03.15.02: System Security Plan
Control Family: Planning
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-18 [63]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.15.02
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 PL-02
a. Develop a system security plan that:
1. Defines the constituent system components;
2. Identifies the information types processed, stored, and transmitted by the system;
3. Describes specific threats to the system that are of concern to the organization;
4. Describes the operational environment for the system and any dependencies on or connections to other systems or system components;
5. Provides an overview of the security requirements for the system;
6. Describes the safeguards in place or planned for meeting the security requirements;
7. Identifies individuals that fulfill system roles and responsibilities; and
8. Includes other relevant information necessary for the protection of CUI.
b. Review and update the system security plan [Assignment: organization-defined frequency].
c. Protect the system security plan from unauthorized disclosure.
Discussion:
System security plans provide key characteristics of the system that is processing, storing, and transmitting CUI and how the system and information are protected. System security plans contain sufficient information to enable a design and implementation that are unambiguously compliant with the intent of the plans and the subsequent determinations of risk if the plan is implemented as intended. System security plans can be a collection of documents, including documents that already exist. Effective system security plans reference policies, procedures, and documents (e.g., design specifications) that provide additional detailed information. This reduces the documentation requirements associated with security programs and maintains security information in other established management or operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition.
Assessment Methods and Objectives
Examine [SELECT FROM: security planning policy and procedures; procedures for system security plan development and implementation; procedures for system security plan reviews and updates; enterprise architecture; system security plan; records of system security plan reviews and updates; risk assessments; risk assessment results; security architecture and design documentation; other relevant documents or records]
Interview [SELECT FROM: personnel with system security planning and plan implementation responsibilities; system developers; personnel with information security responsibilities]
Test [SELECT FROM: processes for system security plan development, review, update, and approval]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.15.02.ODP[01]: the frequency at which the system security plan is reviewed and updated is defined.
A.03.15.02.a.01: a system security plan that defines the constituent system components is developed.
A.03.15.02.a.02: a system security plan that identifies the information types processed, stored, and transmitted by the system is developed.
A.03.15.02.a.03: a system security plan that describes specific threats to the system that are of concern to the organization is developed.
A.03.15.02.a.04: a system security plan that describes the operational environment for the system and any dependencies on or connections to other systems or system components is developed.
A.03.15.02.a.05: a system security plan that provides an overview of the security requirements for the system is developed.
A.03.15.02.a.06: a system security plan that describes the safeguards in place or planned for meeting the security requirements is developed.
A.03.15.02.a.07: a system security plan that identifies individuals that fulfill system roles and responsibilities is developed.
A.03.15.02.a.08: a system security plan that includes other relevant information necessary for the protection of CUI is developed.
A.03.15.02.b[01]: the system security plan is reviewed <A.03.15.02.ODP[01]: frequency>.
A.03.15.02.b[02]: the system security plan is updated <A.03.15.02.ODP[01]: frequency>.
A.03.15.02.c: the system security plan is protected from unauthorized disclosure.