
Security Architecture

MIS 5214 - Section 001 ■ Spring 2023 ■ David Lanter

“FedRAMP System Security Plan (SSP) High Baseline Template”

January 18, 2023 by David Lanter 24 Comments

Post your thoughtful analysis about one key point you took from this assigned reading.

Filed Under: 02 - System Security Plan

Comments

  1. Chinenye Marylyn Akinola says

    January 19, 2023 at 11:37 pm

    The document provides a comprehensive template for entering all information regarding an organization’s information security plan. The user enters the source of the control so that it is apparent who is responsible for implementing, managing, and monitoring the control. A section on laws and regulations is included with this plan. This guarantees that all controls adhere to pertinent local and national legislation. Access control, which ensures that unauthorized users cannot access the controls, is another component of the plan. In summary, the plan framework offers each type of control needed for high-value systems, and this data must be updated at least yearly or whenever a significant modification to the system takes place.
    • Nishant Shah says

      January 22, 2023 at 11:28 pm

      Hi Marylyn! You’re absolutely right about the template being comprehensive. I felt the same. It is very well designed to capture various aspects of information security and includes laws, regulations, privacy implications and an opportunity to document other procedures such as incident response and contingency plans. I think the template could be a great aid in selecting a service provider. At the same time, I think it can be modified for internal use and that will be a great reference for periodic risk assessments.
  2. Sunam Rijal says

    January 20, 2023 at 1:10 pm

    This template basically describes the SSP provided by a Cloud Service Provider. This document outlines the security responsibilities of both vendor and client. The document consists of a lot of information, including the categorization of the information system, the information system owner, authorizing parties, the system environment, minimum security controls, and many more. Analyzing this template, the cloud service provider is not solely responsible for the security of the system, as it is split amongst the provider and the cloud user. This document clearly mentions who will be responsible for what task/operation.
  3. Aayush Mittal says

    January 20, 2023 at 5:01 pm

    The template provides the detailed standards and security requirements for information systems. The security controls outlined in FedRAMP are based on NIST Special Publication 800-53. This is the baseline which is expected to be in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed, or stored in the system. This template is intended to be used by service providers who are applying for a Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) or an Agency Authorization to Operate (ATO) through the Federal Risk and Authorization Management Program (FedRAMP). The template helps in categorizing the information and describes various information security controls along with the responsibility to implement, manage, and monitor each control.
  4. Pranavi Yadalam Sekhar says

    January 20, 2023 at 8:27 pm

    The FedRAMP System Security Plan is a comprehensive and detailed template that assists organizations in creating a robust security plan for their clients. It covers a wide range of areas and includes important information such as the system owner’s information types, general system description, system environment and inventory. Additionally, it includes relevant laws, regulations, standards and guidance that must be adhered to. The template also includes minimum security controls, such as adaptable access control, awareness and training, and audit and accountability. These controls are essential for ensuring the security and integrity of the system. This document is a valuable reference for addressing potential security issues that may arise in the future. It is designed to provide a clear direction and guidance for organizations to ensure the security of their information systems. Overall, the FedRAMP System Security Plan is an essential tool for organizations to implement and maintain a secure information system.
    • Chinenye Marylyn Akinola says

      January 23, 2023 at 2:02 am

      Good point, Pranavi! Additionally, it names the system owner and additional system subject matter experts (SMEs), technical details on the services, ports, and other components the system employs for its intended purposes, as well as details on the controls for the various security domains.
  5. Wei Zhang says

    January 21, 2023 at 10:21 am

    The FedRAMP System Security Program (SSP) is a government-wide approach to the security assessment, authorization, and monitoring of cloud service providers (CSPs). This article provides a very detailed template for entering all the information about an organization’s information security plan and the roles and responsibilities of the relevant security personnel. It also covers the most basic security controls an organization needs, such as access control, awareness and training, auditing and accountability, etc. It protects the confidentiality, integrity, and availability of an organization’s information and data based on legal requirements such as FIPS 199. A complete SSP helps those who want to investigate an organization’s network security situation to have a clear understanding of the organization’s security requirements and the controls in place to meet those requirements.
  6. Shepherd Shenjere says

    January 21, 2023 at 4:16 pm

    This is a well-thought-out FedRAMP System Security Plan High Baseline Template. I view this as a very important template, because it is comprehensive and Cloud Service Providers (CSPs) are able to describe all the security controls in use on the information system and their implementation. Also, it is highly credible since they referenced IT industry frameworks on how to perform certain processes. Some frameworks referenced are NIST and FIPS 199. Furthermore, for every field attribute that requires data to be entered, there is a brief description and definition of that field and what it entails, which gives CSPs a better understanding.
  7. Nishant Shah says

    January 21, 2023 at 8:11 pm

    What I inferred from the SSP template is that it captures details about the system that a cloud service provider is offering, the roles and permissions of the CSP’s internal users, categories of the data on the systems and their sensitivity levels, ports, protocols and services used in the system, interfaces with other systems, the information system owner, cloud service model, etc. A service consumer can evaluate the service provider’s information security solution design by referring to a filled-out SSP template.

    FIPS 199 is used for categorizing the information type, and based on the overall category, baseline controls are applied from the NIST SP 800-53 control catalog. There is also a provision to document any legal or regulatory control requirements.

    For each of the baseline controls, the template provides a way of documenting the status of implementation, responsible parties, and how the control is implemented. Lastly, the template allows the service provider to also provide details about their contingency plans, configuration management, and incident response procedures.
    • Wei Zhang says

      January 23, 2023 at 11:03 pm

      Hi Nishant,
      You are right! This template demonstrates how to use FIPS and NIST guidelines to assess vendor security and allows government agencies to assess the risk profile of systems. It also provides enough detail about how each control is implemented to allow a third-party assessment organization to develop test methods for the control.
  8. Frank Kofi Kpotivi says

    January 22, 2023 at 3:43 pm

    This FedRAMP System Security Plan High Baseline Template was thoughtfully prepared. Because it is comprehensive and Cloud Service Providers (CSPs) can define all the security controls now in use on the information system and how they are implemented, I consider this to be a very essential template. This paper will make it obvious who is in charge of each task and activity.
    • Sunam Rijal says

      January 23, 2023 at 9:46 am

      Hi Frank,
      Yes, I agree with you. This baseline document also lists the accountable person for each task and activity, as the CSP is not solely responsible for complete system security. The document also includes other information like point of contact, controls, operational status, and many more.
    • Shepherd Shenjere says

      January 24, 2023 at 7:38 pm

      Hi Frank,

      You raised a good point, Frank. Being able to identify who is responsible for doing what is always good for accountability purposes.
  9. Jill Brummer says

    January 22, 2023 at 5:46 pm

    The FedRAMP System Security Plan High Baseline Template is a template that guides the user through which fields need to be completed, based on the answers to previous questions and different scenarios, to create an adaptable system security plan. The plan includes responsibilities for the areas included in the plan, point-of-contact people, operational status, minimum controls, and several other areas needed for a system security plan.
    • Asha Kunchakarra says

      January 23, 2023 at 2:10 pm

      Hi Jill,

      I like how you mentioned some of the areas that are in the template. Is there a specific section that you think is more important than others?
  10. Samuel Omotosho says

    January 22, 2023 at 6:26 pm

    The FedRAMP SSP (System Security Plan) High Baseline Template is a collection of various types of information system templates, such as information system type, general system description, system architecture, data flow, system interconnection, laws and regulations, and authorization scope, as well as all security controls and their implementation. It gives users very detailed requirements for keeping track of each control. The user can select the implementation status and control origination in the control summary information form. It also includes a template for what the solution is and how it is implemented. I’m surprised at how detailed the minimum security controls section is.
  11. Nicholas Foster says

    January 22, 2023 at 8:13 pm

    One of the sections in the Template I found very helpful that was also mentioned throughout the reading was section 12. Laws, Regulations, Standards and Guidance. In the template it proceeded to provide fields where you could annotate what applicable laws/regulations applied to each information system. Directly below that was applicable standards/guidance for each information system. When working in critical infrastructure such as healthcare. Knowing what information systems are susceptible to correlating laws/regulations/standards/guidance is essential to governance, risk management and compliance.
  12. Asha Kunchakarra says

    January 22, 2023 at 8:50 pm

    An interesting section of this is the cloud services section. I think it is important to determine information about what cloud services and provider they are using to understand the security controls that need to be implemented. The cloud can be extremely variable, so this section will definitely help in mitigating risks.
  13. Mengqi Xiong says

    January 22, 2023 at 9:53 pm

    The FedRAMP SSP High Baseline Template helps me understand what baseline security controls the CSP has implemented. Security categories for information systems are established based on standards set by NIST SP 800-53, i.e., confidentiality, integrity, and availability, to assess the potential impact on the organization if its information and information systems are compromised. The High Baseline Template provides detailed standards and security requirements for information systems.

    Based on NIST guidelines, FedRAMP is authorized at three impact levels: low, medium, and high.

    Key steps for FedRAMP Security Assessment and Authorization:
    • Security Assessment: The security assessment process is based on FISMA standardized requirements, such as the use of NIST 800-53 controls to grant security authorizations.
    • System Interconnections: Information systems are authorized to connect to other information systems through the use of interconnection security protocols, and the interconnection security protocols are reviewed and updated.
    • Continuous Monitoring, Testing, and Security Authorization: After authorization, ongoing evaluation and authorization activities must be completed to maintain security authorization.

    The FedRAMP SSP High Baseline Template clearly describes how much work needs to be done at each step of the program and the allocation of human resources.
  14. Abayomi Aiyedebinu says

    January 22, 2023 at 11:06 pm

    The FedRAMP System Security Plan High Baseline Template provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services used by federal entities that store, process, and transmit federal information.
    A key point I noted is that FedRAMP increases confidence in the security of cloud solutions through continuous monitoring and consistent use of best information security practices and procedures. This streamlined, regulated approach helps mitigate the risk of cyberattacks.
    • Nicholas Foster says

      January 23, 2023 at 10:07 pm

      Hi Abayomi,

      Well said; an SSP can help increase confidence. If completed accurately, it can provide a deep dive into the many facets not previously discovered/considered without taking the time to complete the SSP. You mention helping to mitigate the risk of cyberattacks. What attacks do you think SSPs help pinpoint specifically?
    • Mengqi Xiong says

      January 23, 2023 at 10:09 pm

      Hi Abayomi,

      I agree with you. FedRAMP has a three-level security assessment, each one with a defined set of security controls (Low, Moderate, and High). Cloud service providers using the FedRAMP System Security Plan (SSP) High Baseline Template can demonstrate that their products and services meet the same standards used by the federal government, which helps reduce the risk of cyberattacks by securing cloud services and complying with relevant regulations.
  15. Shadrack Owusu says

    February 3, 2023 at 3:41 pm

    Intermittently, there needs to be a periodic assessment of the security plan. The review must encompass relevant and correct information about the system. Some of the items to review are:
    • Change in information system owner
    • Change in system status
    • Additions/deletions of system interconnections
    • Change in information security representative
    • Change in system architecture
    • Change in certification and accreditation status
    • Change in the system scope
    • Change in authorizing official
  16. Shadrack Owusu says

    February 3, 2023 at 3:43 pm

    A control configured by the customer is a situation where the customer needs to apply a configuration in order to meet the control requirement. Examples provided from the reading are entering an IP range specific to their organization that is configurable by the customer, user profiles, policy/audit configurations, and enabling/disabling key switches (e.g., enable/disable http* or https, etc.).