3.12.2 has a weight of -3 points (its value in the NIST SP 800-171 DoD Assessment Methodology; a requirement that is not implemented subtracts that value from the 110-point score)

(Security Assessment Family 2/4)

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Example of System Security Plan (SSP):


Control 3.12.2 – Develop and Implement Plans of Action

Introduction:
In alignment with NIST SP 800-171 and CMMC requirements, our company has written and maintains a System Security Plan (SSP). For every requirement the SSP records as not yet fully implemented, and for every deficiency found in our systems, we open an entry in a Plan of Action and Milestones (POA&M) that states how and when it will be corrected. This document outlines the strategies, practices, and management framework for Control 3.12.2.

Scope:
These procedures span the entire organization and every system in scope for CUI, covering all areas where discrepancies in security requirements may be found. Whenever such a discrepancy is identified, the creation and execution of a remedial plan of action with milestones is mandatory.

Procedure:

  1. Identification of Discrepancies:
    Discrepancies are identified during our periodic SSP reviews, internal assessments of the security requirements, vulnerability scans, and evaluations performed by independent auditors.

  2. Development of POA&M:
    Any identified discrepancy triggers the creation of a Plan of Action and Milestones (POA&M) entry. The entry methodically details:

    • The nature of the recognized discrepancy and how it was found.
    • The proposed corrective action, and any interim mitigation in place until it is complete.
    • The milestones on the way to resolution and the projected completion date.
    • The individual or department responsible for its completion.
  3. Oversight and Meetings:
    Emphasizing our commitment to robust cybersecurity practices, our Chief Operating Officer (COO) holds regular meetings with the relevant staff members. These sessions:

    • Monitor progress against each POA&M milestone.
    • Address any emerging challenges, including items that are overdue or have had no recent update.
    • Adjust corrective actions or timelines when the original plan proves infeasible, recording the reason for the change.
  4. Tracking and Logging via Ticketing System:
    A ticketing system is in place to ensure efficient and systematic tracking of all identified discrepancies. Each discrepancy ticket provides:

    • A clear description of the discrepancy.
    • The party responsible for its resolution.
    • The prescribed corrective measure.
    • The estimated date of completion.

    The ticketing system sends automated notifications as target dates approach, records follow-ups, and produces reports that support our oversight meetings and future audits. A ticket is closed only after the corrective action has been verified and the SSP has been updated to reflect the implemented requirement.

  5. Roles and Responsibilities:
    Our Facility Security Officer (FSO) plays a pivotal role, overseeing the internal SSP reviews, managing corrections as dictated by the POA&M, and liaising with independent auditors when reviews are necessary.
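The checks that steps 2 through 5 describe (every ticket carries the required fields, nothing open is past its target date, nothing open has gone untouched since the last review) can be run over the ticket register before each oversight meeting. The following is an added example written for this page, not code from the original SSP or from any ticketing product; the field names, the weekly review cadence and the sample tickets are assumptions chosen to mirror the ticket fields listed above:

```python
"""Added example (not part of the original SSP/POA&M text): automated checks
over a POA&M register of the shape described in steps 2 through 5 above.

It flags what the oversight meeting looks for: tickets missing a required
field, open tickets past their target date, and open tickets that have not
been updated within one review cadence. Field names, the weekly cadence and
the sample tickets are assumptions / constructed data for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Fields every POA&M ticket must carry before it is accepted into the register
# (assumed set, mirroring the ticket template described above).
REQUIRED_FIELDS = ("ticket_id", "discrepancy", "corrective_action",
                   "responsible", "target_date")
OPEN_STATES = {"Open", "In Progress"}
REVIEW_CADENCE_DAYS = 7  # assumed: weekly COO progress meeting


@dataclass
class PoamTicket:
    ticket_id: str
    discrepancy: str
    corrective_action: str
    responsible: str
    target_date: Optional[date]
    status: str = "Open"                 # Open / In Progress / Closed
    last_update: Optional[date] = None   # date of the most recent ticket update
    source: str = "SSP Review"           # or "Independent Auditor"


def missing_fields(ticket: PoamTicket) -> List[str]:
    """Required fields that are empty or None on this ticket."""
    return [name for name in REQUIRED_FIELDS if not getattr(ticket, name)]


def is_overdue(ticket: PoamTicket, today: date) -> bool:
    """Still open, and the target completion date has already passed."""
    return (ticket.status in OPEN_STATES
            and ticket.target_date is not None
            and ticket.target_date < today)


def is_stale(ticket: PoamTicket, today: date,
             cadence_days: int = REVIEW_CADENCE_DAYS) -> bool:
    """Still open, but not updated within one review cadence (never updated counts)."""
    if ticket.status not in OPEN_STATES:
        return False
    if ticket.last_update is None:
        return True
    return (today - ticket.last_update).days > cadence_days


def review_register(register: List[PoamTicket], today: date,
                    cadence_days: int = REVIEW_CADENCE_DAYS) -> Dict[str, List[str]]:
    """Group ticket IDs by finding type for the oversight meeting agenda."""
    findings: Dict[str, List[str]] = {"incomplete": [], "overdue": [], "stale": []}
    for t in register:
        if missing_fields(t):
            findings["incomplete"].append(t.ticket_id)
        if is_overdue(t, today):
            findings["overdue"].append(t.ticket_id)
        if is_stale(t, today, cadence_days):
            findings["stale"].append(t.ticket_id)
    return findings


def open_by_owner(register: List[PoamTicket]) -> Dict[str, int]:
    """Count of open tickets per responsible party (who to chase in the meeting)."""
    counts: Dict[str, int] = {}
    for t in register:
        if t.status in OPEN_STATES:
            counts[t.responsible] = counts.get(t.responsible, 0) + 1
    return counts


# Constructed sample register and review date; tickets are illustrative only.
SAMPLE_TODAY = date(2024, 3, 20)
SAMPLE_REGISTER = [
    PoamTicket("T-101", "MFA not enforced on VPN", "Enable MFA on VPN gateway",
               "Network Team", date(2024, 3, 15), "In Progress", date(2024, 3, 1)),
    PoamTicket("T-102", "No vuln scan of file server", "",   # corrective action missing
               "IT Ops", date(2024, 4, 30), "Open", date(2024, 3, 18),
               source="Independent Auditor"),
    PoamTicket("T-103", "Audit logs not retained 90 days", "Extend SIEM retention",
               "Security", date(2024, 2, 1), "Closed", date(2024, 1, 30)),
    PoamTicket("T-104", "Shared admin account on backup host", "Issue individual accounts",
               "IT Ops", date(2024, 4, 10), "Open", None),   # never updated
]


def sample_findings() -> Dict[str, List[str]]:
    """Run the review over the constructed register at the constructed date."""
    return review_register(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for kind, ids in sample_findings().items():
        print(f"{kind:>10}: {', '.join(ids) or '-'}")
    print("open by owner:", open_by_owner(SAMPLE_REGISTER))
```

On the sample register the review reports T-102 as incomplete (no corrective action recorded), T-101 as overdue, and T-101 and T-104 as stale; the closed ticket T-103 is ignored by every check. Running this from the ticketing system's export before each meeting turns "monitor progress against the POA&M" into a repeatable check with output that can itself be retained as audit evidence.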

Example of Plan of Action and Milestones (POA&M):

Control 3.12.2 – Develop and Implement Plans of Action: Plan of Action and Milestones (POA&M)

  1. Creation of System Security Plan (SSP) Document

    • Description: Develop a comprehensive SSP based on guidelines from NIST 800-171 and CMMC protocols.
    • Responsible Party: [Name/Department tasked with creating the SSP]
    • Target Date for Completion: [MM/DD/YYYY]
    • Status: [Draft/In Review/Finalized]
    • Version: [Version Number, if applicable]
  2. Identification of Discrepancies

    • Discrepancy: [Specific discrepancy description]
    • Source of Identification: SSP Review / Independent Auditor
    • Date of Identification: [MM/DD/YYYY]
  3. Plan of Action Development

    • Description of Discrepancy: [Provide further details]
    • Proposed Corrective Action: [Steps/Measures to resolve the discrepancy]
    • Responsible Party: [Name/Department]
    • Target Date for Completion: [MM/DD/YYYY]
  4. Oversight and Monitoring

    • Frequency of COO Meetings: [e.g., Weekly, Monthly]
    • Date of Next Meeting: [MM/DD/YYYY]
    • Key Challenges Addressed: [Challenges discussed and/or potential changes to action plans]
    • Updates/Changes to Action Plan: [Any recalibrations or updates to the action steps]
  5. Tracking and Logging via Ticketing System

    • Ticket ID: [Unique Ticket Number]
    • Status: [Open/In Progress/Closed]
    • Assigned to: [Staff Member/Team]
    • Date of Last Update: [MM/DD/YYYY]
    • Notifications Sent: [Number of automatic notifications sent]
    • Follow-ups: [Details of any follow-ups or reminders]
    • Projected Completion Date: [MM/DD/YYYY]
  6. Roles and Responsibilities

    • FSO Actions Taken: [Specific actions taken by the Facility Security Officer]
    • Auditor Reviews: [Details of any reviews by independent auditors and their findings]

RELEVANT INFORMATION:

The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.