Federal information systems contain highly sensitive data, and it is critical to protect this data for the safety of the country and the people. System security planning and documenting is necessary to improve the protection of information system resources. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The Federal Information Security Management Act (FISMA) requires all federal agencies to develop, document, and implement an information security program to provide information security for the information and information systems that support the operations of the agency. All of the agencies are mandated to follow FIPS 200, which states the minimum security requirements proposed for federal information systems. FIPS 199 and SP 800-53 are also the key security controls and minimum security requirements for federal information systems that should be implemented. The final part of the document provided greater detail on the plan development process that can be used as a guide while drafting the system security plan.
According to FIPS 199 system categorization, there are three levels of impact:
Low – The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations.
Medium – The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations.
High – The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations.
The purpose of this document is to provide a standard for categorizing federal information and information systems according to an agency’s level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.
A primary point I took away from NIST 800-18, the Guide for Developing Security Plans, is that three important dimensions are required for a valid security plan for federal agencies. The first dimension is that the roles and responsibilities around information systems security planning are formalized, along with the behaviors that each role is expected to fill in the development of security plans. The second dimension is the analysis of the system and the security controls, placing emphasis on the system boundary or scope of the system. This was particularly interesting to me because most organizations have integrations built between information systems, with many different people assigned to work with various system modules and data. The scope of the security plan is important to determining the impact that an information system has within an agency. When determining how to control the information system, first defining the boundaries of the system is important. The Guide provides specific guidance on scoping, including technical considerations like whether the security capability exists within the system, segregation of duties between the system owner and the control management, use of public access information systems, and infrastructure that directly supports the information system. The third and final dimension was the planning steps needed to complete the security plan. The specificity of the guidance was a point that I focused on with this reading.
The second dimension seems to be where all of the important things occur: the analysis of the system and security controls. As you mentioned, a lot of this can be done with automation and integrations, which can help analyze the system and the controls. At the organization where I work, we create audit files based on CIS guidelines, which typically are aligned with NIST guidelines. Our application can take these audit files and make sure the systems are configured correctly and the security controls are put in place. The audit files are extremely important in the analysis dimension.
Hi Heather!
A very thorough post that captures the essence of the SSP. Thank you!
Hi John!
Great point! The second dimension has some very critical activities. However, I don’t necessarily think one dimension is more important than another. For example, without proper identification of roles and responsibilities, a thorough examination of information systems in the second dimension is bound to have issues. Do you agree?
The objective of system security planning is to improve protection of information system resources.
FISMA requires each federal agency to develop, document, and implement the plan.
FIPS 199 requires agencies to assess their information systems by the information’s confidentiality, integrity and availability, and to classify each information type and information system according to FIPS 199, rating each system as low, moderate or high impact.
FIPS Publication 200 is a mandatory federal standard developed by NIST in response to FISMA. In order to comply with federal standards, the organization first determines the security category of its information system according to FIPS Publication 199.
The combination of FIPS 200 ensures that applicable security requirements and security controls apply to all federal information and information systems. The organizational assessment of risk verifies the initial security control options. It determines whether additional controls are needed to protect the organization’s operations, organizational assets, individuals, other organizations, or countries. The resulting set of security controls establishes a certain level of security due diligence for the organization.
I learned from this article the definition of system security plan (SSP) and its objectives. The purpose of the system security plan is to provide an overview of the system security requirements, and describe the controls that are in place or planned to meet these requirements. At the same time, the goal is to improve the protection of information resources. It also explains how to develop a security plan and points out which NIST documents should be used as references to help organizations create their security plans. The key point I draw from this standard is the necessity and importance of documenting all safety activities, functions, responsibilities and management authorization.
The system security plan requires organizations to classify their information assets and rank the risks associated with the CIA triad. We have learned about FIPS 199 and its use in this area, but now we know that classification can go further by identifying assets as major applications or general support systems. NIST SP 800-18r1 provides good information and methods for determining these systems based on L, M, and H rankings, and gives two examples of information assets: for example, the EFT system (major application) of an organization and its local area network (general support system); a general support system can also be used as a major application in any organization’s environment. This classification proves to be another useful tool for the organization to ultimately create, implement and review its system security plan.
Anthony Wong says
The creation of a security plan begins with the categorization of the system by impact level using FIPS 199 standard. The categorization of the system will be a solid foundation to as the plan is being developed and is used in defining system boundaries. FIPS 200 is used to provide the minimum security requirements for federal information systems across various domains like access control, configuration management, incident response and more. An organization must meet the control requirements in the domains by selecting security controls identified in NIST SP 800-53. When developing a security plan, there is no need to reinvent the wheel. NIST provides standards and best practices on the format and what information needs to be included to develop a comprehensive and effective security plan.
Priyanka Ranu says
FIPS 199 and FIPS 200 are mandatory security standards as required by FISMA. FIPS 199 establishes standards for categorizing information and information systems. The security categories refer to the CIA triad of Confidentiality, Integrity, and Availability. These security categories are given a ranking which is the potential impact of Low, Moderate, and High. FIPS 200 addresses the specification of seventeen minimum security requirements for federal information and information systems. It is a standard that helps federal agencies with risk management through levels of information security based on risk levels. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
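A worked example of the three-step derivation described above (FIPS 199 security category, FIPS 200 high-water mark, SP 800-53 baseline), added here and not part of the discussion thread; the EFT information types and their ratings are constructed sample data, not from any NIST catalogue:

```python
"""FIPS 199 security categorization and FIPS 200 high-water-mark impact level.

Added example, not taken from the discussion thread or from NIST.
FIPS 199 writes a security category as
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
with impact in {LOW, MODERATE, HIGH}; an information type (not a system) may
also rate confidentiality as NA (public information). For a system, each
objective takes the highest value across all information types it handles,
and FIPS 200 takes the highest of the three objectives as the system's impact
level, which selects the SP 800-53 baseline (low, moderate or high).
"""
from dataclasses import dataclass

# Index order doubles as rank: a larger index is a larger potential impact.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")
NOT_APPLICABLE = "NA"


@dataclass(frozen=True)
class InfoType:
    """A provisional FIPS 199 rating for one kind of information."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            # NA is permitted only for the confidentiality of an information type.
            if value == NOT_APPLICABLE and objective == "confidentiality":
                continue
            if value not in IMPACT_LEVELS:
                raise ValueError(f"{self.name}: bad {objective} rating {value!r}")


def highest(levels):
    """Highest impact level in an iterable; NA ranks below LOW."""
    ranked = [lvl for lvl in levels if lvl != NOT_APPLICABLE]
    # FIPS 199 never assigns NA to a system objective: the system floor is LOW.
    return max(ranked, key=IMPACT_LEVELS.index) if ranked else "LOW"


def system_security_category(info_types):
    """FIPS 199 system category: per-objective high-water mark over its information types."""
    if not info_types:
        raise ValueError("a system categorization needs at least one information type")
    return {obj: highest(getattr(it, obj) for it in info_types) for obj in OBJECTIVES}


def system_impact_level(category):
    """FIPS 200 overall impact level: the highest of the three objective values."""
    return highest(category[obj] for obj in OBJECTIVES)


def format_category(category):
    """Render the category in the notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample data for a hypothetical electronic funds transfer (EFT) system.
SAMPLE_EFT_INFO_TYPES = [
    InfoType("public fee schedule", NOT_APPLICABLE, "LOW", "LOW"),
    InfoType("customer account records", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment instructions", "MODERATE", "HIGH", "MODERATE"),
]


def categorize_sample():
    """Return (security category, FIPS 200 impact level) for the sample system."""
    category = system_security_category(SAMPLE_EFT_INFO_TYPES)
    return category, system_impact_level(category)


if __name__ == "__main__":
    sample_category, sample_level = categorize_sample()
    print(format_category(sample_category))
    print("FIPS 200 impact level:", sample_level,
          "-> SP 800-53", sample_level.lower(), "baseline")
```

Note that a single HIGH integrity rating on one information type is enough to pull the whole system to the high baseline, which is why the scoping and boundary discussion later in the thread matters so much.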
Wenyao Ma says
Hi Priyanka,
Your view is a good summary of NIST’s SSP guidelines. I think the requirement of personnel responsibility in SSP is the most important, because it controls the improper behavior of personnel in the organization.
Mei X Wang says
FISMA (the Federal Information Security Management Act) requires that all federal agencies develop, document, and implement an agency-wide information security program. This program is used to provide information security for all information and information systems that are used for business operations and agency assets.
This information system security plan should include a summary of all the security requirements and security controls that are in place to support these requirements. The system security plan documents require periodic review, recertification, modification, and plans of action to implement their supporting controls. The organization should also have procedures in place to determine who reviews the plan, updates the plan, and follows up on the established controls. The plan must also be accredited and certified. The certification agent must ensure that the program is in line with the FIPS 199 security category: “the threat and vulnerability identification and initial risk determination are identified and documented in the system security plan, risk assessment, or equivalent document”. The security plan is based on FIPS 199, FIPS 200, and the SP 800-53 document. It must consist of a risk assessment, ongoing monitoring, point of action and milestones, and provide guidance for configuration management. It must also have a process to ensure completeness and accuracy.
Austin Mecca says
FIPS 199 is the widely used standard to categorize all information and information systems collected or maintained. This helps an organization complete the first step in the risk assessment mentioned in NIST SP 800-100. This is the integral step, as everything must be accounted for as well as it can be so that it can be accurately assessed and protected from attacks. In addition to FIPS 199, the NIST SP 800-53 and FIPS documents are used to address the required minimum security controls for a given system. These documents work together with the overall goal of touching on as many things as possible to help mitigate any potential risks that the organization would come across. Once these are leveraged, agencies will develop policies that are in place to be continually reviewed and modified and to provide plans of action, among other things, for implementing security controls.
Cami Chen says
Hi, Austin. You bring up a good point that categorizing all information and information systems collected or maintained helps the first step of the risk assessment. When we implement the risk assessment by using a matrix, we can test the inherent risk first, and we can also compare the risks which have a high or low impact. Based on the matrix, we can create the controls from high to low. The higher the impact, the more we should test and the more controls we should put in place to reduce the risk.
Krish Damany says
FISMA, or the Federal Information Security Management Act, ensures that every federal agency has an information security program in place to assist and support the operations and assets of the agency. Along with this in place, FIPS 199 is used as an information inventory categorization tool. With FIPS 199, organizations have effective management and oversight of information security programs and reporting to the Office of Management and Budget on a consistent basis. Having these programs in place ensures that common risk mitigation and avoidance strategies are in place, as well as categorizing new risks as and when they occur to help keep an up-to-date database of risks for new organizations.
Heather Ergler says
Hi Krish, I agree with your point that FISMA directs federal agencies to have risk management processes for common risk mitigation and avoidance strategies. I think that a newer challenge that FISMA is unintentionally creating is that now there is an easy, public database of risks and vulnerabilities that bad actors can farm for weaknesses in an agency’s or organization’s protections. Sometimes vulnerabilities are published and agencies need time to respond. Bad actors are taking advantage of the time that it takes to mitigate a vulnerability by using the public database to exploit weaknesses. Interesting.
Anthony Wong says
Hi Heather & Krish,
Great point about an organization needing time to respond to a vulnerability. From personal experience, I know that organizations take their time when it comes to security. And more often than not, the organization has a change process that must be gone through before the change is made. But is there any way around this? Organizations also need to be aware that the vulnerability exists in order to patch it. In the meantime, they could implement compensating controls before a permanent fix.
Anthony Messina says
According to FISMA, the Federal Information Security Management Act, all Federal information systems must adopt a sound system security plan. The Federal Information Processing Standard (FIPS) 900 defines security categories for systems based on the potential impact of a breach that could jeopardize the confidentiality, integrity, and availability of said system. Categories of Low, Moderate, and High are assigned to systems, High being an extremely critical system that would suffer massive failure should it become compromised. The Federal Information Processing Standard (FIPS) 200 provides minimum or basic security requirements for federal systems. Each federal agency must meet these basic security controls with the use of NIST Special Publication 800-53. NIST 800-53 outlines management, operational, and technical safeguards for a given information system.
Krish Damany says
Hi Anthony,
You make a sound point on the criticality of High categories of the CIA triad. With FIPS and NIST 800-53, these basic controls could be enough to help initially deal with these high risks, but they shouldn’t be the be-all and end-all, and other security strategies should be employed, such as security awareness training for employees.
Vanessa Marin says
It is critical in the development process of a Security Plan to understand all the documents that need to be considered. NIST SP 800-18r1 outlines the process of developing a security plan for federal information systems. It especially highlights the requirements put in place by FISMA, the Security of Federal Automated Information Resources, and the OMB Circular A-130, Management of Federal Information Resources. It identifies key standards that go into the development of the security planning process. FIPS 199, FIPS 200 and SP 800-53 are the key security controls and minimum security requirements for federal information systems that should be considered. Supporting documents SP 800-30 and SP 800-37 provide risk management guidelines and guidance on obtaining certification and accreditation, if needed. FISMA and SP 800-18 work together to set the minimum requirements that a Security Plan must meet.
Part 3 of the SP 800-18r1 is a guideline of the series of steps that should be followed in the Security Plan Development process. It’s a guide that gives actionable items by role within the process.
Haozhe Lin says
Hi Marin,
I agree with you. NIST 800-18r1 covers a wide range of topics – FIPS 100 and 200, FISMA, and NIST SP 800-53. What I am most interested in is the logical development of the plan. After completing all the other steps, the last key step outlines how to develop, identify and collect information coherently to form a complete plan. If the plan is not made thoroughly and accurately, all other steps before it will become meaningless.
Zhen Li says
FIPS 200 specifies the minimum security requirements for federal information and information systems. Federal agencies must meet the minimum security requirements of FIPS 200 through the use of the security controls in NIST Special Publication 800-53.
FIPS 199 provides all federal agencies a standard rule to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to impact.
Austin Mecca says
It is important to understand how those documents work together. They can be used in reference to each other, which strengthens the information and the results you come to. The ability to utilize these documents together can provide the difference between an okay security system and a very strong system. As we’ve seen through readings and studies, you can never go too in depth.
Junhan Hao says
FISMA assigns responsibilities to various agencies to ensure the data security of the federal government. The bill requires programmers and the head of each agency to perform annual reviews on the information security plan. The purpose is to control risks within an acceptable range in a low-cost, timely and effective manner. The risk management framework developed by NIST can be used as part of the organization’s risk management program, used in the system development life cycle to help ensure that appropriate security controls are applied to each information system, and that these control measures can be evaluated to determine the correctness and accuracy of their implementation, the extent to which they operate as expected, and whether they generate the expected results that meet system security requirements.
Zhen Li says
Hi Junhan, I think you gave a good explanation of NIST. One thing that I’d like to mention is that federal agencies must meet the minimum security requirements of FIPS 200 through the use of the security controls in NIST Special Publication 800-53.
Jonathan Castelli says
One of the key takeaways from this reading was related to the responsibilities of organizational leaders with regard to making sure the compliance requirements and guidelines are implemented. To me, the most important roles are those of the Chief Information Officer and the information system owner. The CIO is responsible for assigning roles to others, such as the senior agency information security officer. They have to make sure the people who need to be included in the process are included. Without the guidance of the CIO, the rest of the processes would fail.
The information system owner is “responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.” They make sure the system and its processes are running at optimal levels. They make sure the systems are configured correctly. They also make sure the system is updated and all vulnerabilities are properly mitigated. The information owner needs to follow the directives set by the CIO and make sure they are doing their part to keep risk to a minimum.
Cami Chen says
The system security plan helps organizations to identify their security measures. According to the document, system security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. FIPS 199 helps organizations with threat and vulnerability identification in the system security plan, and they can use FIPS 199 to develop remedies and update the security plan. In addition, the system security plan helps the organization to train its managers, users, and system administrators in how to use the system securely, and it shows how the organization can respond efficiently to any security incident, such as who should respond to terminate a former employee’s access. Thus, the system security plan helps organizations to reduce unnecessary steps and mitigate risks.
Prince Patel says
Federal information systems contain highly sensitive data, and it is critical to protect this data for the safety of the country and the people. System security planning and documentation are necessary to improve the protection of information system resources. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The Federal Information Security Management Act (FISMA) requires all federal agencies to develop, document and implement an information security program to protect the information and information systems that support the operations of the agency. All agencies are mandated to follow FIPS 200, which states the minimum security requirements proposed for federal information systems. FIPS 199 and SP 800-53 are also key to the minimum security requirements and security controls for federal information systems that should be implemented. The final part of the document provides greater detail on the plan development process, which can be used as a guide while drafting the system security plan.
Kyuande Johnson says
According to FIPS 199 system categorization, there are three levels of impact:
Low – The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations.
Medium – The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations.
High – The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations.
The purpose of this document is to provide a standard for categorizing federal information and information systems according to an agency’s level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.
Heather Ergler says
A primary point I took away from NIST 800-18, the Guide for Developing Security Plans, is that three important dimensions are required for a valid security plan for federal agencies. The first dimension is that the roles and responsibilities around information system security planning are formalized, along with the behaviors that each role is expected to fulfill in the development of security plans. The second dimension is the analysis of the system and the security controls, placing emphasis on the system boundary or scope of the system. This was particularly interesting to me because most organizations have integrations built between information systems, with many different people assigned to work with various system modules and data. The scope of the security plan is important in determining the impact that an information system has within an agency. When determining how to control the information system, first defining the boundaries of the system is important. The Guide provides specific guidance on scoping, including technical considerations like whether the security capability exists within the system, segregation of duties between the system owner and control management, use of public-access information systems, and infrastructure that directly supports the information system. The third and final dimension was the planning steps needed to complete the security plan. The specificity of the guidance was a point that I focused on in this reading.
Jonathan Castelli says
The second dimension seems to be where all of the important things occur: the analysis of the system and security controls. As you mentioned, a lot of this can be done with automation and integrations, which can help analyze the system and the controls. At the organization where I work, we create audit files based on CIS guidelines, which typically are aligned with NIST guidelines. Our application can take these audit files and make sure the systems are configured correctly and the security controls are in place. The audit files are extremely important in the analysis dimension.
Vanessa Marin says
Hi Heather!
A very thorough post that captures the essence of the SSP. Thank you!
Hi John!
Great point! The second dimension has some very critical activities. However, I don’t necessarily think one dimension is more important than another. For example, without proper identification of roles and responsibilities, a thorough examination of information systems in the second dimension is bound to have issues. Do you agree?
Xinyi Zheng says
The objective of system security planning is to improve the protection of information system resources.
FISMA requires each federal agency to develop, document, and implement the plan.
FIPS 199 requires agencies to assess their information systems by the information’s confidentiality, integrity and availability, and to classify each information type and information system according to FIPS 199, rating each system as low, moderate or high impact.
Zibai Yang says
FIPS Publication 200 is a mandatory federal standard developed by NIST in response to FISMA. In order to comply with the federal standard, an organization first determines the security category of its information system according to FIPS Publication 199.
FIPS 200 ensures that applicable security requirements and security controls apply to all federal information and information systems. The organizational assessment of risk validates the initial security control selection. It determines whether additional controls are needed to protect the organization’s operations, organizational assets, individuals, other organizations, or the nation. The resulting set of security controls establishes a level of security due diligence for the organization.
Wenyao Ma says
I learned from this article the definition of the system security plan (SSP) and its objectives. The purpose of the system security plan is to provide an overview of the system security requirements and describe the controls that are in place or planned to meet these requirements. At the same time, the goal is to improve the protection of information resources. It also explains how to develop a security plan and points out which NIST documents should be used as references to help organizations create their security plans. The key point I draw from this standard is the necessity and importance of documenting all security activities, functions, responsibilities and management authorizations.
Haozhe Lin says
The system security plan requires organizations to classify their information assets and rank the risks associated with the CIA triad. We have learned about FIPS 199 and its use in this area, but now we know that classification can go further by identifying assets as major applications or general support systems. NIST SP 800-18r1 provides good information and methods for determining these systems based on the L, M, and H ranking, and gives two examples of information assets: for example, an organization’s EFT system (major application) and its local area network (general support system); a general support system can also serve as a major application in an organization’s environment. This classification proves to be another useful tool for the organization to ultimately create, implement and review its system security plan.