I found it interesting and important that FedRAMP chose to differentiate between Security Awareness Training and Role-Based Security Training. Within an organization, leaders need to tailor training to each group. Some groups, such as IT, will need more comprehensive security awareness training, while other groups, such as more administrative roles, will not need as much training, or will need different training. The distinction is important, because a blanket cybersecurity policy that only provides the same training across the board has a high likelihood of failing.
The FedRAMP System Security Plan (SSP) High Baseline Template provides cloud service providers with a comprehensive template that gives the provider a complete understanding of everything from its inventory and attack surface to its controls and mitigations. This template is very detailed and complete and covers all aspects of a cloud provider. It even takes SaaS and PaaS providers, which inherit risks from the infrastructure provider, into consideration.
Hi Jim – I certainly agree with your description of the document as “comprehensive”. It covers a huge number of topics and seems to be designed to aggregate as much relevant information as possible.
FedRAMP provides an in-depth template for an information system security plan (SSP) which includes: FIPS 199 information system categorization; documentation of controls (IAM, segregation of duties); assessment of information security controls, that is, whether controls are correctly implemented and functioning as intended; and ongoing monitoring of controls, for example, user education, awareness, and training.
One key takeaway I had from this reading is that the SSP is a very detailed document and would require a substantial amount of effort to compile and document. After reading 800-18r1, I knew it would be detailed and probably lengthy, but it stood out to me just how much information is included in the Plan. As an auditor, having a document like this would be invaluable to understand the unique aspects of a system, the risks presented, the controls in place, and the status of the system and controls.
The FedRAMP System Security Plan template was actually much longer and more in-depth than I was expecting — even for a government document. One important, possibly overlooked aspect I noticed was the document revision history section. Because system security plans are living documents that need to be continuously reviewed, this section is vital. In my internship, I often review policies and security management plans that lack any sort of review tracking, which makes it hard to determine if it is still effective and accurate for the organization. On the other hand, I didn’t notice anywhere in the template where an organization could define how often the reviews need to take place or track reviews that didn’t result in changes and a new version of the document.
Jonathan, thank you for your input. I took note of the revision history section as well. This is a perfect example of how well this template is developed and the level of detail this template provides. It even takes future modifications into consideration. To your second point, I believe it is an organizational policy decision as to the intervals at which the review needs to happen. Throughout my career, I have seen that at least a yearly review of such documentation, to ensure accuracy, adequacy, and relevancy, is the most common interval.
While reading NIST SP 800-18r1, my impression was that a security plan contained a lot of detailed information, and after viewing the FedRAMP System Security Plan High Baseline Template, that was confirmed. Using a detailed security plan template such as this one would help make sure all areas of security for an information system are covered and properly documented. Having such a detailed plan would allow all employees to be on the same page and know what to do in the event of an emergency.
The FedRAMP Template is a highly detailed document for cloud service providers, which provides notes and outlines to guide organizations in writing a System Security Plan. FedRAMP provides SSP templates for systems that qualify as “Low,” “Moderate” and “High” sensitivity levels based on NIST FIPS 199. FIPS 199 classifies systems based on the types of information that may be stored within the information system. In general, systems that store very sensitive information such as personally identifiable information (PII) will be classified as High sensitivity level systems.
Great takeaway Wei! Information system categorization is a crucial component of an SSP; this impact rating determines the controls selected and implemented and is arguably the most crucial component, as it lays the foundation for the SSP to be built upon.
Reviewing this template helped solidify my understanding of the prior readings. I did not have a true appreciation of just how detailed the System Security Plan is until reviewing this template. While I found the entire document useful, the detailed information under each control was very helpful, including the requirement to name the responsible party for each control. This template provides a robust basis to help an individual discern the minimum security and control considerations.
I had a very similar takeaway from this template, Christa. I did not expect the template to be as detailed as it is. I also found the information under each control helpful; it added context to a topic that can be confusing.
This document is illustrative of the fact that information security risk management is not the responsibility of only IT professionals within an organization. Virtually all business units either play a part in the composition of a system security plan, must follow that plan, or both. In Section 9 of the template, the information security team would need to interface directly with the business units that rely on an information system to obtain an accurate description of the system, the information contained therein, and the system users. Also, Section 12 would require the legal team(s) within an enterprise to evaluate the information system(s) and determine the laws and regulations it would be exposed to.
Mitch, thank you for your input. As you pointed out, in today’s security landscape, with all the different attack surfaces an organization faces, in addition to the cloud migration, it’s getting harder and harder for IT/infosec alone to secure all aspects of the organization. I think this is the major driving force for organizations big and small to shift at least some of the focus to education and training. Implementing tools and methodologies such as Microsoft’s modern authentication, 2FA, and Zero Trust has definitely increased the level of security and relieved IT/infosec of some of the workload, but as you pointed out, it is up to all business units and every member of the organization to do their part.
The FedRAMP System Security Plan (SSP) High Baseline Template is a package of different types of information system templates, including information system type, general system description, system architecture, data flow, system interconnection, laws and regulations, scope of authorization, and all security controls and their implementation. It provides users with very detailed requirements for keeping track of the controls. In the control summary information form, the user can choose the implementation status and control origination. It also has a template for what the solution is and how it is implemented. I am quite surprised at how detailed the minimum security controls part is.
Hi To-Yin, this is a good summary. The System Security Plan is the main document in which the Cloud Service Provider (CSP) describes all the security controls in use on the information system and their implementation. Also, this document is intended to be used by service providers who are applying for a Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) or an Agency Authorization to Operate (ATO) through the Federal Risk and Authorization Management Program (FedRAMP).
This FedRAMP template, called the System Security Plan (SSP), is to be used by service providers who are applying for a Joint Authorization Board, a Provisional Authorization to Operate, or an Agency Authorization to Operate through the Federal Risk and Authorization Management Program, also known as FedRAMP. The key point of the System Security Plan, or SSP, is to provide a detailed outline of security controls, system components, and services inventory and a description of the system’s data flows within the organization. The SSP also provides a list of minimum security control requirements categorized as low, moderate, or high as per FIPS 199.
Hi Elias, I appreciate your point acknowledging the audience of this document. I think it is important to remember that the system security plan template was curated with a specific purpose in mind: to direct specific federal boards and agencies. This provides us insight into the systems the plan aims to protect, which tells us why the plan was created with such specificity. I believe understanding any security system plan requires an understanding of the systems being protected.
The FedRAMP SSP High Baseline Template provides fully detailed requirements for the FedRAMP High baseline security controls for cloud systems. It also provides the framework to capture the system environment, system responsibilities, and the current status of the High baseline controls required for the system.
The FedRAMP SSP Template is a very lengthy, detailed, and comprehensive document that helps an organization’s information security system to process, transmit, or store. Through this template, the provider can have a 360-degree understanding of the security requirements and controls in place/planned. The template splits the information system into 3 important categorizations: confidentiality, integrity, and availability sensitivity levels. This template will give employees a clear explanation of how all areas of an information system should be documented (point of contact, system owner, security objectives, system description, risk level, etc.).
Quynh, I agree, and I really like your points and the way that this was presented. The 360-degree understanding was a valuable point in the reading.
The key point that stood out for me was the detailed template that is provided to government agencies to assist in building a defined security plan. The FedRAMP template takes the FISMA requirements and guidance and provides a resource for those needing to build out a plan. With this, federal agencies do not have to start from scratch; they can be assured the plan has everything they need, and they are able to customize it to fit their needs. With this, agencies can be sure there is a well-defined plan in place.
Hi Ashleigh! I agree with your point that the template is detailed and is intended for the use of governmental agencies or organizations working with the US government. However, the FedRAMP template may also be used by other entities such as businesses or not-for-profit organizations as guidance for risk management and information security. I am not sure when this template was last revised, but I am curious to know if a newer one exists for commercial businesses or not-for-profit organizations.
I think the detailed plan template could be followed successfully by almost any organization. The template is also comprehensive and incorporates other requirements and concepts such as FIPS 199 and FISMA. After an organization implements a plan with this template, they would have a solid foundation in place.
One key takeaway from the document is the level of specificity outlined. For example, the document outlined a specific methodology for keeping track of system interconnections; ports, protocols, and services; and personnel roles and privileges. I found this lack of flexibility in terms of documentation to be surprising, as my background in IT has been founded in agile processes and continuous development, which often involve a great deal of flexibility. A key area in which I enjoyed the high level of detail was the minimum security controls. In a world in which the number of security threats feels infinite, I found the list of minimum security controls, along with their sensitivity levels, to be extremely valuable for IT professionals. The table listed is a great reference for those seeking to create or improve system security plans.