Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
System Security Plans (SSPs) shall be classified in accordance with the Program Security Classification Guide (SCG) and in order to minimize OPSEC indicators.
The organization:
Develops a security plan for the IS that:
Conforms to the SSP template as provided by the ISSM
Is consistent with the enterprise architecture.
Explicitly defines the authorization boundary for the system.
Describes the operational context of the information system in terms of missions and business processes.
Describes the CONOPS for the information system including, at a minimum, the purpose of the system and a description of the system architecture.
Provides the impact levels for Confidentiality, Integrity and Availability of the information system including supporting rationale.
Describes the functional architecture for the information system that identifies:
External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface.
User roles and the access privileges assigned to each role.
Unique security requirements.
Types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, EOs, directives, policies, regulations, standards, and guidance (to include any unique requirements of the Information Owner/Steward).
Restoration priority of information or information system services.
Describes the operational environment for the information system.
Describes relationships with or connections to other information systems, include ISAs and ATCs, as applicable.
Identifies the security requirements for the information system, as captured in the SCTM. See Appendix C for guidance on SCTM creation.
Identifies controls tailored in or tailored out by the AO.
Identifies any exceptions, which denotes a control or part of a control that is not met and is an accepted risk by the AO. Exceptions should also be captured on the POA&M unless otherwise directed by the AO.
Identifies the type of control (common, system specific, or hybrid) and describes how the security controls are implemented or planned to be implemented including a rationale for any tailoring and supplementation decisions
Identifies the controls tailored out/in/modified as approved by the DAO
Identifies any exceptions; i.e., a control or part of a control that is not or cannot be met and is an accepted risk by the DAO. Exceptions shall also be included in the POA&M.
Approved by the DAO ICW the SCA prior to the plan implementation
Click here to enter text.
Distributes copies of the plan and communicates subsequent changes to the plan to all required stakeholders, to include the DAO
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization plans and coordinates security-related activities affecting the IS with all relevant organizations or groups before conducting such activities in order to reduce the impact on other organizational entities.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Rules of Behavior are addressed as part of user security awareness and training. See Security Training [AT-3]. Signed acknowledgement of the rules of behavior is covered via user access agreements. See User Agreements [PS-6]. The rules of behavior are also referred to as the Acceptable Use Policy (AUP). See the DAA PM for a list of the minimum responsibilities of a General User.
The organization:
Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage
Click here to enter text.
Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system
Click here to enter text.
Reviews and updates the rules of behavior at least annually
Click here to enter text.
Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.18.3.1PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
This control can be met through detailed descriptions in the SSP of the system overview, system environment, facility diagram, network architecture, system diagram, and system connectivity.
The organization:
Develops an information security architecture for the IS that: describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity and availability of organizational information; describes how the IS architecture is integrated into and supports the enterprise architecture; and describes any information security assumptions about, and dependencies on, external services
Click here to enter text.
Reviews and updates the information security at least annually or when changes to the IS or its environment warrant to reflect updates in the enterprise architecture
Click here to enter text.
Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS) (if appropriate), and organizational procurements/acquisitions
Click here to enter text.
Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.18.6.1PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization designs its security architecture using a defense in depth approach that allocates security safeguards based on security impact to Program IS; and ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.18.6.2PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization requires that equipment and services to meet the security safeguards based on security impact to Program ISand its operational environment are obtained from different suppliers.