System Security Plan (SSP) Categorization: Moderate-Low-Low




Background

1. With the transition to the Risk Management Framework (RMF) within the NISP, all systems requiring authorization or re-authorization after March 2017 will follow the RMF methodology for Local Area Networks, Wide Area Networks and Interconnected Systems.

2. This document is based on the DSS Assessment and Authorization Manual (DAAPM).

3. For the purposes of Information Systems (IS), this SSP incorporates the content of the Security Controls Traceability Matrix (SCTM) and an IA SOP.

1 Applicability


This template is applicable to all Information Systems (IS) that store, process and/or transmit classified information.

2 References


This document is based on the following references:

  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, Apr 13

  • CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 12 May 14

3 Reciprocity


Reciprocity is defined as a “Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.” [CNSSI 4009]
This agreement, however, does not imply blind acceptance. The body of evidence used for assessments of the subject system will be provided to the other participant(s) who have a vested interest in establishing a mutual agreement. The receiving party will review the assessment evidence (e.g., system security plan (SSP), test plans, test procedures, test reports, exceptions), determine whether there are any deltas in the evidence (e.g., baseline/overlay controls that were tailored, a test item that was omitted), and identify items that may require negotiation.
Reciprocity means that the system(s) will not be retested or undergo another full assessment. In the spirit of reciprocity, the existing assessments will be accepted; only controls, test items or other pertinent items that were initially omitted are subject to evaluation/testing to assure the system meets any additional protections required for a successful reciprocal agreement.


4 System Identification


INSTRUCTIONS (DELETE IN FINAL DOCUMENT): All of the pre-printed text instructions, e.g., sentences that start with "Insert", "Summarize" or "Click here to enter text", are content boxes. Click on the words to open the box and enter the text.

4.1 System Overview


System Name: Click here to enter text.

Unique Identifier: Insert the organization-defined unique identifier assigned to the system (e.g., CASTS registration number). (If no number is assigned, leave blank.)

Type of Information System (Check One):

[ ] Standalone
[ ] Multi-User Standalone
[ ] Closed Restricted Network (Local Area Network)
[ ] Wide Area Network
[ ] Interconnected System – Contractor-to-Contractor
[ ] Interconnected System – Contractor-to-Government
[ ] Other:

Type of Plan (Check One):

[ ] SSP
[ ] MSSP (Type Authorization)



The system is in the life-cycle phase noted in the table below.

System Status (Check One):

[ ] Operational – The system is operating and in production.
[ ] Under Development – The system is being designed, developed, or implemented.
[ ] Major Modification – The system is undergoing a major change, development, or transition.
[ ] Other – Explain: Click here to enter text.

4.2 Security Categorization

4.2.1 Summary Results and Rationale


Summarize information in the sections below; e.g., System X is categorized as a Moderate-Low-Low system processing xxx information types. A risk analysis indicated that no risk adjustment tailoring was required.

4.2.2 Categorization Detailed Results


Instruction (DELETE IN FINAL DOCUMENT): Record your information types in the table that follows. Record the sensitivity level for Confidentiality, Integrity, and Availability as High, Moderate, or Low. Add more rows as needed to add more information types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision 1 for guidance.

Information Impact Categorization

CNSSI 1253 / DAA PM Reference: 2.1.1

| Information Type | Confidentiality Impact | Integrity Impact | Availability Impact | Authority |
|---|---|---|---|---|
| Click here to enter text. | Choose an item. | Choose an item. | Choose an item. | e.g., ISO |
| Click here to enter text. | Choose an item. | Choose an item. | Choose an item. | e.g., ISO |
| Click here to enter text. | Choose an item. | Choose an item. | Choose an item. | e.g., SCG |

4.2.2.1 System Security Impact Categorization

Instruction (DELETE IN FINAL DOCUMENT): Based on the information types in the above table, select the highest value for each impact type (Confidentiality, Integrity, Availability) across all information types and enter it into the table below.

CNSSI 1253 / DAA PM Reference: 2.1.2

Final System Impact Categorization

| Confidentiality Impact | Integrity Impact | Availability Impact | Authority |
|---|---|---|---|
| Choose an item. | Choose an item. | Choose an item. | e.g., ISO, SCG |

4.2.2.2 Risk Adjusted System Impact Categorization

CNSSI 1253 / DAA PM Reference: 2.1.3

Risk Adjusted System Impact Categorization

| Confidentiality Impact | Integrity Impact | Availability Impact | Authority |
|---|---|---|---|
| Choose an item. | Choose an item. | Choose an item. | e.g., AO, REF, ISO, SCG |

4.2.3 Control Selection

Instruction (DELETE IN FINAL DOCUMENT): Following ISO, SCA, and AO discussions on control selection, identify the applicable baseline and overlays as appropriate. Fill in the appropriate baseline and overlay(s). The Accessibility, CRN, Classified, Privacy, and Standalone overlays are included; the individual controls added/removed by the overlays are identified and may require action.

DAA PM Reference:

Baseline: e.g., Moderate-Low-Low (MLL)

Overlays (Select/Add all that apply):

[X] Closed Restricted Network / Local Area Network
[X] Classified Information Overlay
[X] Standalone





