Data Loss Prevention
  • Identification & Authentication
  • Spam Filtering
  • Portable & Remote Computing
  • System Communications Protection

Detect (3 objectives)
  • Malware Protection
  • Vulnerability Assessment
  • Security Monitoring and Event Analysis

Respond (2 objectives)
  • Cyber-Security Incident Response
  • Privacy Incident Response

Recover (1 objective)
  • Disaster Recovery Procedures

Each agency and institution of higher education then uses its Agency Security Plan to demonstrate how it will achieve these objectives.

Agency Security Plan Template

The Agency Security Plan template gives agencies:

  • A method for reporting on the types of controls they have in place
  • An evaluation of their ability to operate the control environment at their required level
  • A standardized approach for preparing the agency’s ongoing security plan

The Agency Security Plan is now available in the SPECTRIM Portal.

DIR looks forward to providing insights and learning from an analysis of all Agency Security Plans.

Cybersecurity Framework Support

Here are some additional links that will help you deliver your information security program:
