PL-7: Concept of Operations

10 min readLast verified: February 2026By

PL-7 requires you to produce a system-specific Concept of Operations (CONOPS) that explains how the system will run day-to-day with security and privacy built into operations, not just design. To operationalize it quickly, assign an owner, define the security/privacy operational model (roles, workflows, dependencies, boundaries), and keep the CONOPS current as the system and risks change. 1

Key takeaways:

  • Your CONOPS must describe real operational behavior, not control “intent” language copied from policies. 1
  • Treat the CONOPS as an integration document that ties architecture, processes, and people to security and privacy outcomes. 1
  • Auditors will look for system specificity, ownership, update discipline, and traceability to implemented procedures and evidence. 1

The pl-7: concept of operations requirement is a planning control that forces clarity about how a system will actually be operated, from a security and privacy perspective. A CONOPS is the missing link between “we have policies” and “this is how the on-call engineer, SOC analyst, IAM admin, and privacy team run the system every day.” For federal systems and contractor systems handling federal data, this document becomes a core artifact for assessment readiness because it makes your operating assumptions testable.

Operators often fail PL-7 in two ways: they either write a generic narrative that could apply to any system, or they bury operational details across runbooks, diagrams, and ticketing workflows without a unifying document. A good CONOPS doesn’t replace those artifacts. It points to them, summarizes the operational model, and defines the security and privacy “rules of the road” for how the system is run, monitored, changed, and supported.

If you need to move fast, focus on: (1) system boundary and dependencies, (2) operational roles and responsibilities, (3) security and privacy workflows that run continuously (access, monitoring, vulnerability, incident, change), and (4) the evidence trail you can show an assessor.

Regulatory text

Requirement (excerpt): “Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and” 1

What the operator must do:
Create and maintain a system-specific CONOPS that explains, in operational terms, how security and privacy are handled as the system runs. The document must reflect reality: who does what, using which processes and tools, across normal operations and key operational events (access changes, deployments, incidents, outages, data requests). 1

Plain-English interpretation (what PL-7 is asking for)

PL-7 asks for a narrative and structured description of the system’s operating model, written from security and privacy viewpoints. That means your CONOPS should answer questions like:

  • How is the system used and administered, and what are the trust boundaries?
  • How do changes move from request to approval to deployment?
  • How is access granted, reviewed, revoked, and logged?
  • How do you monitor security and privacy signals, and who responds?
  • Where does sensitive data exist, how does it flow, and what privacy constraints apply?
  • Which third parties, platforms, and shared services are required to operate the system?

A CONOPS is not the same as an SSP, policy set, or architecture diagram. It should reference those artifacts, but it needs its own “how we operate” content that an assessor can read and then verify through interviews, tickets, logs, and runbooks. 1

Who it applies to (entity + operational context)

PL-7 commonly applies where NIST SP 800-53 is the required control baseline, including:

  • Federal information systems operated by agencies or on their behalf. 2
  • Contractor systems handling federal data, including hosted applications, SaaS, and managed services in a federal boundary. 2

Operationally, PL-7 is most scrutinized for:

  • Systems with multiple operating parties (DevOps + SOC + MSP + cloud provider).
  • Systems with regulated data types (privacy-relevant data flows, identity data, case files).
  • Systems with high change velocity (frequent deployments) or complex integrations. 1

What you actually need to do (step-by-step)

Use this sequence to produce an assessor-ready CONOPS without boiling the ocean.

1) Assign ownership and scope the “system”

  • Name a CONOPS owner (often the system owner or service owner) and define contributors: security engineering, SOC/IR, privacy, IAM, platform engineering, and a key business operator. 1
  • Lock the system boundary: what’s in-scope, what’s out-of-scope, and what dependencies are required for operation (identity provider, logging stack, CI/CD, ticketing). 1

Deliverable: a one-page scope statement at the front of the CONOPS.

2) Describe operational modes and users (not features)

Write short subsections for:

  • Normal operations (steady-state usage and administration)
  • Maintenance operations (patching, upgrades, key rotation, backups/restore tests)
  • Degraded operations (partial outages, failover, read-only modes)
  • Emergency operations (incident response, containment, break-glass access) 1

Keep it concrete: name the teams, tools, queues, and approval gates.

3) Map security and privacy responsibilities to roles

Create a RACI-style table (Responsible/Accountable/Consulted/Informed) for:

  • Access provisioning and deprovisioning
  • Privileged access management and break-glass
  • Logging and monitoring ownership
  • Vulnerability intake and remediation
  • Incident response and communications
  • Privacy: data inventory ownership, data subject request handling (if applicable), retention/deletion execution, DPIA/PIA triggers 1

Assessors test role clarity by interviewing the people in the table. If your RACI lists “Security Team” without names or functions, expect follow-up questions.

4) Document the security/privacy operational workflows end-to-end

For each workflow, write:

  • Trigger (what starts it)
  • Inputs (tickets, alerts, requests)
  • Decision points (approvals, risk acceptance)
  • Actions (what operators do)
  • Outputs (logs, tickets, reports)
  • Evidence produced (what you can show later)

Minimum workflows to cover for most systems:

  • Identity and access operations (joiner/mover/leaver, service accounts, MFA enforcement, privileged sessions)
  • Change management and deployment operations (how security testing gates releases; how secrets/config changes are handled)
  • Monitoring and alert response (who triages, how severity is assigned, escalation path)
  • Incident response (containment, forensics, notifications, post-incident review)
  • Data handling and privacy operations (collection points, sharing, retention, deletion, access requests where relevant) 1

Tip: link each workflow to existing runbooks and ticket types rather than rewriting them.

5) Describe dependencies, third parties, and shared services

PL-7 is where many teams forget to explain operational reliance on:

  • Cloud service provider services (logging, KMS, IAM)
  • Managed detection/response providers
  • SaaS tools in the admin plane (CI/CD, secrets manager, ticketing)
  • Upstream data providers and downstream consumers (data flows and obligations) 1

Write what happens if a dependency fails, and who owns coordination with that third party.

6) Make it assessable: crosswalk to procedures and recurring evidence

Operationalize the CONOPS by mapping each section to:

  • A procedure/runbook location
  • Control owners
  • Recurring evidence artifacts (tickets, reports, logs, meeting notes)
  • Review/update cadence aligned to change events (major releases, boundary changes, new data types) 1

This is where Daydream fits naturally: teams use Daydream to assign control ownership, document the PL-7 implementation procedure, and track recurring evidence artifacts so the CONOPS stays tied to what operators can prove during an assessment. 1

Required evidence and artifacts to retain

Keep artifacts that prove the CONOPS is real and followed:

  • CONOPS document with version history, approvers, and last review date. 1
  • System boundary description and dependency list referenced by the CONOPS. 1
  • Role/responsibility matrix (RACI) and on-call/escalation definitions. 1
  • Workflow evidence, sampled periodically:
    • Access request/approval tickets
    • Change tickets with approvals and security gates
    • Incident tickets, timelines, post-incident reviews
    • Vulnerability remediation tickets with SLA targets defined internally (avoid claiming external benchmarks) 1
  • References to runbooks (links or repository paths) and proof they are maintained (commit history, doc system audit trail). 1
  • Training/enablement evidence showing operators know the processes (attendance logs, internal attestations). 1

Common exam/audit questions and hangups

Expect these lines of questioning:

  1. “Show me how the CONOPS reflects how the system is actually operated.”
    They will pick a workflow (access, incident, change) and ask for tickets/logs that match your description. 1

  2. “Who owns each operational area?”
    If ownership is ambiguous (shared mailbox, generic team), auditors push for accountable roles. 1

  3. “What changed since the last update?”
    If you can’t tie CONOPS updates to system changes, you risk being labeled “paper compliance.” 1

  4. “How do privacy requirements show up in operations?”
    They will look for operational handling of data retention, access, sharing, and deletion where relevant to the system. 1

Frequent implementation mistakes and how to avoid them

Mistake Why it fails Fix
Copying a generic CONOPS template with minimal system detail Assessors can’t test it Include system-specific tools, queues, roles, and dependencies. 1
Describing security controls but not operational workflows No proof of day-to-day operation Write trigger-to-evidence workflows and link to runbooks and tickets. 1
Ignoring privacy operations Requirement calls for privacy perspective Add data flow summary, retention/deletion execution, and request handling where applicable. 1
No update discipline CONOPS drifts from reality Tie updates to change management and boundary changes; record approvals. 1
Missing third-party operational dependencies Operational risk is understated Document which third parties are required, how they’re monitored, and escalation paths. 1

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for PL-7, so this page does not cite enforcement examples. 1

Practically, the risk is assessment failure or a finding tied to weak planning and governance: if you can’t explain and evidence how security and privacy operations work, assessors may question whether controls operate consistently across teams and shifts. That risk increases in environments with heavy outsourcing or complex third-party dependencies. 1

A practical 30/60/90-day execution plan

You asked for speed; use phases rather than day-count promises.

First 30 days (Immediate build)

  • Assign owner and contributors; define system boundary and dependencies. 1
  • Draft CONOPS skeleton: operational modes, roles/RACI, top workflows. 1
  • Pick evidence sources for each workflow (ticket types, log sources, runbooks). 1

Days 31–60 (Operational hardening)

  • Run tabletop walkthroughs with operators: “show me” exercises for access, change, incident, privacy operations. 1
  • Fix gaps found in walkthroughs (missing approvals, unclear escalation, undocumented dependencies). 1
  • Implement an evidence map in Daydream or your GRC system: owner, procedure, recurring artifacts, review triggers. 1

Days 61–90 (Assessment readiness)

  • Perform an internal control interview using common audit questions; collect a sample evidence set that matches CONOPS statements. 1
  • Add versioning and update triggers tied to change management and boundary changes. 1
  • Train operators on the “operational contract” the CONOPS defines, and keep proof. 1

Frequently Asked Questions

What makes a CONOPS “system-specific” enough for PL-7?

It names real roles, tools, queues, and dependencies for that system, and it describes how security and privacy operations run end-to-end. If an assessor can’t pick a workflow and trace it to evidence, it’s too generic. 1

Can I satisfy PL-7 by pointing to policies and an SSP?

Usually no. Policies and SSPs help, but PL-7 expects an operational description focused on how the system is run from security and privacy perspectives. Reference those documents, but don’t replace the CONOPS with them. 1

How do I cover privacy in a CONOPS if the system has minimal personal data?

State what data types exist, where they flow, and what operational steps prevent unnecessary collection or sharing. If privacy workflows are not applicable, document the rationale and the role that reviews that conclusion. 1

Do I need separate CONOPS documents for each microservice?

If microservices share the same operational model and boundary, one CONOPS can work with clear service-level appendices. If operations, data, or dependencies differ materially, split them so the document stays testable. 1

What evidence do auditors ask for first?

They often start with access operations, change/deploy approvals, and incident response execution because those produce clear tickets and logs. Make sure your CONOPS descriptions match what those records show. 1

How does Daydream help with PL-7 operationalization without rewriting our documentation stack?

Use Daydream to assign PL-7 ownership, document your implementation procedure, and track recurring evidence artifacts that substantiate the CONOPS. Keep the CONOPS as the “map,” and keep runbooks and tickets as the “terrain.” 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5

Frequently Asked Questions

What makes a CONOPS “system-specific” enough for PL-7?

It names real roles, tools, queues, and dependencies for that system, and it describes how security and privacy operations run end-to-end. If an assessor can’t pick a workflow and trace it to evidence, it’s too generic. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Can I satisfy PL-7 by pointing to policies and an SSP?

Usually no. Policies and SSPs help, but PL-7 expects an operational description focused on how the system is run from security and privacy perspectives. Reference those documents, but don’t replace the CONOPS with them. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

How do I cover privacy in a CONOPS if the system has minimal personal data?

State what data types exist, where they flow, and what operational steps prevent unnecessary collection or sharing. If privacy workflows are not applicable, document the rationale and the role that reviews that conclusion. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Do I need separate CONOPS documents for each microservice?

If microservices share the same operational model and boundary, one CONOPS can work with clear service-level appendices. If operations, data, or dependencies differ materially, split them so the document stays testable. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

What evidence do auditors ask for first?

They often start with access operations, change/deploy approvals, and incident response execution because those produce clear tickets and logs. Make sure your CONOPS descriptions match what those records show. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

How does Daydream help with PL-7 operationalization without rewriting our documentation stack?

Use Daydream to assign PL-7 ownership, document your implementation procedure, and track recurring evidence artifacts that substantiate the CONOPS. Keep the CONOPS as the “map,” and keep runbooks and tickets as the “terrain.” (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream