Level 2

Description:

System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-8] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-7 including templates for system security plans.


Priority: High

Domain: SECURITY ASSESSMENT (CA)

Category: Documentation

Services Associated with AWS:

  • AWS Organizations
  • AWS Identity and Access Management (IAM)
  • AWS Config
  • AWS Security Hub

Services Associated with Azure:

  • Azure Key Vault
  • Azure Resource Manager (ARM) templates
  • Azure Policy

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: documented System Security Plan (SSP)

Possible Technology Considerations:

NA


What needs to be answered:

System security plans describe how the company meets the security requirements but do not provide detailed, technical descriptions of the specific design or implementation. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to company operations and assets, employees, and other organizations, if the plan is implemented as intended. Is the security plan distributed to the relevant company employees, and are those employees notified or given a revised copy when the plan changes? Is the plan periodically reviewed (annually) and modified if needed?

Checks for AWS

  • Development and Documentation of System Security Plans
    Description: This check ensures that system security plans are developed, documented, and updated periodically. These plans should describe system boundaries, system environments of operation, the implementation of security requirements, and connections with other systems.
  • Detailed Compliance of System Security Plans
    Description: This check verifies that the system security plans provide sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans, ensuring subsequent determinations of risk if the plan is implemented as intended.
  • Effective Use of References in System Security Plans
    Description: This check validates that the system security plans make extensive use of references to policies, procedures, and additional documents for more detailed information, reducing the documentation requirements associated with security programs.
  • Consideration of System Security Plans for Risk Management
    Description: This check confirms that system security plans and plans of action are considered as critical inputs for overall risk management decisions, including the decision to process, store, or transmit CUI on a system hosted by a non-federal organization.

Checks for Azure

  • System Security Plan Review and Update
    Description: This policy ensures that a system security plan (SSP) is in place for relevant resources and that it is reviewed and updated periodically, based on defined intervals (e.g., annually).
  • Enforce Reference Usage in System Security Plans
    Description: This policy enforces the use of references to policies, procedures, and additional documents in the system security plans, where more detailed information can be obtained.
  • System Security Plan Compliance Check
    Description: This policy evaluates the system security plans to ensure that they provide sufficient information for a design and implementation that is unambiguously compliant with the intended security controls and requirements.

More Details:

A system security plan is in place and is reviewed and updated on a regular basis.