System Security Plans are part of the required documentation for certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers; who is responsible for the SSP, plan contents, overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what a SSP is not
24. Donald E. Hester
CISSP, CISA, CAP, MCT, MCSE Security, MCSA Security, MCDST, Security+, CTT+, MV
Maze & Associates / San Diego City College
Email: DonaldH@MazeAssociates.com
https://www.linkedin.com/in/donaldehester
Editor's Notes
System Security Plans are part of the required documentation for certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers; who is responsible for the SSP, plan contents, overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what a SSP is not.
The danger is the plan could be treated as ‘check box’ and not given proper place.
SAN FRANCISCO — A pair of security experts, one of them a former federal chief information security officer, gave a harsh critique Tuesday of the Federal Information Security Management Act as a well-intentioned but fundamentally flawed tool.
“A lot of your money is being thrown away,” Alan Paller, director of research for the SANS Institute, told an audience at the RSA IT security conference.
The 2002 act mandates security planning for agencies, requiring a risk analysis of IT systems, and certification and accreditation of those systems.
“FISMA wasn’t written badly, but the measuring system they are using is broken,” Paller said. “What we measure now is, ‘Do you have a plan?’ ” Not whether the plan actually improves security.
Too often, the plans do not improve security, said Bruce Brody, vice president of information assurance at CACI International Inc. and formerly with the Veterans Affairs and Energy departments
“Federal systems and networks are like Swiss cheese,” Brody said. “FISMA over five years has not helped us to be appreciably more secure.”
The speakers described the risk analysis and C&A processes as paperwork drills that let agencies comply with the letter of the law without doing anything to improve actual security. Even so, many agencies routinely receive failing grades in the annual FISMA report cards handed out by Congress, and government as a whole has not risen above D. Brody said he received four Fs and one C during his term in government.
Paller offered two broad fixes for the security challenge facing government. The first is to stop blaming the user for problems, and require that vendors ship well designed products that are securely configured by default. He also called for using “attack-based” metrics in measuring security compliance. These metrics include:
How quickly penetrations of the system are identified
The length of time it takes to deploy needed security patches
The number of accounts remaining active after employees or consultants have left an agency
Whether programming teams are including errors in code
How quickly malicious code can be found on a system.
Brody defined five things a CIO must know about his systems to ensure security:
The boundaries and topologies of the interconnected enterprise
The devices that are connected to the enterprise and the channels they use to connect to it
The configuration of these devices
Who is accessing these devices and whether that access is authorized
What these users are doing on the system.
“You can measure good security, but it’s not being measured today,” Brody said.
Brody and Paller were hopeful that changes in FISMA could be made in the new Congress.
Direct management control does not necessarily imply that there is no intervening management.
NIST SP 800-100 sec. 8.4.1
The tables also identify the security impact levels for confidentiality, integrity, and availability for each of the information types expressed as low, moderate, or high. The security impact levels are based on the potential impact definitions for each of the security objectives (i.e., confidentiality, integrity, and availability) discussed in NIST SP 800-60 and FIPS Pub 199.
High Water Mark
An agency has the flexibility to tailor the security control baseline in accordance with the terms and conditions set forth in the standard. Tailoring activities include (1) the application of scoping guidance, (2) the specification of compensating controls, and (3) the specification of agency-defined parameters in the security controls, where allowed. The system security plan should document all tailoring activities.
NIST SP 800-100 sec. 8.4.2
System security plans should clearly identify which security controls used scoping guidance and include a description of the type of considerations that were made.
NIST SP 800-100 sec. 8.4.3
The application of scoping guidance must be reviewed and approved by the authorizing official for the information system.
NIST SP 800-100 sec. 8.4.3
Once the information system security plan is accredited, it is important to periodically assess the plan; review any change in system status, functionality, design, etc.; and ensure that the plan continues to reflect the correct information about the system. This documentation and its accuracy are imperative for system recertification and reaccreditation activity. All plans should be reviewed and updated, if appropriate, at least annually. Some items to include in the review are:
Change in information system owner;
Change in information security representative;
Major change in system architecture;
Change in system status;
Additions/deletions of system interconnections;
Change in system scope; and
Change in authorizing official.
NIST SP 800-100 Sec. 8.7
Procedures should be in SOP or Rules of Behavior (external document)
It should be a summary
The plan should be brief and useable
Consider hyperlinks to external documents