With the transition to Risk Management Framework (RMF) within NISP, all systems requiring authorization or re-authorization after March 2017 will follow the RMF methodology for Local Area Networks, Wide Area Networks and Interconnected Systems.
This document is based on the DSS Assessment and Authorization Manual (DAAPM).
For the purposes of Information Systems (IS), this SSP incorporates the content of the Security Controls Traceability Matrix (SCTM) and an IA SOP.
1 Applicability
This template is applicable to all Information Systems (IS) that store, process and/or transmit classified information.
2 References
This document is based on the following references:
- NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, Apr 13
- CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 12 May 14
3 Reciprocity
Reciprocity is defined as a “Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.” [CNSSI 4009]
This agreement, however, does not imply blind acceptance. The body of evidence used for assessments of the subject system will be provided to the other participant(s) who have a vested interest in establishing a mutual agreement. The receiving party will review the assessment evidence (e.g., system security plan (SSP), test plans, test procedures, test reports, exceptions), determine whether there are any deltas in the evidence (e.g., baseline/overlay controls that were tailored, a test item that was omitted), and identify items that may require negotiation.
Reciprocity means that the system(s) will not be retested or undergo another full assessment. In the spirit of reciprocity, the existing assessments will be accepted; only controls, test items or other pertinent items that were initially omitted are subject to evaluation/testing to assure the system meets any additional protections required for a successful reciprocal agreement.
4 System Identification
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): All of the pre-printed text instructions, e.g., sentences that start with insert, summarize or click here to insert text are content boxes. Click on the words to open the box and enter the text.
System Name: Click here to enter text.

Unique Identifier: Insert the organization-defined unique identifier assigned to the system (e.g., CASTS registration number). If no number is assigned, leave blank.

Type of Information System (Check One):
- Standalone
- Multi-User Standalone
- Closed Restricted Network (Local Area Network)
- Wide Area Network
- Interconnected System – Contractor-to-Contractor
- Interconnected System – Contractor-to-Government
- Other:

Type of Plan:
- SSP
- MSSP (Type Authorization)
The system is in the life-cycle phase noted in the table below.
| System Status (Check One) | |
|---|---|
| Operational | The system is operating and in production. |
| Under Development | The system is being designed, developed, or implemented. |
| Major Modification | The system is undergoing a major change, development, or transition. |
| Other | Explain: Click here to enter text. |

4.2 Security Categorization

4.2.1 Summary Results and Rationale
Summarize information in the sections below; e.g., System X is categorized as a Moderate-Low-Low system processing xxx information types. A risk analysis indicated that no risk adjustment tailoring was required.
Instruction (DELETE IN FINAL DOCUMENT): Record your information types in the table that follows. Record the sensitivity level for Confidentiality, Integrity, and Availability as High, Moderate, or Low. Add more rows as needed to add more information types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision 1 for guidance.
CNSSI 1253 Reference: | DAA PM Reference: | 2.1.1

Information Impact Categorization

| Information Type | Confidentiality Impact | Integrity Impact | Availability Impact | Authority |
|---|---|---|---|---|
| | Choose an item. | Choose an item. | Choose an item. | e.g., ISO |
| | Choose an item. | Choose an item. | Choose an item. | e.g., ISO |
| Click here to enter text. | Choose an item. | Choose an item. | Choose an item. | e.g., SCG |

4.2.2.1 System Security Impact Categorization
Instruction (DELETE IN FINAL DOCUMENT): Based on the information types in the table above, select the highest value in each impact column (Confidentiality, Integrity, Availability) across all information types and enter it in the table below.
CNSSI 1253 Reference: | DAA PM Reference: | 2.1.2

Final System Impact Categorization

| Confidentiality Impact | Integrity Impact | Availability Impact | Authority |
|---|---|---|---|
| Choose an item. | Choose an item. | Choose an item. | e.g., ISO, SCG |

4.2.2.2 Risk Adjusted System Impact Categorization
CNSSI 1253 Reference: | DAA PM Reference: | 2.1.3

Risk Adjusted System Impact Categorization

| Confidentiality Impact | Integrity Impact | Availability Impact | Authority |
|---|---|---|---|
| Choose an item. | Choose an item. | Choose an item. | e.g., AO, REF, ISO, SCG |

4.2.3 Control Selection
Instruction (DELETE IN FINAL DOCUMENT): Following ISO, SCA, and AO discussions on control selection, identify the applicable baseline and overlays as appropriate. Fill in the appropriate baseline and overlay(s). The Accessibility, CRN, Classified, Privacy, and Standalone overlays are included and individual controls added/removed by the overlays are identified and may require action.
DAA PM Reference:

Baseline: e.g., Moderate-Low-Low (MLL)

| | Overlays (Select/Add all that apply): |
|---|---|
| X | Closed Restricted Network / Local Area Network |
| X | Classified Information Overlay |
| X | Standalone |
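As an added worked example (not part of the SSP template or the DAAPM), the following Python carries the categorization steps of sections 4.2.1 through 4.2.3 over a constructed information-type table: each row's Confidentiality/Integrity/Availability level, the highest value per column as the system categorization, an optional risk adjustment, and the resulting baseline label in the template's "Moderate-Low-Low (MLL)" form. The information-type names, levels, and the adjustment are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # ordered from least to most impact
AXES = ("Confidentiality", "Integrity", "Availability")

@dataclass(frozen=True)
class InfoType:
    """One row of the section 4.2.1 information-type table (constructed sample data)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    authority: str = "ISO"  # source of the values, as in the Authority column

def _check(level: str) -> str:
    # A cell still reading "Choose an item." is a common template error; refuse it.
    if level not in LEVELS:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level

def high_water_mark(info_types) -> dict:
    """Highest value in each impact column across all information types (4.2.2.1)."""
    # max() itself raises ValueError if info_types is empty.
    return {axis: max((_check(getattr(t, axis.lower())) for t in info_types),
                      key=LEVELS.index) for axis in AXES}

def risk_adjust(categorization: dict, adjustments: dict) -> dict:
    """Apply risk-adjusted values agreed with the AO, e.g. {"Integrity": "Low"} (4.2.2.2)."""
    adjusted = dict(categorization)
    for axis, level in adjustments.items():
        if axis not in AXES:
            raise ValueError(f"unknown impact column {axis!r}")
        adjusted[axis] = _check(level)
    return adjusted

def baseline_label(categorization: dict) -> str:
    """Render in the template's baseline form, e.g. 'Moderate-Low-Low (MLL)' (4.2.3)."""
    levels = [categorization[axis] for axis in AXES]
    return "-".join(levels) + " (" + "".join(lvl[0] for lvl in levels) + ")"

# Constructed sample rows; names and levels are illustrative only.
SAMPLE_TYPES = [
    InfoType("Program management records", "Moderate", "Low", "Low", "ISO"),
    InfoType("Engineering drawings", "Moderate", "Moderate", "Low", "SCG"),
]

if __name__ == "__main__":
    system = high_water_mark(SAMPLE_TYPES)
    print(baseline_label(system))  # Moderate-Moderate-Low (MML)
    print(baseline_label(risk_adjust(system, {"Integrity": "Low"})))  # Moderate-Low-Low (MLL)
```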