NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-7 — Enterprise Architecture
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Supplemental Guidance
The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For [PL-8](#pl-8) , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37](#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8) and supporting security standards and guidelines.
Practitioner Notes
Your enterprise architecture — the overall design of your IT environment — must include security as a core consideration, not a bolt-on. Security requirements should shape how you design and build your technology infrastructure.
Example 1: When planning a network redesign, include security segmentation in the architecture diagrams. Place CUI-processing systems in a dedicated VLAN, put a firewall between your corporate and guest networks, and document these decisions in your enterprise architecture documentation.
Example 2: In Azure, use Azure Landing Zones to structure your cloud architecture with security built in from the start. This includes network segmentation, identity management through Azure AD, and centralized logging — all documented as part of your enterprise architecture blueprint.