NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-2 Information Security Program Leadership Role

Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.

Practitioner Notes

Someone senior in your organization must be formally designated as the information security program lead. In federal agencies this is the CISO or Senior Agency Information Security Officer (SAISO). For small businesses, it might be the owner or a designated IT manager — but it must be documented.

Example 1: Write an appointment memo signed by the CEO that names a specific person as the security program lead, outlines their authority to make security decisions, and confirms they have budget and staff support. Keep this memo in your governance folder.

Example 2: In your organizational chart, add the security program lead role with a direct reporting line to senior leadership. In the Microsoft 365 admin center (the roles themselves are Microsoft Entra ID roles), assign this person the Security Administrator and Compliance Administrator roles so they have both visibility into and authority over the security and compliance posture of your tenant. Both roles are highly privileged: require MFA on the account, prefer an eligible (just-in-time) assignment through Privileged Identity Management over a permanent one where your licensing allows it, and keep a separate break-glass Global Administrator account so the program lead's account is never the only path to tenant administration.
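The role assignment in Example 2 can be made repeatable and auditable from Microsoft Graph PowerShell instead of clicking through the admin center. The script below is an added example written for this page, not code from NIST or Microsoft; the user principal name ciso@contoso.com is a hypothetical placeholder. It activates each directory role from its template if the tenant has never used it, checks whether the person is already a member, adds them if not, and finally lists the members of both roles so the evidence can be filed alongside the appointment memo.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph module:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Run from an account that can manage directory roles (e.g. a Global Administrator).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Hypothetical UPN of the appointed security program lead.
$leadUpn   = "ciso@contoso.com"
$roleNames = @("Security Administrator", "Compliance Administrator")

$lead = Get-MgUser -UserId $leadUpn
if (-not $lead) { throw "User $leadUpn not found in this tenant." }

foreach ($roleName in $roleNames) {
    # Directory roles exist as templates until first activated; Get-MgDirectoryRole
    # only returns activated roles, so activate from the template when missing.
    $role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
        if (-not $template) { throw "No role template named '$roleName'." }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
        Write-Host "Activated role '$roleName' from template $($template.Id)"
    }

    # Idempotent: skip the add if the lead is already a member.
    $memberIds = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id
    if ($memberIds -contains $lead.Id) {
        Write-Host "$leadUpn is already a member of '$roleName'"
        continue
    }

    # Add the user by reference, as the directoryRoles/{id}/members/$ref endpoint expects.
    $body = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($lead.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $body
    Write-Host "Added $leadUpn to '$roleName'"
}

# Evidence for the governance folder: who holds each role after the change.
foreach ($roleName in $roleNames) {
    $role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
    Write-Host "`nMembers of '$roleName':"
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
}
```

This produces a permanent (active) assignment, which is what the admin center's role page also does. If the tenant is licensed for Privileged Identity Management, an eligible assignment that the lead activates on demand is the stronger choice; that is a separate Graph workflow and is not shown here. Re-run the membership listing periodically and compare it against the appointment memo so that role holders and the documented program lead never drift apart.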