3.12.4 has a weight of -NA points

(Security Assessment Family) 4/4

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.[28]



Example of System Security Plan (SSP):

    System Security Plan: Documentation and Updates

    1. Policy Statement: The organization develops, documents, and periodically updates system security plans, encompassing system boundaries, environments of operation, security implementation, and connections to other systems.
    2. Purpose: System security plans align security requirements with a set of security controls, providing an unambiguous guide for compliance and risk assessment.
    3. Documentation Format: Security plans can consist of various documents, including existing ones, referencing policies, procedures, and additional materials for more detailed information.
    4. Reduced Documentation: Effective security plans leverage existing documentation related to enterprise architecture, system development, engineering, and acquisition, streamlining the security program’s documentation requirements.
    5. Guidance and Templates: [SP 800-18] offers guidance on developing security plans, while [NIST CUI] provides supplemental materials and templates for Special Publication 800-171.
    6. Importance for Risk Management: Federal agencies use the submitted system security plans to assess risk when processing, storing, or transmitting CUI on nonfederal systems.
    7. Through well-documented and updated security plans, the organization ensures clarity in security implementation, facilitates compliance, and maintains a secure environment for its systems and sensitive data.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Statement Development

    • Develop a comprehensive policy statement that emphasizes the importance of developing and periodically updating system security plans. Clearly outline the purpose of system security plans as guides for compliance and risk assessment. [Target Date]

    Milestone 2: Documentation Format Determination

    • Determine the appropriate format for system security plans. Consider using existing documentation related to enterprise architecture, system development, engineering, and acquisition to streamline documentation requirements and reduce duplication. [Target Date]

    Milestone 3: Incorporate Security Controls

    • Ensure that system security plans encompass all relevant security controls that align with the organization’s security requirements. Develop clear guidelines for the implementation of security controls within the system security plans. [Target Date]

    Milestone 4: Guidance Familiarization

    • Familiarize relevant personnel with the guidance provided in [SP 800-18] for developing security plans. Train the personnel responsible for creating and updating system security plans to adhere to the recommended practices. [Target Date]

    Milestone 5: Template Utilization

    • Utilize the templates provided in [NIST CUI] for developing system security plans related to Controlled Unclassified Information (CUI) and [SP 800-171]. Customize the templates to fit the organization’s specific needs and security requirements. [Target Date]

    Milestone 6: Security Plan Development

    • Begin the development of system security plans for each organizational system. Collaborate with relevant stakeholders, including system owners, security personnel, and IT teams, to ensure comprehensive coverage of all aspects of security implementation. [Target Date]

    Milestone 7: Documentation Review and Validation

    • Conduct a thorough review and validation of the developed system security plans to ensure accuracy, completeness, and alignment with security controls and requirements. Seek input and feedback from stakeholders for improvements. [Target Date]

    Milestone 8: Periodic Updates Establishment

    • Establish a process for periodically updating system security plans. Define the frequency and triggers for updates, such as changes in system architecture, new security threats, or updates to security controls. [Target Date]

    Milestone 9: Communication and Awareness

    • Communicate the importance of system security plans and their role in maintaining a secure environment to all relevant personnel. Raise awareness of the process for updating security plans and the significance of compliance with the defined guidelines. [Target Date]

    Milestone 10: Continuous Improvement

    • Encourage continuous improvement by regularly reviewing and enhancing system security plans based on lessons learned, feedback from risk assessments, and emerging security threats. [Target Date]

    RELEVANT INFORMATION:

    System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans.



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.