FedRAMP System Security Plan (Template)

3,113

Published on

This document details the System Security Plan (SSP) for the <information>security controls. This System Security Plan was written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems. <company> is a <privately /> owned company headquartered in <city>. Completion of this SSP, which describes how U.S. federal information will be safeguarded, is a requirement of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Public Law 100-235, the Computer Security Act of 1987.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,113
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
47
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "FedRAMP System Security Plan (Template)"

  1. 1. System Security Plan<Information System Name>, <Date> FedRAMP System Security Plan (Template) <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
  2. 2. System Security Plan<Information System Name>, <Date> System Security Plan Prepared by Identification of Organization that Prepared this Document Organization Name Street Address <insert logo> Suite/Room/Building City, State Zip Prepared for Identification of Cloud Service Provider Organization Name Street Address <insert logo> Suite/Room/Building City, State ZipCompany Sensitive and Proprietary Page 2
  3. 3. System Security Plan<Information System Name>, <Date> Executive SummaryThis document details the System Security Plan (SSP) for the <Information SystemName>security controls. This System Security Plan was written in accordance withNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18,Revision 1, Guide for Developing Security Plans for Information Technology Systems.<Company Name> is a <privately/publicly> owned company headquartered in <City,State>. Completion of this SSP, which describes how U.S. federal information will besafeguarded, is a requirement of the Office of Management and Budget (OMB) CircularA-130, Management of Federal Information Resources, Appendix III, Security of FederalAutomated Information Resources, and Public Law 100-235, the Computer Security Actof 1987.Company Sensitive and Proprietary Page 3
  4. 4. System Security Plan<Information System Name>, <Date> Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP OfficeCompany Sensitive and Proprietary Page 4
  5. 5. Table of ContentsAbout This Document ................................................................................................................................. 20Who should use this document? ................................................................................................................ 20How this document is organized ................................................................................................................. 20Conventions Used In This Document .......................................................................................................... 21How to contact us ....................................................................................................................................... 21Systems Security Plan Approvals................................................................................................................. 231. Information System Name/Title ...................................................................................................... 242. Information System Categorization................................................................................................. 242.1. Information Types ........................................................................................................................... 242.2. Security Objectives Categorization (FIPS 199) ................................................................................ 262.3. E-Authentication Determination (E-Auth) ...................................................................................... 273. Information System Owner ............................................................................................................. 284. Authorizing Official.......................................................................................................................... 285. Other Designated Contacts ............................................................................................................. 286. Assignment of Security Responsibility ............................................................................................ 297. Information System Operational Status .......................................................................................... 308. Information System Type ................................................................................................................ 308.1. Cloud Service Model ....................................................................................................................... 308.2. Leveraged Provisional Authorizations ............................................................................................. 319. General System Description ............................................................................................................ 319.1. System Function or Purpose ........................................................................................................... 329.2. Information System Components and Boundaries ......................................................................... 329.3. Types of Users ................................................................................................................................. 329.4. Network Architecture...................................................................................................................... 3310. System Environment ....................................................................................................................... 33 10.1.1. Hardware Inventory ........................................................................................................ 33 10.1.2. Software Inventory.......................................................................................................... 34 10.1.3. Network Inventory .......................................................................................................... 35 10.1.4. Data Flow ........................................................................................................................ 36 10.1.5. Ports, Protocols and Services .......................................................................................... 3611. System Interconnections ................................................................................................................. 37 Company Sensitive and Proprietary Page 5
  6. 6. <Information System Name> System Security PlanVersion <0.00> / <Date>12. Applicable Laws and Regulations .................................................................................................... 3912.1. Applicable Laws ............................................................................................................................... 3912.2. Applicable Standards and Guidance ............................................................................................... 3913. Minimum Security Controls ............................................................................................................ 4013.1. Access Control (AC) ......................................................................................................................... 53 13.1.1. Access Control Policy and Procedures Requirements (AC-1) .......................................... 53 13.1.2. Account Management (AC-2) .......................................................................................... 54 13.1.2.1. Control Enhancements for Account Management ......................................................... 56 13.1.2.1.1. Control Enhancement AC-2 (1) ................................................................................... 56 13.1.2.1.2. Control Enhancement AC-2 (2) ................................................................................... 57 13.1.2.1.3. Control Enhancement AC-2 (3) ................................................................................... 58 13.1.2.1.4. Control Enhancement AC-2 (4) ................................................................................... 58 13.1.2.1.5. Control Enhancement AC-2 (7) ................................................................................... 59 13.1.3. Access Enforcement (AC-3) ............................................................................................. 60 13.1.3.1. Control Enhancement for Access Enforcement .............................................................. 61 13.1.3.1.1. Control Enhancement AC-3 (3) ................................................................................... 61 13.1.4. Information Flow Enforcement (AC-4) ............................................................................ 63 13.1.5. Separation of Duties (AC-5)............................................................................................. 64 13.1.6. Least Privilege (AC-6) ...................................................................................................... 65 13.1.6.1. Control Enhancements for Least Privilege ...................................................................... 66 13.1.6.1.1. Control Enhancement AC-6 (1) ................................................................................... 66 13.1.6.1.2. Control Enhancement AC-6 (2) ................................................................................... 67 13.1.7. Unsuccessful Login Attempts (AC-7) ............................................................................... 68 13.1.8. System Use Notification (AC-8) ....................................................................................... 69 13.1.9. Concurrent Session Control (AC-10)................................................................................ 72 13.1.10. Session Lock (AC-11) ....................................................................................................... 72 13.1.10.1. Control Enhancements for Session Lock ......................................................................... 73 13.1.10.1.1. Control Enhancement AC-11 (1) ................................................................................. 73 13.1.11. Permitted Actions w/o Identification or Authentication (AC-14) ................................... 74 13.1.11.1. Control Enhancements for Permitted Actions w/o Identifcation or Auth. ..................... 75 13.1.11.1.1. Control Enhancement AC-14(1) .................................................................................. 75 13.1.12. Security Attributes (AC-16) ............................................................................................. 76 13.1.13. Remote Access (AC-17) ................................................................................................... 77 13.1.13.1. Control Enhancements for Remote Control .................................................................... 78 Company Sensitive and Proprietary Page 6
  7. 7. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.1.13.1.1. Control Enhancement AC-17 (1) ................................................................................. 78 13.1.13.1.2. Control Enhancement AC-17 (2) ................................................................................. 79 13.1.13.1.3. Control Enhancement AC-17 (3) ................................................................................. 80 13.1.13.1.4. Control Enhancement AC-17 (4) ................................................................................. 80 13.1.13.1.5. Control Enhancement AC-17 (5) ................................................................................. 81 13.1.13.1.6. Control Enhancement AC-17 (7) ................................................................................. 82 13.1.13.1.7. Control Enhancement AC-17 (8) ................................................................................. 83 13.1.14. Wireless Access Restrictions (AC-18) .............................................................................. 84 13.1.14.1. Wireless Access Restrictions Control Enhancements...................................................... 85 13.1.14.1.1. Control Enhancement AC-18 (1) ................................................................................. 85 13.1.14.1.2. Control Enhancement AC-18 (2) ................................................................................. 86 13.1.15. Access Control for Portable and Mobile Systems (AC-19)............................................... 86 13.1.15.1. Access Control for Portable and Mobile Systems Control Enhancements ...................... 89 13.1.15.1.1. Control Enhancement AC-19 (1) ................................................................................. 89 13.1.15.1.2. Control Enhancement AC-19 (2) ................................................................................. 89 13.1.15.1.3. Control Enhancement AC-19 (3) ................................................................................. 90 13.1.16. Use of External Information Systems (AC-20) ................................................................. 91 13.1.16.1. Use of External Information Systems Control Enhancements ........................................ 92 13.1.16.1.1. Control Enhancement AC-20 (1) ................................................................................. 92 13.1.16.1.2. Control Enhancement AC-20 (2) ................................................................................. 93 13.1.17. Publicly Accessible Content (AC-22)................................................................................ 9313.2. Awareness and Training (AT) ........................................................................................................... 95 13.2.1. Security Awareness and Training Policy and Procedures (AT-1) ..................................... 95 13.2.2. Security Awareness (AT-2)............................................................................................... 96 13.2.3. Security Training (AT-3) ................................................................................................... 97 13.2.4. Security Training Records (AT-4)...................................................................................... 9813.3. Audit and Accountability (AU)......................................................................................................... 99 13.3.1. Audit and Accountability Policy and Procedures (AU-1) ................................................. 99 13.3.2. Auditable Events (AU-2) ................................................................................................ 100 13.3.2.1. Control Enhancements for Auditable Events ................................................................ 102 13.3.2.1.1. Control Enhancement AU-2 (3) ................................................................................. 102 13.3.2.1.2. Control Enhancement AU-2 (4) ................................................................................. 103 13.3.3. Content of Audit Records (AU-3)................................................................................... 104 13.3.3.1. Control Enhancement for Content of Audit Records .................................................... 105 Company Sensitive and Proprietary Page 7
  8. 8. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.3.3.1.1. Control Enhancement AU-3 (1) ................................................................................. 105 13.3.4. Audit Storage Capacity (AU-4)....................................................................................... 106 13.3.5. Response to Audit Processing Failures (AU-5) .............................................................. 107 13.3.6. Audit Review, Analysis, and Reporting (AU-6)............................................................... 108 13.3.6.1. Control Enhancements for Audit Review, Analysis, and Reporting ............................... 109 13.3.6.1.1. Control Enhancement AU-6 (1) ................................................................................. 109 13.3.6.1.2. Control Enhancement AU-6 (3) ................................................................................. 110 13.3.7. Audit Reduction and Report Generation (AU-7) ........................................................... 111 13.3.7.1. Control Enhancement for Audit Reduction and Report Generation ............................. 111 13.3.7.1.1. Control Enhancement AU-7 (1) ................................................................................. 111 13.3.8. Time Stamps (AU-8) ...................................................................................................... 112 13.3.8.1. Control Enhancement for Time Stamps ........................................................................ 113 13.3.8.1.1. Control Enhancement AU-8 (1) ................................................................................. 113 13.3.9. Protection of Audit Information (AU-9) ........................................................................ 115 13.3.9.1. Control Enhancement for Protection of Audit Information .......................................... 115 13.3.9.1.1. Control Enhancement AU-9 (2) ................................................................................. 116 13.3.10. Non-Repudiation (AU-10).............................................................................................. 116 13.3.10.1. Control Enhancement for Non-Repudiation ................................................................. 117 13.3.10.1.1. Control Enhancement AU-10 (5) ............................................................................... 117 13.3.11. Audit Record Retention (AU-11) ................................................................................... 118 13.3.12. Audit Generation (AU-12) ............................................................................................. 11913.4. Security Assessment and Authorization (CA) ................................................................................ 120 13.4.1. Certification, Authorization, Security Assessment Policies and Procedures (CA-1) ...... 120 13.4.2. Security Assessments (CA-2) ......................................................................................... 121 13.4.2.1. Control Enhancement for Security Assessments .......................................................... 123 13.4.2.1.1. Control Enhancement CA-2 (1) ................................................................................. 123 13.4.3. Information System Connections (CA-3) ....................................................................... 124 13.4.4. Plan of Action and Milestones (CA-5) ........................................................................... 125 13.4.5. Security Authorization (CA-6)........................................................................................ 126 13.4.6. Continuous Monitoring (CA-7) ...................................................................................... 128 13.4.6.1. Control Enhancement for Continuous Monitoring ....................................................... 129 13.4.6.1.1. Control Enhancement CA-7 (2) ................................................................................. 12913.5. Configuration Management (CM) ................................................................................................. 130 13.5.1. Configuration Management Policy and Procedures (CM-1) ......................................... 130 Company Sensitive and Proprietary Page 8
  9. 9. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.5.2. Baseline Configuration and System Component Inventory (CM-2) ............................ 131 13.5.2.1. Control Enhancements for Baseline Configuration and System Component Inventory132 13.5.2.1.1. Control Enhancement CM-2 (1) ................................................................................ 132 13.5.2.1.2. Control Enhancement CM-2 (3) ................................................................................ 133 13.5.2.1.3. Control Enhancement CM-2 (5) ................................................................................ 134 13.5.3. Configuration Change Control (CM-3)........................................................................... 135 13.5.3.1. Control Enhancement for Configuration Change Control ............................................. 137 13.5.3.1.1. Control Enhancement CM-3 (2) ................................................................................ 137 13.5.4. Monitoring Configuration Changes (CM-4) ................................................................... 138 13.5.5. Access Restrictions for Change (CM-5) ......................................................................... 139 13.5.5.1. Control Enhancements for Access Restrictions for Change .......................................... 140 13.5.5.1.1. Control Enhancement CM-5 (1) ................................................................................ 140 13.5.6. Configuration Settings (CM-6)....................................................................................... 141 13.5.6.1. Control Enhancements for Configuration Settings........................................................ 143 13.5.6.1.1. Control Enhancement CM-6 (1) ................................................................................ 143 13.5.6.1.2. Control Enhancement CM-6 (3) ................................................................................ 144 13.5.7. Least Functionality (CM-7) ............................................................................................ 145 13.5.7.1. Control Enhancements for Least Functionality ............................................................. 146 13.5.7.1.1. Control Enhancement CM-7 (1) ................................................................................ 146 13.5.8. Information System Component Inventory (CM-8) ...................................................... 147 13.5.8.1. Control Enhancements for Information System Component Inventory ....................... 148 13.5.8.1.1. Control Enhancement CM-8 (1) ................................................................................ 148 13.5.8.1.2. Control Enhancement CM-8 (3) ................................................................................ 149 13.5.8.1.3. Control Enhancement CM-8 (5) ................................................................................ 150 13.5.9. Configuration Management Plan (CM-9) ...................................................................... 15013.6. Contingency Planning (CP) ............................................................................................................ 151 13.6.1. Contingency Planning Policy and Procedures (CP-1) .................................................... 151 13.6.2. Contingency Plan (CP-2) ................................................................................................ 152 13.6.2.1. Control Enhancements for Contingency Plan ............................................................... 155 13.6.2.1.1. Control Enhancement CP-2 (1).................................................................................. 155 13.6.2.1.2. Control Enhancement CP-2 (2).................................................................................. 156 13.6.3. Contingency Training (CP-3) .......................................................................................... 156 13.6.4. Contingency Plan Testing and Exercises (CP-4) ............................................................. 157 13.6.4.1. Control Enhancements for Contingency Plan Testing and Exercises ............................. 158 Company Sensitive and Proprietary Page 9
  10. 10. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.6.4.1.1. Control Enhancement CP-4 (1).................................................................................. 158 13.6.5. Alternate Storage Site (CP-6)......................................................................................... 159 13.6.5.1. Control Enhancements for Alternate Storage Site ........................................................ 160 13.6.5.1.1. Control Enhancement CP-6 (1).................................................................................. 160 13.6.5.1.2. Control Enhancement CP-6 (3).................................................................................. 161 13.6.6. Alternate Processing Site (CP-7).................................................................................... 161 13.6.6.1. Control Enhancements for Alternate Processing Site ................................................... 163 13.6.6.1.1. Control Enhancement CP-7 (1).................................................................................. 163 13.6.6.1.2. Control Enhancement CP-7 (2).................................................................................. 163 13.6.6.1.3. Control Enhancement CP-7 (3).................................................................................. 164 13.6.6.1.4. Control Enhancement CP-7 (5).................................................................................. 165 13.6.7. Telecommunications Services (CP-8) ............................................................................ 165 13.6.7.1. Control Enhancements for Telecommunications Services ............................................ 166 13.6.7.1.1. Control Enhancement CP-8 (1).................................................................................. 166 13.6.7.1.2. Control Enhancement CP-8 (2).................................................................................. 167 13.6.8. Information System Backup (CP-9)................................................................................ 168 13.6.8.1. Control Enhancements for Information System Backup ............................................... 170 13.6.8.1.1. Control Enhancement CP-9 (1).................................................................................. 170 13.6.8.1.2. Control Enhancement CP-9 (3).................................................................................. 171 13.6.9. Information System Recovery and Reconstitution (CP-10) ........................................... 172 13.6.9.1. Control Enhancements for System Recovery and Reconstitution................................. 172 13.6.9.1.1. Control Enhancement CP-10 (2)................................................................................ 172 13.6.9.1.2. Control Enhancement CP-10 (3)................................................................................ 17313.7. Identification and Authentication (IA) .......................................................................................... 174 13.7.1. Identification and Authentication Policy and Procedures (IA-1) ................................... 174 13.7.2. User Identification and Authentication (IA-2) ............................................................... 175 13.7.2.1. Control Enhancements for User Identification and Authentication ............................. 176 13.7.2.1.1. Control Enhancement IA-2 (1) .................................................................................. 176 13.7.2.1.2. Control Enhancement IA-2 (2) .................................................................................. 177 13.7.2.1.3. Control Enhancement IA-2 (3) .................................................................................. 178 13.7.2.1.4. Control Enhancement IA-2 (8) .................................................................................. 178 13.7.3. Device Identification and Authentication (IA-3) ........................................................... 179 13.7.4. Identifier Management (IA-4) ....................................................................................... 180 13.7.4.1. Control Enhancement for Identifier Management ....................................................... 182 Company Sensitive and Proprietary Page 10
  11. 11. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.7.4.1.1. Control Enhancement IA-4 (4) .................................................................................. 182 13.7.5. Authenticator Management (IA-5)................................................................................ 183 13.7.5.1. Control Enhancements for Authenticator Management .............................................. 185 13.7.5.1.1. Control Enhancement IA-5 (1) .................................................................................. 185 13.7.5.1.2. Control Enhancement IA-5 (2) .................................................................................. 187 13.7.5.1.3. Control Enhancement IA-5 (3) .................................................................................. 188 13.7.5.1.4. Control Enhancement IA-5 (6) .................................................................................. 189 13.7.5.1.5. Control Enhancement IA-5 (7) .................................................................................. 190 13.7.6. Authenticator Feedback (IA-6) ...................................................................................... 190 13.7.7. Cryptographic Module Authentication (IA-7) ............................................................... 191 13.7.1. Identification and Authentication (Non-Organizational Users) (IA-8)........................... 19213.8. Incident Response (IR) .................................................................................................................. 193 13.8.1. Incident Response Policy and Procedures (IR-1) ........................................................... 193 13.8.2. Incident Response Training (IR-2).................................................................................. 194 13.8.3. Incident Response Testing and Exercises (IR-3)............................................................. 195 13.8.4. Incident Handling (IR-4) ................................................................................................ 196 13.8.4.1. Control Enhancement for Incident Handling ................................................................ 198 13.8.4.1.1. Control Enhancement IR-4 (1)................................................................................... 198 13.8.5. Incident Monitoring (IR-5)............................................................................................. 199 13.8.6. Incident Reporting (IR-6) ............................................................................................... 200 13.8.6.1. Control Enhancement for Incident Reporting ............................................................... 201 13.8.6.1.1. Control Enhancement IR-6 (1)................................................................................... 201 13.8.7. Incident Response Assistance (IR-7).............................................................................. 202 13.8.7.1. Control Enhancements for Incident Response Assistance ............................................ 202 13.8.7.1.1. Control Enhancement IR-7 (1)................................................................................... 202 13.8.7.1.2. Control Enhancement IR-7 (2)................................................................................... 203 13.8.8. Incident Response Plan (IR-8) ....................................................................................... 20413.9. Maintenance (MA) ........................................................................................................................ 206 13.9.1. System Maintenance Policy and Procedures (MA-1) .................................................... 206 13.9.2. Controlled Maintenance (MA-2) ................................................................................... 207 13.9.2.1. Control Enhancements for Controlled Maintenance .................................................... 209 13.9.2.1.1. Control Enhancement MA-2 (1) ................................................................................ 209 13.9.3. Maintenance Tools (MA-3) ............................................................................................ 210 13.9.3.1. Control Enhancements for Maintenance Tools ............................................................. 211 Company Sensitive and Proprietary Page 11
  12. 12. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.9.3.1.1. Control Enhancement MA-3 (1) ................................................................................ 211 13.9.3.1.2. Control Enhancement MA-3 (2) ................................................................................ 212 13.9.3.1.3. Control Enhancement MA-3 (3) ................................................................................ 212 13.9.4. Remote Maintenance (MA-4) ....................................................................................... 213 13.9.4.1. Control Enhancements for Remote Maintenance ........................................................ 214 13.9.4.1.1. Control Enhancement MA-4 (1) ................................................................................ 215 13.9.4.1.2. Control Enhancement MA-4 (2) ................................................................................ 215 13.9.5. Maintenance Personnel (MA-5) .................................................................................... 216 13.9.6. Timely Maintenance (MA-6) ......................................................................................... 21713.10. Media Protection (MP).................................................................................................................. 218 13.10.1. Media Protection Policy and Procedures (MP-1) .......................................................... 218 13.10.2. Media Access (MP-2)..................................................................................................... 219 13.10.2.1. Control Enhancements for Media Access ..................................................................... 221 13.10.2.1.1. Control Enhancement MP-2 (1) ................................................................................ 221 13.10.3. Media Labeling (MP-3) .................................................................................................. 222 13.10.4. Media Storage (MP-4) ................................................................................................... 223 13.10.4.1. Control Enhancements for Media Storage .................................................................... 225 13.10.4.1.1. Control Enhancement MP-4 (1) ................................................................................ 225 13.10.5. Media Transport (MP-5) ................................................................................................ 225 13.10.5.1. Control Enhancements for Media Transport................................................................. 227 13.10.5.1.1. Control Enhancement MP-5 (2) ................................................................................ 227 13.10.5.1.2. Control Enhancement MP-5 (4) ................................................................................ 227 13.10.6. Media Sanitization and Disposal (MP-6) ....................................................................... 228 13.10.6.1.1. Control Enhancement MP-6 (4) ................................................................................ 22913.11. Physical and Environmental Protection (PE) ................................................................................. 230 13.11.1. Physical and Environmental Protection Policy and Procedures (PE-1) ......................... 230 13.11.2. Physical Access Authorizations (PE-2) ........................................................................... 231 13.11.3. Physical Access Control (PE-3)....................................................................................... 232 13.11.4. Access Control for Transmission Medium (PE-4) .......................................................... 234 13.11.5. Access Control for Display Medium (PE-5) .................................................................... 235 13.11.6. Monitoring Physical Access (PE-6) ................................................................................ 236 13.11.6.1. Control Enhancements for Monitoring Physical Access ................................................ 237 13.11.6.1.1. Control Enhancement PE-6 (1) .................................................................................. 237 13.11.7. Visitor Control (PE-7)..................................................................................................... 238 Company Sensitive and Proprietary Page 12
  13. 13. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.11.7.1. Control Enhancements for Vistor Control ..................................................................... 238 13.11.7.1.1. Control Enhancement PE-7 (1) .................................................................................. 238 13.11.8. Access Records (PE-8) ................................................................................................... 239 13.11.9. Power Equipment and Power Cabling (PE-9) ................................................................ 240 13.11.10. Emergency Shutoff (PE-10) ........................................................................................... 241 13.11.11. Emergency Power (PE-11) ............................................................................................. 242 13.11.12. Emergency Lighting (PE-12) .......................................................................................... 243 13.11.13. Fire Protection (PE-13) .................................................................................................. 244 13.11.13.1. Control Enhancements for Fire Protection ................................................................... 245 13.11.13.1.1. Control Enhancement PE-13 (1) .......................................................................... 245 13.11.13.1.2. Control Enhancement PE-13 (2) .......................................................................... 245 13.11.13.1.3. Control Enhancement PE-13 (3) .......................................................................... 246 13.11.14. Temperature and Humidity Controls (PE-14) ................................................................ 247 13.11.15. Water Damage Protection (PE-15) ................................................................................ 248 13.11.16. Delivery and Removal (PE-16) ....................................................................................... 249 13.11.17. Alternate Work Site (PE-17) .......................................................................................... 249 13.11.18. Location of Information System Components (PE-18) .................................................. 25113.12. Planning (PL) ................................................................................................................................. 252 13.12.1. Security Planning Policy and Procedures (PL-1) ............................................................ 252 13.12.2. System Security Plan (PL-2) ........................................................................................... 253 13.12.3. Rules of Behavior (PL-4) ................................................................................................ 254 13.12.4. Privacy Impact Assessment (PL-5)................................................................................. 255 13.12.5. Security-Related Activity Planning (PL-6) ...................................................................... 25613.13. Personnel Security (PS) ................................................................................................................. 257 13.13.1. Personnel Security Policy and Procedures (PS-1) .......................................................... 257 13.13.2. Position Categorization (PS-2) ....................................................................................... 258 13.13.3. Personnel Screening (PS-3) ........................................................................................... 259 13.13.4. Personnel Termination (PS-4) ........................................................................................ 259 13.13.5. Personnel Transfer (PS-5) .............................................................................................. 261 13.13.6. Access Agreements (PS-6) ............................................................................................. 262 13.13.7. Third-Party Personnel Security (PS-7) ........................................................................... 263 13.13.8. Personnel Sanctions (PS-8)............................................................................................ 26413.14. Risk Assessment (RA) .................................................................................................................... 265 13.14.1. Risk Assessment Policy and Procedures (RA-1)............................................................. 265 Company Sensitive and Proprietary Page 13
  14. 14. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.14.2. Security Categorization (RA-2) ...................................................................................... 266 13.14.3. Risk Assessment (RA-3) ................................................................................................. 267 13.14.4. Vulnerability Scanning (RA-5) ........................................................................................ 269 13.14.4.1. Control Enhancements for Vulnerability Scanning ....................................................... 271 13.14.4.1.1. Control Enhancement RA-5 (1) ................................................................................. 271 13.14.4.1.2. Control Enhancement RA-5 (2) ................................................................................. 271 13.14.4.1.3. Control Enhancement RA-5 (3) ................................................................................. 272 13.14.4.1.4. Control Enhancement RA-5 (6) ................................................................................. 273 13.14.4.1.5. Control Enhancement RA-5 (9) ................................................................................. 27313.15. System and Services Acquisition (SA)............................................................................................ 274 13.15.1. System and Services Acquisition Policy and Procedures (SA-1) .................................... 274 13.15.2. Allocation of Resources (SA-2) ...................................................................................... 275 13.15.3. Life Cycle Support (SA-3) ............................................................................................... 276 13.15.4. Acquisitions (SA-4) ........................................................................................................ 277 13.15.4.1. Control Enhancements for Acquisitions ........................................................................ 279 13.15.4.1.1. Control Enhancement SA-4 (1).................................................................................. 279 13.15.4.1.2. Control Enhancement SA-4 (4).................................................................................. 279 13.15.4.1.3. Control Enhancment SA-4 (7).................................................................................... 280 13.15.5. Information System Documentation (SA-5) .................................................................. 281 13.15.5.1.1. Control Enhancement SA-5 (1).................................................................................. 282 13.15.5.1.2. Control Enhancement SA-5 (3).................................................................................. 283 13.15.6. Software Usage Restrictions (SA-6) ............................................................................... 284 13.15.7. User Installed Software (SA-7) ...................................................................................... 285 13.15.8. Security Engineering Principles (SA-8) .......................................................................... 286 13.15.9. External Information System Services (SA-9) ................................................................ 286 13.15.9.1.1. Control Enhancement SA-9 (1).................................................................................. 287 13.15.10. Developer Configuration Management (SA-10)............................................................ 289 13.15.11. Developer Security Testing (SA-11) ............................................................................... 291 13.15.11.1. Control Enhancements for Developer Security Testing................................................. 292 13.15.11.1.1. Control Enhancement SA-11 (1) .......................................................................... 292 13.15.12. Supply Chain Protection (SA-12) ................................................................................... 29313.16. System and Communications Protection (SC) ............................................................................... 294 13.16.1. System & Communications Protection Policy and Procedures (SC-1)........................... 294 13.16.2. Application Partitioning (SC-2) ...................................................................................... 295 Company Sensitive and Proprietary Page 14
  15. 15. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.16.3. Information In Shared Resources (SC-4) ....................................................................... 296 13.16.4. Denial of Service Protection (SC-5) ............................................................................... 297 13.16.5. Resource Priority (SC-6) ................................................................................................ 298 13.16.6. Boundary Protection (SC-7)........................................................................................... 298 13.16.6.1. Control Enhancements for Boundary Protection .......................................................... 299 13.16.6.1.1. Control Enhancement SC-7 (1) .................................................................................. 299 13.16.6.1.2. Control Enhancement SC-7 (2) .................................................................................. 301 13.16.6.1.3. Control Enhancement SC-7 (3) .................................................................................. 302 13.16.6.1.4. Control Enhancement SC-7 (4) .................................................................................. 302 13.16.6.1.5. Control Enhancement SC-7 (5) .................................................................................. 304 13.16.6.1.6. Control Enhancement SC-7 (7) .................................................................................. 305 13.16.6.1.7. Control Enhancement SC-7 (8) .................................................................................. 305 13.16.6.1.8. Control Enhancement SC-7 (12) ................................................................................ 306 13.16.6.1.9. Control Enhancement SC-7 (13) ................................................................................ 307 13.16.6.1.10. Control Enhancement SC-7 (18) .......................................................................... 308 13.16.7. Transmission Integrity (SC-8)......................................................................................... 309 13.16.7.1. Control Enhancement for Transmission Integrity ......................................................... 309 13.16.7.1.1. Control Enhancement SC-8 (1) .................................................................................. 309 13.16.8. Transmission Confidentiality (SC-9)............................................................................... 310 13.16.8.1. Control Enhancement for Transmission Confidentiality ............................................... 311 13.16.8.1.1. Control Enhancement SC-9 (1) .................................................................................. 311 13.16.9. Network Disconnect (SC-10) ......................................................................................... 312 13.16.10. Trusted Path (SC-11) ...................................................................................................... 313 13.16.11. Cryptographic Key Establishment & Management (SC-12) ........................................... 314 13.16.11.1. Control Enhancements for Cryptographic Key Establishment & Management ............ 315 13.16.11.1.1. Control Enhancement SC-12 (2) .......................................................................... 315 13.16.11.1.2. Control Enhancement SC-12 (5) .......................................................................... 315 13.16.12. Use of Cryptography (SC-13) ......................................................................................... 316 13.16.12.1. Control Enhancement for Use of Cryptography ............................................................ 317 13.16.12.1.1. Control Enhancement SC-13 (1) .......................................................................... 317 13.16.13. Public Access Protections (SC-14) ................................................................................. 318 13.16.14. Collaborative Computing (SC-15) .................................................................................. 318 13.16.15. Public Key Infrastructure Certificates (SC-17) ............................................................... 320 13.16.16. Mobile Code (SC-18) ..................................................................................................... 321 Company Sensitive and Proprietary Page 15
  16. 16. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.16.17. Voice Over Internet Protocol (SC-19) ............................................................................ 322 13.16.18. Secure Name-Address Resolution Service (Authoritative Source) (SC-20) ................... 323 13.16.18.1. Control Enhancement for Secure Name-Address Resolution Service........................... 324 13.16.18.1.1. Control Enhancement SC-20 (1) .......................................................................... 324 13.16.19. Secure Name-Address Resolution Service (Recursive or Caching Resolver) (SC-21) .... 325 13.16.20. Architecture and Provisioning for Name-Address Resolution Service (SC-22) ............. 325 13.16.21. Session Authenticity (SC-23) ......................................................................................... 326 13.16.22. Protection of Information At Rest (SC-28)..................................................................... 327 13.16.23. Virtualization Techniques (SC-30) ................................................................................. 328 13.16.24. Information System Partitioning (SC-32)....................................................................... 32813.17. System and Information Integrity (SI) ........................................................................................... 329 13.17.1. System & Information Integrity Policy & Procedures (SI-1) .......................................... 329 13.17.2. Flaw Remediation (SI-2) ................................................................................................ 330 13.17.2.1. Control Enhancement for Flaw Remediation ................................................................ 331 13.17.2.1.1. Control Enhancement SI-2 (2) ................................................................................... 331 13.17.3. Malicious Code Protection (SI-3)................................................................................... 332 13.17.3.1. Control Enhancements for Malicious Code Protection ................................................. 334 13.17.3.1.1. Control Enhancement SI-3 (1) ................................................................................... 334 13.17.3.1.2. Control Enhancement SI-3 (2) ................................................................................... 335 13.17.3.1.3. Control Enhancement SI-3 (3) ................................................................................... 335 13.17.4. Information System Monitoring Tools & Techniques (SI-4)........................................... 336 13.17.4.1. Control Enhancements for Information System Monitoring Tools & Techniques ......... 338 13.17.4.1.1. Control Enhancement SI-4 (2) ................................................................................... 338 13.17.4.1.2. Control Enhancement SI-4 (4) ................................................................................... 338 13.17.4.1.3. Control Enhancement SI-4 (5) ................................................................................... 339 13.17.4.1.4. Control Enhancement SI-4 (6) ................................................................................... 340 13.17.5. Security Alerts & Advisories (SI-5)................................................................................. 341 13.17.6. Security Functionality Verification (SI-6) ....................................................................... 343 13.17.7. Software & Information Integrity (SI-7) ........................................................................ 343 13.17.7.1. Control Enhancement for Software & Information Integrity ........................................ 344 13.17.7.1.1. Control Enhancement SI-7 (1) ................................................................................... 344 13.17.8. Spam Protection (SI-8) .................................................................................................. 345 13.17.9. Information Input Restrictions (SI-9)............................................................................. 346 13.17.10. Information Input Accuracy, Completeness, Validity, and Authenticity (SI-10) ............ 347 Company Sensitive and Proprietary Page 16
  17. 17. <Information System Name> System Security PlanVersion <0.00> / <Date> 13.17.11. Error Handling (SI-11).................................................................................................... 348 13.17.12. Information Output Handling and Retention (SI-12) .................................................... 34914. SYSTEMS SECURITY PLAN ATTACHMENTS ..................................................................................... 35114.1. ATTACHMENT 1 - [Information Security Policies].......................................................................... 35114.2. ATTACHMENT 2 - [User Guide] ...................................................................................................... 35114.3. ATTACHMENT 3 - [e-Authentication Worksheet] .......................................................................... 35114.4. ATTACHMENT 4 - [PTA and/OR PIA] .............................................................................................. 35114.5. ATTACHMENT 5 - [Rules of Behavior]............................................................................................ 35114.6. ATTACHMENT 6 - [IT Contingency Plan] ........................................................................................ 35114.7. ATTACHMENT 7 - [Configuration Management Plan] ................................................................... 35114.8. ATTACHMENT 8 - [Incident Response Plan] .................................................................................. 35114.9. ATTACHMENT 9 - [CIS Workbook] ................................................................................................. 351 Company Sensitive and Proprietary Page 17
  18. 18. <Information System Name> System Security PlanVersion <0.00> / <Date> Acronym Definition 3PAO Third Party Assessment Organization ATO Authority To Operate CONOPS Concept Of Operations CSP Cloud Service Provider DHS Department of Homeland Security FedRAMP Federal Risk and Authorization Management Program FIPS Federal Information Processing Standard GSA General Services Administration ISSO Information System Security Officer JAB Joint Authorization Board NIST National Institute of Standards and Technology OMB Office of Management and Budget PII Personally Identifiable Information PMO Program Management Office POA&M Plan Of Action & Milestones SAP Security Assessment Plan SLA Service Level Agreement SOC Security Operations Center SSP System Security Plan US-CERT U.S. Computer Emergency Response Team List of TablesTable 1-1. Information System Name and Title ........................................................................................... 24Table 2-1. Security Categorization............................................................................................................... 24Table 2-2. Sensitivity Categorization of Information Types ......................................................................... 26Table 2-3. Security Impact Level ................................................................................................................. 26Table 2-4. Baseline Security Categorization ................................................................................................ 27Table 2-5. E-Authentication Questions ....................................................................................................... 27Table 2-6. E-Authentication Level Determination ....................................................................................... 27Table 3-1. Information System Owner ........................................................................................................ 28Table 5-1. Information System Management Point of Contact ................................................................... 28Table 5-2. Information System Technical Point of Contact.......................................................................... 29Table 6-1. Information System Security Officer (ISSO) or Equivalent.......................................................... 29Table 6-2. Information System Security Manager (ISSM) of Equivalent ..................................................... 29Table 7-1. System Status ............................................................................................................................. 30 Company Sensitive and Proprietary Page 18
  19. 19. <Information System Name> System Security PlanVersion <0.00> / <Date>Table 8-1. Service Layers Represented in this SSP ...................................................................................... 31Table 8-2. Leveraged Authorizations ........................................................................................................... 31Table 9-1. User Roles and Privileges............................................................................................................ 32Table 10-1. Server Hardware Components ................................................................................................. 34Table 10-2. Software Components .............................................................................................................. 34Table 10-3. Network Components .............................................................................................................. 35Table 10-4. Ports, Protocols, and Services .................................................................................................. 36Table 11-1. System Interconnections .......................................................................................................... 37Table 13-1. Summary of Required Security Controls .................................................................................. 41Table 13-2. Authorized Connections ......................................................................................................... 124 List of FiguresFigure 10-1. Network Diagram .................................................................................................................... 33Figure 10-2. Data Flow Diagram .................................................................................................................. 36 Company Sensitive and Proprietary Page 19
  20. 20. <Information System Name> System Security PlanVersion <0.00> / <Date>ABOUT THIS DOCUMENTThis document is released in template format. Once populated with content, this document willinclude detailed information about service provider information security controls. WHO SHOULD USE THIS DOCUMENT?This document is intended to be used by service providers who are applying for a ProvisionalAuthorization through the U.S. federal government FedRAMP program. U.S. federal agenciesmay want to use it to document information systems security plans that are not part of theFedRAMP program.Other uses of this template include using it to document organizational information securitycontrols for the purpose of creating a plan to manage a large information security infrastructure.Complex and sophisticated systems are difficult to manage without a documented understandingof how the infrastructure is architected. HOW THIS DOCUMENT IS ORGANIZEDThis document is divided into sixsections and includes<number> attachments. Most sectionsinclude subsections.Section 1identifies the system.Section 2describes the system categorization in accordance with FIPS 199.Section 3 identifies the system owner and provides contact information.Section 4 identifies the authorizing official.Section 5 identifies other designated contacts.Section 6 identifies the assignment of security responsibility.Section 7 identifies the operational status of the information system.Section 8 identifies the type of information system.Section 9 describes the function and purpose of the information system.Section 10 describes the information system environment.Section 11 identifies interconnections between other information systems.Section 12 describes laws and regulations related to operations of the information system. Company Sensitive and Proprietary Page 20
  21. 21. <Information System Name> System Security PlanVersion <0.00> / <Date>Section 13 provides an in-depth description of how each security control is implemented. CONVENTIONS USED IN THIS DOCUMENTThis document uses the following typographical conventions:ItalicItalics are used for email addresses, security control assignments parameters, and formaldocument names.Italic blue in a boxItalic blue text in a blue boxindicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template.BoldBold text indicates a parameter or an additional requirement.Constant widthConstant width text is used for text that is representative of characters that would show up on acomputer screen.<Brackets>Blue bold text in brackets indicates a user defined variable that should be replaced with a specificname. Once the text has been replaced, the brackets should be removed.Notes Notes are found between parallel lines and include additional information that may be helpfulto the users of this template. Note: This is a note.Sans SerifSans Serif text is used for tables, table captions, figure captions, and table of contents.Sans Serif GraySans Serif gray text is used for examples. HOW TO CONTACT USIf you have questions about FedRAMP, or if you have technical questions about this documentincluding how to use it, write to: Company Sensitive and Proprietary Page 21
  22. 22. <Information System Name> System Security PlanVersion <0.00> / <Date> info@fedramp.govFor more information about the FedRAMP project, please see the website at: http://www.fedramp.gov. Company Sensitive and Proprietary Page 22
  23. 23. <Information System Name> System Security PlanVersion <0.00> / <Date>SYSTEMS SECURITY PLAN APPROVALSx x<Name> <Date> <Name> <Date><Title> System Owner <Title>System OwnerCloud Service Provider Name Cloud Service Provider Namex x<Name> <Date> <Name> <Date><Title> System Owner FedRAMP Authorizing OfficialCloud Service Provider Name Company Sensitive and Proprietary Page 23
  24. 24. <Information System Name> System Security PlanVersion <0.00> / <Date>1. INFORMATION SYSTEM NAME/TITLEThis System Security Plan provides an overview of the security requirements for the<Information System Name>(<Information System Abbreviation>) and describes thecontrols in place or planned for implementation to provide a level of security appropriate for theinformation to be transmitted, processed or stored by the system. Information security is an assetvital to our critical infrastructure and its effective performance and protection is a key componentof our national security program. Proper management of information technology systems isessential to ensure the confidentiality, integrity and availability of thedata transmitted, processedor stored by the <Information System Name> information system.The security safeguards implemented for the <Information System Name>system meet thepolicy and control requirements set forth in this System Security Plan. All systems are subject tomonitoring consistent with applicable laws, regulations, agency policies, procedures andpractices. Table 1-1. Information System Name and Title UniqueIdentifier Information System Name Information System Abbreviation2. INFORMATION SYSTEM CATEGORIZATIONThe overall information system sensitivity categorization is noted in the table that follows. Table 2-1. Security Categorization Low Moderate High 2.1. INFORMATION TYPESThis section describes how the information types used by the information system are categorizedfor confidentiality, integrity, and availability sensitivity levels.The following tables identify the information types that are input, stored, processed, and/oroutput from <Information System Name>. The selection of the information types is based onguidance provided by OMB Federal Enterprise Architecture Program Management OfficeBusiness Reference Model 2.0, and FIPS Pub 199, Standards for Security Categorization ofFederal Information and Information Systems which is based on NIST SP 800-60, Guide forMapping Types of Information and Information Systems to Security Categories. Company Sensitive and Proprietary Page 24
  25. 25. <Information System Name> System Security PlanVersion <0.00> / <Date>The tables also identify the security impact levels for confidentiality, integrity, and availabilityfor each of the information types expressed as low, moderate, or high. The security impact levelsare based on the potential impact definitions for each of the security objectives (i.e.,confidentiality, integrity, and availability) discussed in NIST SP 800-60 and FIPS Pub 199.The potential impact is low if— - The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. - A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.The potential impact is moderate if— - The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. - A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.The potential impact is high if— - The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. - A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. Company Sensitive and Proprietary Page 25
  26. 26. <Information System Name> System Security PlanVersion <0.00> / <Date> Instruction: Record your information types in the table that follow. Record the sensitivity level for Confidentiality, Integrity, and Availability as High, Moderate, or Low. Add more rows as needed to add more information types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision 1 for guidance. Note: The information types found in NIST SP 800-60, Volumes I and II Revision 1 are the same information types found in the Federal Enterprise Architecture (FEA) Consolidated Reference Model. Table 2-2. Sensitivity Categorization of Information Types Information Type Confidentiality Integrity Availability 2.2. SECURITY OBJECTIVES CATEGORIZATION (FIPS 199)Based on the information provided in Table 2-2, Information Types, for the <InformationSystem Name> default to the high-water mark for the noted Information Types as identified inthe table below. Table 2-3. Security Impact Level Security Objective Low, Moderate or High Confidentiality Integrity Availability Note: Please refer to FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems.Through review and analysis it has been determined that the baseline security categorization forthe <Information System Name> system is listed in the table that follows. Company Sensitive and Proprietary Page 26
  27. 27. <Information System Name> System Security PlanVersion <0.00> / <Date> Table 2-4. Baseline Security Categorization <Information System Name> Security Categorization Low, Moderate or HighUsing this categorization, in conjunction with the risk assessment and any unique securityrequirements, we have established the security controls for this system, as detailed in this SSP. 2.3. E-AUTHENTICATION DETERMINATION (E-AUTH)The information system e-Authentication Determination is described in the table that follows. Table 2-5. E-Authentication Questions Yes No E-Authentication Question Does the system require authentication via the Internet? Is data being transmitted over the Internet via browsers? Do users connect to the system from over the Internet?Instruction: Any information system that has a “No” response toany one of the three questionsdoes not need an E-Authentication risk analysis or assessment.For a system that has a "Yes"response to all of the questions, complete the E-Authentication Plan (a template is available). Note: Please refer to OMB Memo M-04-04 E-Authentication Guidance for Federal Agencies for more information on e-Authentication.The summary E-Authentication Level is recorded in the table that follows. Table 2-6. E-Authentication Level Determination E-Authentication Determination System Name System Owner Assurance Level Date Approved Company Sensitive and Proprietary Page 27
  28. 28. <Information System Name> System Security PlanVersion <0.00> / <Date>3. INFORMATION SYSTEM OWNERThe following individual is identified as the system owner or functional proponent/advocate forthis system. Table 3-1. Information System Owner Name Title Company / Organization Address Phone Number Email Address4. AUTHORIZING OFFICIALThe Authorizing Official (AO) or Designated Approving Authority (DAA) for this informationsystem is the Federal Risk Authorization Management Program (FedRAMP), Joint AuthorizationBoard (JAB) as comprised of member representatives from the General Services Administration(GSA), Department of Defense (DOD) and Department of Homeland Security (DHS).5. OTHER DESIGNATED CONTACTSThe following individual(s) identified below possess in-depth knowledge of this system and/orits functions and operation. Table 5-1. Information System Management Point of Contact Name Title Company / Organization Address Phone Number Company Sensitive and Proprietary Page 28
  29. 29. <Information System Name> System Security PlanVersion <0.00> / <Date> Email Address Table 5-2. Information System Technical Point of Contact Name Title Company / Organization Address Phone Number Email Address Instruction: Add more tables as needed.6. ASSIGNMENT OF SECURITY RESPONSIBILITYThe following individual(s) identified below have been appointed in writing and are deemed tohave significant cyber and operational role responsibilities (i.e. ISSO or ISSM or equivalent). Table 6-1. Information System Security Officer (ISSO) or Equivalent Name Title Company / Organization Address Phone Number Email Address Table 6-2. Information System Security Manager (ISSM) of Equivalent Name Title Company / Organization Company Sensitive and Proprietary Page 29
  30. 30. <Information System Name> System Security PlanVersion <0.00> / <Date> Address Phone Number Email Address Instruction: Add more tables as needed.7. INFORMATION SYSTEM OPERATIONAL STATUSThe system is currently in the life-cycle phase noted in the table that follows. Table 7-1. System Status System Status Operational The system is operating and in production. Under Development The system is being designed, developed, or implemented Major Modification The system is undergoing a major change, development, or transition. Other Explain:Instruction: If more than one status is selected, list which part of the system is covered undereach status.8. INFORMATION SYSTEM TYPEThe <Information System Name> makes use of unique managed service provider architecturelayer(s). 8.1. CLOUD SERVICE MODELInformation systems, particularly those based on cloud architecture models, are made up ofdifferent service layers.The layers of the <Information System Name> that are defined in thisSSP, and are not leveraged by any other Provisional Authorizations, are indicated in the table thatfollows. Instruction: Check all layers that apply. Company Sensitive and Proprietary Page 30
  31. 31. <Information System Name> System Security PlanVersion <0.00> / <Date> Table 8-1. Service Layers Represented in this SSP Service Provider Architecture Layers Software as a Service (SaaS) Major Application Platform as a Service (PaaS) Major Application Infrastructure as a Service (IaaS) General Support System Other Explain: Note: Please refer to NIST SP 800-145 for information on cloud computing architecture models. 8.2. LEVERAGED PROVISIONAL AUTHORIZATIONSInstruction: The FedRAMP program qualifies different service layers for ProvisionalAuthorizations. One, or multiple service layers, can be qualified in one System Security Plan.See the section on Use Cases in Guide to Understanding FedRAMP for more information.If a lower level layer has been granted a Provisional Authorization, and another higher levellayer represented by this SSP plans to leverage a lower layer’s Provisional Authorization, thisSystem Security Plan must clearly state that intention.If an information system does notleverage any pre-existing Provisional Authorizations, write “None” in the first column of thetable that follows. Add as many rows as necessary in the table that follows.The <Information System Name><plans to/does not plan to> leverage a pre-existingProvisional Authorization. Provisional Authorizations leveraged by this <Information SystemName> are noted in the table that follows. Table 8-2. Leveraged Authorizations Information System Name Service Provider Owner Date Granted9. GENERAL SYSTEM DESCRIPTIONThis section includes a general description of the <Information System Name>. Company Sensitive and Proprietary Page 31
  32. 32. <Information System Name> System Security PlanVersion <0.00> / <Date> 9.1. SYSTEM FUNCTION OR PURPOSEInstruction: In the space that follows, describe the purpose and functions of this system. 9.2. INFORMATION SYSTEM COMPONENTS AND BOUNDARIESInstruction: In the space that follows, describe the information system’s major components,inter-connections, and boundaries in sufficient detail that accurately depicts the authorizationboundary for the information system. Formal names of components as they are known at theservice provider organization in functional specs, configuration guides, other documents, andlive configurations should be named here and described. Please ensure that the discussion onboundaries is consistent with the network diagram shown in Section 3.11. Please see Guide toUnderstanding FedRAMP for more information. 9.3. TYPES OF USERSAll users have their employee status categorized with a sensitivity level in accordance with PS-2.Employees (or contractors) of service providers are considered Internal Users. All other users areconsidered External Users. User privileges (authorization permission after authentication takesplace) are described in the table that follows. Table 9-1. User Roles and Privileges Authorized Privileges and Role Internal or External Sensitivity Level Functions Performed Company Sensitive and Proprietary Page 32
  33. 33. <Information System Name> System Security PlanVersion <0.00> / <Date> Note: User roles typically align with Active Directory, LDAP, Role-based Access Controls (RBAC), NIS and UNIX groups, and/or UNIX netgroups.There are currently <number> of internal users and <number> of external users. Within oneyear, it is anticipated that there will be <number> of internal users and <number> of externalusers. 9.4. NETWORK ARCHITECTURE Instruction: Insert a network architectural diagram in the space that follows. Ensure that the following items are labeled on the diagram: hostnames, DNS servers, authentication and access control servers, directory servers, firewalls, routers, switches, database servers, major applications, Internet connectivity providers, telecom circuit numbers, and network numbers/VLANs.The following architectural diagram(s) provides a visual depiction of the major hardwarecomponents that constitute <Information System Name>. <insert diagram> Figure 10-1. Network Diagram10. SYSTEM ENVIRONMENT Instruction: In the space that follows, provide a general description of the technical system environment. Include information about all system environments that are used, e.g. production environment, test environment, staging or QA environments. 10.1.1. Hardware InventoryThe following table lists the principal server hardware components for <Information SystemName>. Instruction: Please include server hardware and any major storage components in this table. The first three rows are sample entries. If your service offering does not include hardware because you are leveraging all hardware from a pre-existing Provisional Authorization, write “None” in the first column.Add additional rows as needed. Company Sensitive and Proprietary Page 33
  34. 34. <Information System Name> System Security PlanVersion <0.00> / <Date> Table 10-1. Server Hardware Components Hostname Make Model and Location Components that Use this Firmware Device hostname1.com Company SilverEdge M710, Dallas, Rm. 6, Rack 4 AppOne, EAuthApp 4.6ios hostname2.com Company SilverEdge M610, Datacenter2, Rack 7 VMs 1-50 4.6ios Not Applicable Company iSCSI SAN Storage Bldg 4, Rm 7 SAN Storage Note: A complete and detailed list of the system hardware and software inventory is required per NIST SP 800-53, Rev 3 CM-2. 10.1.2. Software InventoryThe following table lists the principle software components for <Information System Name>. Instruction: Please include any middleware, databases, or secure file transfer applications in this table. The first three rows are sample entries. The first three rows are sample entries. Add additional rows as needed. Table 10-2. Software Components Hostname Function Version Patch Level Virtual (Yes / No) hostname1.com Physical Host for Virtual XYZi.4.x vSphere Update 1 No Infrastructure Company Sensitive and Proprietary Page 34
  35. 35. <Information System Name> System Security PlanVersion <0.00> / <Date> Hostname Function Version Patch Level Virtual (Yes / No) hostname2.com Virtual Machine Application Server Windows 2003 Server SP2 Yes hostname3.com Virtual Database SQL Server 6.4.22 build 7 SP1 Yes 10.1.3. Network InventoryThe following table lists the principle network devices and components for <InformationSystem Name>. Instruction: Please include any switches, routers, hubs, and firewalls that play a role in protecting the information system, or that enable the network to function properly. The first three rows are sample entries. If all network devices and components are leveraged from a pre- existing Provisional Authorization, write “Leveraged” in the first column. Add additional rows as needed. Table 10-3. Network Components Hostname Make Model IP Address Function router-dallas RouterCo 2800 192.168.0.1 router switch-1 SwitchCo EZSX55W 10.5.3.1 switch fw.yourcompany.com FirewallCo 21400, R71.x 192.168.0.2 firewall Company Sensitive and Proprietary Page 35
  36. 36. 10.1.4. Data Flow Instruction: In the space that follows, describe the flow of data in and out of system boundaries and insert a data flow diagram. See Guide to Understanding FedRAMP for a dataflow example. <insert diagram> Figure 10-2. Data Flow Diagram 10.1.5. Ports, Protocols and ServicesThe table below lists the Ports, Protocols, and Services enabled in this information system.TCP ports are indicated with a T and UDPports are indicated with a U. Instruction: In the column labeled “Used By” please indicate the components of the information system that make use of the ports, protocols, and services. In the column labeled “Purpose” indicate the purpose for the service (e.g. system logging, HTTP redirector, load balancing). This table should be consistent with CM-6 and CM-7. You must fill out this table, even if you are leveraging a pre-existing Provisional Authorization. Add more rows as needed. Table 10-4. Ports, Protocols, and Services Ports (T or U) Protocols Services Purpose Used By Company Sensitive and Proprietary Page 36
  37. 37. <Information System Name> System Security PlanVersion <0.00> / <Date> Ports (T or U) Protocols Services Purpose Used By11. SYSTEM INTERCONNECTIONSInstruction: List all interconnected systems. Provide the IP address and interface identifier (ie0, ie1, ie2) for the CSP system thatprovides the connection. Name the external organization and the IP address of the external system. Indicate how the connection isbeing secured. For Connection Security indicate how the connection is being secured. For Data Direction, indicate which directionthe packets are flowing. For Information Being Transmitted, describe what type of data is being transmitted. If a dedicated telecomline is used, indicate the circuit number. Add additional rows as needed. This table should be consistent with CA-3. Table 11-1. System Interconnections External Connection Security Data Organization External Point of (IPSec VPN, SSL, Direction(incomi CSP IP Address Name, IP Contact and Certificates, Secure ng, outgoing, or Information Being Transmitted Ports or Circuit # and Interface Address of Phone Number File Transfer etc.) both) System Company Sensitive and Proprietary Page 37

×