Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework

Cybersecurity Concept Of Operations (CONOPS)

A Cybersecurity Concept of Operations (CONOPS), often referred to as a Security CONOPS, is meant to unify actions by providing a "north star" for guidance and decision-making purposes for cybersecurity and data protection stakeholders. A CONOPS can be thought of as a "mini business plan" that can be scaled from the cybersecurity department, all the way down to a specific project or system. The CONOPS addresses the who, what, why, where, when and how guidance to accomplish the stated mission.

Key Takeaways - Cybersecurity ConOps
  • A CONOPS (Concept of Operations) provides unified guidance and a north star for cybersecurity decision-making across all stakeholders.
  • Think of it as a mini business plan that can scale from the entire cybersecurity department down to a specific project or system.
  • Hierarchically, a CONOPS sits between a CISO-level business plan and a System Security Plan (SSP).
  • It addresses the who, what, why, where, when and how needed to accomplish the stated mission.
  • A CONOPS directly influences People, Processes, Technologies, Data and Facilities (PPTDF).
  • It is designed to be user-oriented and not overly technical, establishing a shared understanding for everyone involved.
The Missing Link

What Is A Cybersecurity CONOPS?

From a hierarchical perspective, a CONOPS is subordinate to a CISO-level business plan, but is one level higher than a System Security Plan (SSP). Because the CONOPS's function is to operationalize a business plan, the CONOPS can provide a significant amount of the information necessary to fill out a system/project-specific SSP.

The actionable guidance provided by the CONOPS directly influences People, Processes, Technologies, Data and Facilities (PPTDF). This guidance is designed to span both business planning and cybersecurity operations to ensure stakeholders are working to achieve the same objectives, so that the organization can be compliant, secure and resilient.

Document Hierarchy

Where The CONOPS Fits

A CONOPS provides user-oriented guidance that describes crucial context from an integrated systems point of view (e.g., mission, operational objectives and overall expectations), without being overly technical or formal. A CONOPS is meant to:

  • Benefit stakeholders by establishing a baseline “operational concept” to establish a conceptual, clearly-understood view for everyone involved in the scope of operations described by the CONOPS.
  • Record design constraints, the rationale for those constraints and to indicate the range of acceptable solution strategies to accomplish the mission and any stated objectives.
  • Contain a conceptual view that illustrates the top-level functionality in the proposed process or system.

A CONOPS is not a set of policies, standards or procedures, but it does complement and support those documents. A CONOPS straddles the territory between an organization's centrally-managed policies/standards and its decentralized, stakeholder-executed procedures, where a CONOPS serves as expert-level guidance that is meant to run a specific capability or function within an organization's cybersecurity department. An organization's Subject Matter Experts (SMEs) are expected to use a CONOPS as a tool to help communicate user needs and system characteristics to developers, integrators, sponsors, funding decision makers and other stakeholders.

Cybersecurity CONOPS Documentation Templates

ComplianceForge Products

Several ComplianceForge documents are essentially CONOPS documents, where those CONOPS-like documents are (1) more conceptual than procedures and (2) are focused on providing program-level guidance to define and mature a specific capability that is called for by policies and standards (e.g., operate a "risk management program"). Examples of ComplianceForge products that provide program-level guidance to define a function-specific concept of operations include: