August 02, 2019

How to build your System Security Plan

Gregory Morawietz

Founder/Single Point of Contact

In order to be compliant with NIST 800 and several other requirements, like DFARS, you are going to be asked for your System Security Plan (SSP). The long and short of it is that you are going to need to identify all the systems that have access to the CUI and then fill out the System Security Plan for those systems. NIST provides a template for this document on its website. All the questions in the SSP form relate back to your controls, so you will need to have completed all your NIST controls in order to answer the questions on the plan template.

You want to start by identifying what the system is and who has responsibility for it. You will then need the name of the system and a unique identifier for it, so that you can differentiate it from the other systems in your organization. You will want to identify the government point of contact in your organization who is responsible for accepting or receiving the CUI. You need to know who owns the server or system in your organization, and you will need to identify the security officer for your corporation or the entity that is responsible for security for your organization.

You need to be able to fully describe what the system does and what its purpose is. You need to know how many end users have access to the system and how many of them are privileged and have access to the CUI. Be able to describe what type and kind of CUI you are storing, processing or transmitting. There is a category list at https://www.archives.gov/cui/registry/category-list that you can use to identify the type and category that the CUI fits in.

Part of your control system is an accurate and updated network map and topology that clearly shows key devices and how they all interconnect. Any other infrastructure pieces that touch the system, like Active Directory, firewalls and switches, need to be called out in your topology map.
You need to provide an inventory of all the equipment that makes up the system. In the future, when you do your POA&M, you will need to call out all of the patches, security updates, upgrades and maintenance you perform on these machines, so capture this inventory data now and keep it separate for the other activities you will need to do later. You will also want a complete list of the software installed on your system. Who performs maintenance on your systems, and when, must be called out as well. Then you will need to describe all of the NIST controls relevant to your system and state whether each one has been implemented, is planned, or is not applicable.
