NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-3 Information Security and Privacy Resources

a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and
c. Make available for expenditure, the planned information security and privacy resources.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.

Practitioner Notes

You need to plan and budget for security and privacy — it cannot be an afterthought. This means including cybersecurity line items in your capital planning and making sure security staff, tools, and training are funded each fiscal year.

Example 1: During annual budgeting, create a dedicated cybersecurity budget line that covers tool licenses (antivirus, SIEM, vulnerability scanner), training (Security+ certifications, annual awareness training), and any planned hardware upgrades like firewalls or encrypted drives.

Example 2: Use a spreadsheet or project management tool to track security investments against your Plan of Action and Milestones (POA&M). If your POA&M says you need to implement MFA by Q3, the budget should show the M365 E5 license cost that enables Azure AD Conditional Access with MFA enforcement.