CMMC CA.2.157 - Develop and Periodically Update System Security Plans

Requirement text: CA.2.157: Develop, document, and periodically update system security plans that
describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
System security plans relate security requirements to a set of security controls. System
security plans also describe, at a high level, how the security controls meet those security
requirements, but do not provide detailed, technical descriptions of the design or
implementation of the controls. System security plans contain sufficient information to
enable a design and implementation that is unambiguously compliant with the intent of the
plans and subsequent determinations of risk if the plan is implemented as intended. Security
plans need not be single documents; the plans can be a collection of various documents
including documents that already exist. Effective security plans make extensive use of
references to policies, procedures, and additional documents (e.g., design and
implementation specifications) where more detailed information can be obtained. This
reduces the documentation requirements associated with security programs and maintains
security-related information in other established management/operational areas related to
enterprise architecture, system development life cycle, systems engineering, and acquisition.

Federal agencies may consider the submitted system security plans and plans of action as
critical inputs to an overall risk management decision to process, store, or transmit CUI on a
system hosted by a nonfederal organization and whether it is advisable to pursue an
agreement or contract with the nonfederal organization.

NIST SP 800-18 provides guidance on developing security plans.

CMMC CLARIFICATION
A system security plan (SSP) is a document that outlines how an organization implements
its security requirements. An SSP outlines the roles and responsibilities of security
personnel. It details the different security standards and guidelines that the organization
follows. An SSP should include high-level diagrams that show how connected systems talk
to each other. The organization should outline in its SSP its design philosophies. Design
philosophies include defense-in-depth strategies as well as allowed interfaces and network
protocols. All information in the SSP should be high-level. Include enough information in
the plan to guide the design and implementation of the organization’s systems, and reference
existing policies and procedures in the SSP rather than restating them.

Example
You are in charge of system security in your organization. As part of your job, you develop a
system security plan (SSP). The SSP tells all employees how they can meet the organization’s
system security goals. The SSP should explain how the organization’s important information is
handled: for example, who can access it, where it is stored, and how it may be transmitted.
By defining a clear SSP, you can design and build your network to ensure that it meets the
SSP-defined goals. You can also use your SSP to outline:
      • the organization’s security requirements;
      • the current status of each requirement; and
      • the plan to meet the requirements that are not yet fully implemented.
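The outline above lends itself to a simple completeness check. The following added example (not part of the CMMC or NIST text) assumes an SSP kept as a structured record and flags the gaps CA.2.157 cares about: a missing boundary, environment, control-implementation or interconnection section, a plan that has not been periodically reviewed, and requirements whose status is "planned" or "partially implemented" without a plan to meet them. The field names and the sample SSP are constructed for illustration.

```python
from datetime import date

# The four things CA.2.157 says an SSP must describe (field names are assumed).
REQUIRED_SECTIONS = ("system_boundary", "environment_of_operation",
                     "control_implementations", "interconnections")
VALID_STATUS = {"implemented", "partially_implemented", "planned", "not_applicable"}


def check_ssp(ssp, today, max_age_days=365):
    """Return a list of findings; an empty list means the SSP passed these checks."""
    findings = []
    for section in REQUIRED_SECTIONS:
        if not ssp.get(section):
            findings.append(f"missing or empty section: {section}")
    # "Periodically update": treat a plan older than max_age_days as stale.
    last = ssp.get("last_reviewed")
    if last is None:
        findings.append("no last_reviewed date recorded")
    elif (today - last).days > max_age_days:
        findings.append(f"stale: SSP not reviewed in {(today - last).days} days")
    # Each requirement needs a status, and anything not yet met needs a plan.
    for ctl in ssp.get("control_implementations", []):
        cid = ctl.get("id", "<no id>")
        status = ctl.get("status")
        if status not in VALID_STATUS:
            findings.append(f"{cid}: unknown status {status!r}")
        elif status in ("partially_implemented", "planned") and not ctl.get("plan"):
            findings.append(f"{cid}: status {status} but no plan to meet the requirement")
        elif status == "implemented" and not ctl.get("how"):
            findings.append(f"{cid}: implemented but no description of how")
    # Connections to other systems must say what talks over which protocol and why.
    for conn in ssp.get("interconnections", []):
        if not conn.get("protocol") or not conn.get("purpose"):
            findings.append(f"interconnection to {conn.get('system', '?')} lacks protocol or purpose")
    return findings


# Constructed sample SSP record; not from any real organization.
SAMPLE_SSP = {
    "system_boundary": "CUI enclave: one file server and 12 engineering workstations",
    "environment_of_operation": "on-premises, single site",
    "last_reviewed": date(2019, 1, 15),
    "control_implementations": [
        {"id": "AC.1.001", "status": "implemented", "how": "AD group policy; see Access Control Policy v3"},
        {"id": "CA.2.157", "status": "partially_implemented"},
    ],
    "interconnections": [
        {"system": "corporate email", "protocol": "SMTP over TLS", "purpose": "outbound notifications"},
        {"system": "backup service"},
    ],
}

if __name__ == "__main__":
    for finding in check_ssp(SAMPLE_SSP, today=date(2020, 6, 1)):
        print("FINDING:", finding)
```

Run against the sample, the check reports a stale plan, a partially implemented CA.2.157 with no plan, and a backup interconnection missing its protocol and purpose.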

References
• NIST SP 800-171 Rev 1 3.12.4
• NIST CSF v1.1 PR.IP-7
• NIST SP 800-53 Rev 4 PL-2