
3.12.4 Security Assessment - Basic

Basic Requirement

>Control Description

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.[28]

>Discussion

System security plans relate security requirements to the set of security controls that satisfy them. They also describe, at a high level, how those controls meet the requirements, but do not provide detailed technical descriptions of the design or implementation of the controls. A system security plan contains sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plan, and to support subsequent determinations of risk if the plan is implemented as intended.

Security plans need not be single documents; a plan can be a collection of documents, including ones that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation burden of the security program and keeps security-related information in the established management and operational areas where it is already maintained: enterprise architecture, system development life cycle, systems engineering, and acquisition.

Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans.

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern development and implementation of system security plans?
  • What procedures define SSP content and maintenance?
  • Who is responsible for creating and updating SSPs?
  • How often are system security plans reviewed and updated?
  • What governance ensures SSPs accurately reflect security posture?

Technical Implementation:

  • What tools or templates support SSP development?
  • How do you maintain SSP version control and approval?
  • What automated data feeds populate SSP content?
  • How do you link SSPs to security control implementations?
  • What systems manage and distribute SSPs to stakeholders?

Evidence & Documentation:

  • Can you provide current system security plans?
  • What documentation shows SSP approval and review dates?
  • Can you demonstrate SSP content meets requirements?
  • What evidence shows SSPs are kept current?
  • What audit findings verify SSP compliance?
