NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-8 — Critical Infrastructure Plan
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Supplemental Guidance
Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Practitioner Notes
If your organization operates or supports critical infrastructure, you need a documented plan covering how those assets are protected, and the plan must address information security and privacy, not only physical protection. This ties your security program to sector-specific requirements from DHS, CISA, or your industry regulator.
Example 1: If you are a defense contractor, document how your systems support the Defense Industrial Base (DIB) sector. Map your critical assets to the services they enable and identify single points of failure. Include this analysis in your security program plan.
Example 2: Register with CISA's Cybersecurity Assessments program and complete their Cyber Resilience Review (CRR) self-assessment. The results will identify gaps in your critical infrastructure protection plan and give you a structured roadmap for improvement.