Beruflich Dokumente
Kultur Dokumente
Executive Summary
Introduction
The purpose of the system security plan (SSP) is to provide an overview of federal information
system security requirements and describe the controls in place or planned to meet those
requirements. The SSP also delineates responsibilities and expected behavior of all individuals
who access the information system and should be viewed as documentation of the structured
process for planning adequate, cost-effective security protection for a major application or
general support system. It should reflect input from various managers with responsibilities
concerning the information system, including information owner(s), system owner(s), system
operator(s), and the information security manager. Additional information may be included in the
basic plan, and the structure and format organized according to requirements.
Each SSP is developed in accordance with the guidelines contained in National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing
Security Plans for Information Technology Systems, and applicable risk mitigation guidance and
standards.
This document details the degree to which the <INSERT SYSTEM NAME> conforms to
recommended federal security controls and the manner in which those controls are
implemented.
Intended Audience
This document is designed to be used by those parties responsible for managing and/or
creating the SSP for an individual general support system or major application. System owners
are organizationally responsible for conducting these activities; however, guidance and
implementation assistance is frequently provided at an organizational level. Within FDIC,
guidance to complete the SSP, as well as support for the activities associated with, is provided
by the Security Policy and Compliance Section.
i
© <Insert Company Name> Sensitive Information – For Official Use Only
<<INSERT COMPANY NAME> System Name>: System Security Plan
<Month Day, Year>
ii
© <Insert Company Name> Sensitive Information – For Official Use Only
<<INSERT COMPANY NAME> System Name>: System Security Plan
<Month Day, Year>
System Owner
Name: Address:
Agency: E-mail
Address:
Authorizing Official
Name: Address:
1
© <Insert Company Name> Sensitive Information – For Official Use Only
<<INSERT COMPANY NAME> System Name>: System Security Plan
<Month Day, Year>
Address:
Agency: E-mail
Address:
2
© <Insert Company Name> Sensitive Information – For Official Use Only
<<INSERT COMPANY NAME> System Name>: System Security Plan
<Month Day, Year>
3
© <Insert Company Name> Sensitive Information – For Official Use Only
<<INSERT COMPANY NAME> System Name>: System Security Plan
<Month Day, Year>
Controls not required for testing at a moderate baseline = Light Diagonally Down
Shaded
4
© <Insert Company Name> Sensitive Information – For Official Use Only
<<INSERT COMPANY NAME> System Name>: System Security Plan
<Month Day, Year>
Configuration Management
Contingency Planning
System and Services
Personnel Security
Incident Response
Risk Assessment
Identification and
Media Protection
Access Control
Authentication
Maintenance
Protection
Protection
Acquisition
Planning
Integrity
RA-1 PL-1 SA-1 CA-1 PS-1 PE-1 CP-1 CM-1 MA-1 SI-1 MP-1 IR-1 AT-1 IA-1 AC-1 AU-1 SC-1
RA-2 PL-2 SA-2 CA-2 PS-2 PE-2 CP-2 CM-2 MA-2 SI-2 MP-2 IR-2 AT-2 IA-2 AC-2 AU-2 SC-2
RA-3 PL-3 SA-3 CA-3 PS-3 PE-3 CP-3 CM-3 MA-3 SI-3 MP-3 IR-3 AT-3 IA-3 AC-3 AU-3 SC-3
RA-4 PL-4 SA-4 CA-4 PS-4 PE-4 CP-4 CM-4 MA-4 SI-4 MP-4 IR-4 AT-4 IA-4 AC-4 AU-4 SC-4
RA-5 PL-5 SA-5 CA-5 PS-5 PE-5 CP-5 CM-5 MA-5 SI-5 MP-5 IR-5 AT-5 IA-5 AC-5 AU-5 SC-5
PL-6 SA-6 CA-6 PS-6 PE-6 CP-6 CM-6 MA-6 SI-6 MP-6 IR-6 IA-6 AC-6 AU-6 SC-6
SA-7 CA-7 PS-7 PE-7 CP-7 CM-7 SI-7 MP-7 IR-7 IA-7 AC-7 AU-7 SC-7
SA-8 PS-8 PE-8 CP-8 CM-8 SI-8 AC-8 AU-8 SC-8
SA-9 PE-9 CP-9 SI-9 AC-9 AU-9 SC-9
SA-10 PE-10 CP-10 SI-10 AC-10 AU-10 SC-10
SA-11 PE-11 SI-11 AC-11 AU-11 SC-11
PE-12 SI-12 AC-12 SC-12
PE-13 AC-13 SC-13
PE-14 AC-14 SC-14
PE-15 AC-15 SC-15
PE-16 AC-16 SC-16
PE-17 AC-17 SC-17
PE-18 AC-18 SC-18
PE-19 AC-19 SC-19
AC-20 SC-20
SC-21
SC-22
SC-23
The organization categorizes the information system and the information processed,
stored, or transmitted by the system in accordance with applicable laws, Executive
Orders, directives, policies, regulations, standards, and guidance and documents the
results (including supporting rationale) in the system security plan. Designated senior-
level officials within the organization review and approve the security categorizations.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
10
11
12
13
The organization manages the information system using a system development life
cycle methodology that includes information security considerations.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
SA-4 Acquisitions
Security Control Requirement:
The organization includes security requirements and/or security specifications, either
explicitly or by reference, in information system acquisition contracts based on an
assessment of risk and in accordance with applicable laws, Executive Orders, directives,
policies, regulations, and standards.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
14
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
15
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
16
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
17
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
18
19
20
21
22
23
24
The organization authorizes and controls information system-related items entering and
exiting the facility and maintains appropriate records of those items.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
25
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
26
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
27
28
29
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
30
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
31
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
32
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
33
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
34
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
35
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
36
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
37
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
38
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
39
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
40
41
42
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
43
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
44
45
46
<Insert explanation of compensating security controls for partially met or not met requirements
that provide an equivalent security capability or level of protection for the information system>
47
48
49
granting system access informing potential users: (i) that the user is accessing a U.S.
Government information system; (ii) that system usage may be monitored, recorded, and
subject to audit; (iii) that unauthorized use of the system is prohibited and subject to
criminal and civil penalties; and (iv) that use of the system indicates consent to monitoring
and recording. The system use notification message provides appropriate privacy and
security notices (based on associated privacy and security policies or summaries) and
remains on the screen until the user takes explicit actions to log on to the information
system.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
50
51
52
The organization: (i) establishes usage restrictions and implementation guidance for
organization-controlled portable and mobile devices; and (ii) authorizes, monitors, and
controls device access to organizational information systems.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
53
54
55
56
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
57
58
59
60
61
62
63
64
communications sessions.
Security Control Implementation Details:
Met Partially Met Not Met N/A Common Control
PLEASE ADDRESS ONE OF THE FOLLOWING THREE AREAS (WHERE APPLICABLE) AND
PROVIDE EXPLANATIONS ACCORDINGLY
65
Appendix A
66