Common security controls for common hardware, software, and firmware all have development, implementation, and assessment controls that can be assigned to responsible agency officials or organizational elements. The results from the assessment can be used to support the security certification and accreditation process of agency information systems where those controls have been applied. I thought it was interesting how these properties are used for hardware, software, firmware.
Hey Asha! In my experience, having common security controls for homogeneous information resources also allows organizations to achieve standardization and ease the process of control implementation. For instance, all operating systems may be a certain version to be allowed to be in use. That way most of the vulnerabilities in the older versions are already addressed and the security team doesn’t need to spend efforts on designing and implementing compensating controls for the legacy operating systems.
Hey Nishant,
Thanks for explaining this further. I agree with you that a common standardization does increase ease amongst an organization. I think this is a great concept that can be used in many different situations!
Planning for system security aims to better secure the resources of information systems. All federal systems are sensitive to some extent, and as part of sound management practice, they must be protected. A system security plan must include a description of how a system will be protected. A top management official must give permission for a system to process information or function in order for the plans to accurately reflect the protection of the resources. This approval offers an essential quality control. The manager recognizes the risk involved in processing in a system by giving the go-ahead. An evaluation of management, operational, and technical controls should serve as the foundation for management permission. The assessment report, the plans of action and milestones (POA&Ms), and the system security strategy should serve as the foundation for the authorization because they both establish and document the security controls. Future authorizations should also benefit from a regular evaluation of controls. Prior to a material change in the procedure, but at least every three years, reauthorization is required.
System security planning is an important part of the system development life cycle. An information system owner is responsible for the overall development of the security plan with inputs from the information owner, system administrator and information security officer. Each information system is categorized using the FIPS-199 standard and the systems are logically grouped into major applications or general support systems. Baseline security controls are selected from NIST SP 800-53 and applied to information systems on the basis of their security categorization level.
Security plans should document which controls are selected and justifications for using compensating controls. The final plan must be approved by senior management and the date of approval is recorded. System plans need to be reviewed at least annually or every time there is a change to the functionality, architecture, interconnection, authorizing official, information system owner, etc.
Hey Nishant! Your point is spot on! SSP is definitely an integral part of SDLC. Typically, the CIO is in charge of creating and managing an information security program for the entire organization. In addition, program managers, system owners, security staff, and anybody else with access to the system must be aware of the procedure for system security planning.
Security planning should remain a continuous lifecycle process. With time the business changes and the security aspects change. It is important to periodically assess the security plan. It is recommended that the plan is reviewed in case of any change in system status, functionality or design, and at least yearly otherwise. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. Moreover, the security plan must be authorized by the senior management.
Hello Mittal,
You raised a good point there about periodic reviews of the security plan. Considering that we are now living in a data-driven world where technology is continuously evolving, it is important to reassess your security plan to make sure it is still serving its purpose or whether changes must be made.
A key point from your review is that it is important for companies to periodically assess the security plan, so that if there are changes in functionality or status within the year, the plan can be updated.
To develop a system security plan, the information system and the data within it must first be classified using a FIPS 199 impact analysis. Then, the systems can be grouped into Ground Support Systems (GSSs) or Major Applications (MAs) based on this classification. The FIPS 199 impact level must be taken into account when determining the boundaries of the system and selecting the initial set of security controls. These controls can then be modified based on risk assessment, organization-specific security requirements, threat information, cost-benefit analysis, the availability of compensating controls, or other special considerations. Common security controls, which are controls that apply at the agency level and not specific to a system, must be identified before preparing the system security plan and included by reference. The process of assigning information resources to a specific information system defines the security boundary for that system. Agencies have flexibility in determining what constitutes an information system. If a set of resources is identified as an information system, they should generally be under the same direct management control. Direct management control does not mean there is no intermediary management. An information system can also contain multiple subsystems, which are major components of the information system that perform specific functions.
System security plan approval
Organizational policies should specify who is in charge of approving system security plans and the processes created for plan submission, as well as any unique memorandum language or other documents that may be required by the agency. The strategy is normally approved by the authorizing official, who is separate from the system owner, before the security certification and accreditation procedure.
I agree with you, Frank. The authorizing official, as you mentioned, is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations or agency assets. The authorizing official has the following responsibilities related to system security plans:
• Approves system security plans.
• Authorizes operation of an information system.
• Issues an interim authorization to operate the information system under specific terms and conditions.
• Denies authorization to operate the information system (or, if the system is already operational, halts operations) if unacceptable security risks exist.
Hi Frank,
I concur that the company needs to put in place clear policies and procedures for approving system security plans. Before moving on to the certification and accreditation procedure, the security plan must be properly evaluated and authorized by a designated approving official who is distinct from the system owner. It is easier to make sure that the security strategy complies with all relevant agency standards when there are clear requirements, such as memorandum wording or extra documentation.
I thought Table 2-1 Ongoing Monitoring Activities was a useful tool to see the types of activities laid out in a visual. I’m familiar with most, as they are incorporated into ITGCs; however, seeing the applicable supporting processes and information helped me gain more of an understanding of each of the monitoring activities. In my own experience, several of the activities fall within the change management process.
Hi Jill,
Ongoing monitoring activities are an essential part of an effective system security program. By regularly collecting and analyzing data about the security state of the target, ongoing monitoring can help identify potential security threats and provide early warning of any changes that may indicate a security incident.
Chapter 8 Security Planning of NIST 800-100 educates us about the purpose of the system security plan, which is very critical to every organization. It provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. As indicated by NIST, all information systems must be covered by a system security plan and labeled as a major application (MA) or general support system (GSS). System security plans are documents that require periodic review, modification, and plans of action and milestones (POA&M) for implementing security controls. It is critical to the organization because it points out who is responsible for doing what and when, which then puts the organization in a perfect position for accountability purposes.
Hi Shepherd,
Great point and I also agree that having a system security plan is crucial for any organization as it outlines the security needs of the system and the controls implemented or in development to meet those needs. All information systems must have a system security plan, as it assigns accountability through clear definition of roles and timelines. The system security plan is a dynamic document, requiring regular review, modification, and a plan of action and milestones to maintain its effectiveness.
NIST 800-100 is a system security plan guideline. It is used in the security certification and accreditation process by providing an overview of the system’s security requirements and safeguards.
The SSP defines security controls in accordance with NIST 800-53, FIPS 199, and FIPS 200. It defines the roles and responsibilities of the individuals involved:
– The chief information officer (CIO)
– Information System Owner
– Information System Security Officer
– Senior Agency Information Security Officer
The plan is reviewed and updated on a regular basis, as are the plans of action and milestones (POA&M) for implementing security controls.
It is important that the program managers, system owners and security personnel understand the planning process. These documents are there to keep a plan in place if something were to go wrong, and they should be updated and reviewed from time to time. There should be a clear idea of who is going to be in charge of executing these plans. There should also be areas where we can determine how bad the impact is, whether low, medium or high.
Yes, all project staff should know who is responsible for which part. It is important to separate responsibilities between different positions. When each job responsibility is clearly defined, it’s easier to focus on what they should do.
The system security plan is a document that outlines the security measures and controls in place to protect a system from unauthorized access, use, disclosure, disruption, modification, or destruction. It also outlines the roles and responsibilities of individuals who have access to the system, including their expected behavior and compliance with security policies and procedures. This may include designating a security administrator who is responsible for implementing and maintaining the security controls and procedures outlined in the plan and ensuring that all users comply with the system’s security policies and procedures. Users of the system are also responsible for protecting the system and its information, such as not sharing passwords and reporting any suspicious activity or security breaches.
Hi Mengqi,
I agree with you that users of the system are also responsible for protecting the system and its information. That is why the rules of behavior were implemented: they state the consequences of inconsistent behavior or noncompliance and must be made available to every user prior to receiving authorization for system access. This will help enforce accountability and responsibility.
Chapter 8 of the NIST 800-100 Information Security Handbook emphasizes the importance of security planning for protecting information and information systems. For system boundary analysis and security control selection, the information system and the information residing in the system must be classified according to a FIPS 199 impact analysis before a system security plan can be developed. In the system security plan, the responsibilities and expected behaviors of the different roles are described. For example, the CIO is the agency officer responsible for developing and maintaining an agency-wide information security plan and has a number of responsibilities for system security planning. Project managers, system owners, security personnel, and anyone else with access to the system need to be aware of the system security planning process.
Wei! Thanks for sharing. I like the example discussing the role of the CIO. During security categorizations, the CIO has critical roles in identifying information types as well as assigning system security categories.
The system security plan’s goal is to give a summary of the security requirements for the system and explain the measures that are already in place or are planned to meet those criteria. Additionally, the system security plan outlines roles.
Security Planning roles and responsibilities:
– Chief information officer
– Information system owner
– Information owner
– Senior agency information security officer
– Information system security officer
Security Control Selection:
The process of selecting appropriate security controls and assurance requirements for a federal agency’s information systems involves several steps to achieve adequate security, as outlined by FIPS 199 and NIST SP 800-53. The first step is security categorization, which involves risk management. After categorization, the agency must choose a set of security controls from one of the three baselines in NIST SP 800-53 that align with the impact level of the information systems as determined in the categorization process. The selected controls must meet the minimum security requirements set forth in FIPS 200.
Systems are categorized as low-impact, moderate-impact, or high-impact.
A key takeaway from the reading was that there are three categories of information systems. These three categories are Major Applications, General Support Systems, and Minor Applications. Both Major Applications and General Support Systems require a specific system security plan (SSP). However, per the reading, “Specific system security plans for minor applications are not required because the security controls for those applications are typically provided by the GSS or MA in which they operate.” The reading goes on to state that if a minor application is not connected to an MA or GSS, “the minor application should be briefly described in a GSS plan that either has a common physical location or is supported by the same organization.”
One key takeaway from Chapter 8 of the NIST 800-100 Information Security Handbook is that the objective of system security planning is to improve the protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. There are certain rules of behavior that state the consequences of inconsistent behavior or noncompliance, and they must be made available to every user prior to receiving authorization for system access. This will help enforce accountability and responsibility.
The Information System Security Officer (ISSO) is the agency official assigned responsibility by the senior agency information security officer (SAISO), authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program. Responsibilities of the ISSO include but are not limited to:
a) Assisting the SAISO in identifying, implementing, and assessing the common security controls.
b) Actively supporting the development and maintenance of the system security plan, including coordinating system changes with the information system owner and assessing the security impact of those changes.
NIST 800-100 Ch 8 dives into the planning needed for creating a security system. An overarching, living security plan is often something that gets overlooked or underutilized in an active security program. It is needed to get things started, but is often put on the back burner once the program is running. This is a potential failure mode. A well-oiled program will have a strong plan that is used to encompass all parts of the security apparatus and keep it working together to ensure efficient and effective security with defense in depth and a broad view. When the security plan is no longer followed, it is easy for sections of security to be overlooked and for holes to appear in defense in depth, or for wide and varied security tools and controls to become narrowed and hyper-focused on the “most critical” or the latest and greatest.
Hi Shepherd,
I agree with you. Security Planning in NIST 800-100 sets the rules of behavior for non-compliance, which helps enforce accountability.