<INSERT SYSTEM NAME>

System Security Plan (SSP)

<Organization Name>

Prepared By

_______________________


Document Change History

Version Number | Date | Author(s) | Description


Executive Summary

Organizations are required to identify each information system that contains, processes, and transmits state data and information and to prepare and implement a plan for the security and privacy of these systems. The objective of system security planning is to improve protection of information technology (IT) resources. All systems have some level of sensitivity, and require protection as part of best management practices. The protection of a system must be documented in a system security plan.

The security plan is viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It reflects input from management responsible for the system, including information owners, the system operator, the system security manager, and system administrators. The system security plan delineates responsibilities and expected behavior of all individuals who access the system.

The purpose of this security plan is to provide an overview of the security of the [System Name] and describe the controls and critical elements in place or planned for, based on NIST Special Publication (SP) 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems. Each applicable security control has been identified as either in place or planned. This SSP follows guidance contained in NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

This System Security Plan (SSP) provides an overview of the security requirements for [System Name] and describes the controls in place or planned for implementation to provide a level of security appropriate for the information processed as of the date indicated in the approval page.

Note: The SSP is a living document that will be updated periodically to incorporate new and/or modified security controls. The plan will be revised as the changes occur to the system, the data or the technical environment in which the system operates.


1. Information System Name/Title:

• Unique identifier and name given to the system.

System Name

2. Information System Categorization:

• Identify the appropriate FIPS 199 categorization based on the types of information handled by this system.

<Complete the table for each “type” of information processed by this system. Refer to NIST SP 800-60 for guidance on information types. Examples of information types are privacy, medical, proprietary, financial, investigative, contractor sensitive, security management, administrative, etc.>

Information Type | Confidentiality (HIGH/MOD/LOW) | Integrity (HIGH/MOD/LOW) | Availability (HIGH/MOD/LOW)

Information Type 1 | | |

Information Type 2 | | |

Information Type 3 | | |

Highest Information Type Impact | | |

<Complete the following table for this information system based on the Highest Information Type Impact from the table above>

Security Objective | LOW | MODERATE | HIGH

Confidentiality | | |

Integrity | | |

Availability | | |

Overall system categorization: LOW / MODERATE / HIGH

FIPS 199 POTENTIAL IMPACT (as reproduced in the Guide for Developing Security Plans for Federal Information Systems)

Security Objective | LOW | MODERATE | HIGH

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]

LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]

LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Table 1: FIPS 199 Categorization
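The two Section 2 tables apply the FIPS 199 high-water mark: for each security objective take the highest rating across all information types, then take the highest of those three as the overall system categorization, which is also the value that selects the NIST SP 800-53 baseline in Section 13. The following is an added worked example, not part of the SSP template; the information types and ratings are constructed samples, and the function names are illustrative.

```python
"""FIPS 199 high-water-mark categorization for the SSP Section 2 tables.
Added example; the sample rows below are constructed, not a real system's data.
"""
from typing import Dict, Tuple

# Ordered impact levels: index in this tuple is the ordering used for the high-water mark.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Accept the spellings used in the table header (HIGH/MOD/LOW) and single letters.
ALIASES = {"LOW": "LOW", "L": "LOW", "MOD": "MODERATE", "MODERATE": "MODERATE",
           "M": "MODERATE", "HIGH": "HIGH", "H": "HIGH"}


def normalize(rating: str) -> str:
    """Map a table cell such as ' Mod ' to a canonical level; reject anything else."""
    key = rating.strip().upper()
    if key not in ALIASES:
        raise ValueError(f"invalid FIPS 199 impact level: {rating!r}")
    return ALIASES[key]


def highest_impact(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per-objective high-water mark across all information types (first table)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    result = {}
    for objective in OBJECTIVES:
        ratings = []
        for name, cells in info_types.items():
            if objective not in cells:  # every row must rate all three objectives
                raise ValueError(f"{name}: missing {objective} rating")
            ratings.append(normalize(cells[objective]))
        result[objective] = max(ratings, key=LEVELS.index)
    return result


def overall_categorization(info_types: Dict[str, Dict[str, str]]) -> Tuple[str, Dict[str, str]]:
    """Second table: overall categorization is the highest of the three objective marks.
    The overall value is also the SP 800-53 baseline (low/moderate/high) chosen in Section 13."""
    per_objective = highest_impact(info_types)
    return max(per_objective.values(), key=LEVELS.index), per_objective


# Constructed sample rows for the Section 2 table (hypothetical system).
SAMPLE = {
    "Information Type 1 (privacy)": {"confidentiality": "MOD", "integrity": "MOD", "availability": "LOW"},
    "Information Type 2 (financial)": {"confidentiality": "LOW", "integrity": "HIGH", "availability": "MOD"},
    "Information Type 3 (administrative)": {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    overall, per = overall_categorization(SAMPLE)
    print("SC = {" + ", ".join(f"({o}, {per[o]})" for o in OBJECTIVES) + "}")
    print("Overall system categorization / SP 800-53 baseline:", overall)
```

Note that a single HIGH integrity rating on one information type is enough to make the whole system HIGH, even though its confidentiality never exceeds MODERATE; that is the intended conservatism of the high-water mark.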

3. Information System Owner:

The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. In coordination with the information system security officer, the information system owner is responsible for the development and maintenance of the security plan and ensures that the system is deployed and operated in accordance with the agreed-upon security controls.

System Owner’s Name

Title

Organization/Division

Address

Email

Phone #1

Phone #2

Signature

Date

4. Authorizing Official:

• Senior management official designated as the authorizing official.

Authorizing Official’s Name

Title

Organization/Division

Address

Email

Phone #1

Phone #2

Signature

Date

5. Agency Senior Information Security Officer (SAISO):

• Name, title, address, email address, and phone number of person who is responsible for the security of the system.

Name

Title

Organization/Division

Address

Email

Phone #1

Phone #2

Signature

Date

6. Other Designated Contacts:

• List other key personnel, if applicable; include their title, address, email address, and phone number.

Key Personnel (complete one column per person)

Name

Title

Organization

Address

Email

Phone #1

Phone #2

7. Information System Operational Status:

• Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status.

Operational

Under Development

Major Modification

8. Information System Type:

• Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose.

Major Application

General Support System

9. General System Description/Purpose

• Describe the function or purpose of the system and the information processes.

10. System Environment

• Provide a general description of the technical system. Include the primary hardware, software, and communications equipment.

11. System Interconnections/Information Sharing

• List interconnected systems and system identifiers (if appropriate); provide the system name, organization, system type (major application or general support system), indicate whether an Interconnection Security Agreement (ISA)/MOU/MOA or data sharing agreement is on file, the date of the agreement to interconnect, FIPS 199 category, C&A status, and the name of the authorizing official.

System | Name | Organization | Type | Agreement (ISA/MOU/MOA) | Date | FIPS 199 Category | C&A Status | Auth. Official

12. Related Laws/Regulations/Policies

List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system. For example, if this system handles Protected Health Information (PHI), it may be subject to HIPAA regulations or if this system handles credit card information it may be subject to Payment Card Industry Data Security Standard (PCI-DSS).

13. Minimum Security Controls

Select the appropriate minimum security control baseline (low-, moderate-, high-impact) from NIST SP 800-53, then provide a thorough description of how all the minimum security controls in the applicable baseline are being implemented or planned to be implemented. The description should contain: 1) the security control title; 2) how the security control is being implemented or planned to be implemented; 3) any scoping guidance that has been applied and what type of consideration; and 4) indicate if the security control is a common control and who is responsible for its implementation.

If your agency is a full-service GETS agency, then select ONE of the options below:

Check One (for full-service GETS agency):

This system requires LOW IMPACT security control set

This system requires MODERATE IMPACT security control set

This system requires HIGH IMPACT security control set

This system requires MODERATE IMPACT with HIPAA/HITECH security control set

If your agency is NOT a full-service GETS agency, then complete the security control documentation using the control worksheet appropriate to the overall security impact rating of this system (High/Moderate/Low). The completed security control worksheet must be attached to the security plan prior to obtaining approval.

14. Information System Security Plan Completion Date: _____________________

• Enter the completion date of the plan.

15. Information System Security Plan Approval Date: _______________________

• Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file.

Topic revision: r1 - 2014-04-01 - JimSkon