NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-32 Purposing

Analyze {{ insert: param, pm-32_odp }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.

Practitioner Notes

Purposing means ensuring that systems are used only for their intended and authorized purposes. Every system should have a clearly defined purpose, and usage outside that purpose should be detected and addressed.

Example 1: In each system security plan, clearly state the system's authorized purpose and the types of data it is approved to process. During annual reviews, verify that the system is still being used as documented and that no unauthorized data types have crept in.

Example 2: Use Microsoft Purview Data Loss Prevention (DLP) policies to detect when sensitive data types appear in systems not authorized to process them. For example, if a file share is approved for general business data only, a DLP rule can alert you when someone stores documents containing SSNs or CUI markings there.
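To make the two practitioner examples concrete, the following added Python sketch (not part of the NIST text, and not Microsoft Purview code) records each share's authorized data types the way an SSP would, and flags documents whose detected data types fall outside that authorization. The share names, sample documents and the simplified SSN and CUI-banner patterns are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed authorization record, standing in for the data-type
# statement an SSP carries (Example 1). Share names are hypothetical.
AUTHORIZED = {
    "general-share": {"general-business"},
    "hr-share": {"general-business", "pii-ssn"},
}

# Detectors for data types a share may not be authorized to hold.
# The SSN pattern is a structural match (###-##-####) only, far
# simpler than the validation a commercial DLP engine applies.
DETECTORS = {
    "pii-ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # A CUI banner line such as "CUI//SP-PROPIN" on its own line.
    "cui": re.compile(r"(?im)^\s*(CUI|CONTROLLED UNCLASSIFIED INFORMATION)(//[A-Z0-9-]+)*\s*$"),
}

@dataclass(frozen=True)
class Finding:
    share: str
    path: str
    data_type: str

def classify(text: str) -> set[str]:
    """Return the set of data types detected in one document."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}

def purposing_check(share: str, documents: dict[str, str]) -> list[Finding]:
    """Flag documents whose detected data types are outside the share's authorization."""
    allowed = AUTHORIZED.get(share, set())
    findings = []
    for path, text in sorted(documents.items()):
        for dtype in sorted(classify(text) - allowed):
            findings.append(Finding(share, path, dtype))
    return findings

# Constructed sample documents on a share approved for general business data.
SAMPLE_DOCS = {
    "/general/minutes.txt": "Q3 planning meeting. Action items attached.",
    "/general/onboarding.txt": "Employee SSN 123-45-6789 on file.",
    "/general/contract.txt": "CUI//SP-PROPIN\nVendor pricing terms follow.",
}

if __name__ == "__main__":
    for f in purposing_check("general-share", SAMPLE_DOCS):
        print(f"{f.share}: {f.path} contains {f.data_type} (not authorized)")
```

Run against the same documents as "hr-share", only the CUI-marked contract is flagged, because SSNs are within that share's authorized purpose.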