What I found really interesting about the FEDRAMP SSP High Baseline Template is just how lengthy and detailed it is. It put in perspective just how much work goes into the planning and how much man power it takes to make a successful SSP.
I agree Jason, I noticed that one of our classmates described the document as having an overwhelming amount of information. Indeed a lot of work and man power goes into planning a successful System Security Plan. An SSP outlines the roles and responsibilities of security personnel. It details various security standards and guidelines that the organization follows. Also, it includes many diagrams that show how connected systems communicate with one another.
Reading through the FEDRAMP security baseline template felt a bit overwhelming with home much information and detail that’s included. The FEDRAMP security plan covers several of the risk management concepts that were discussed in our other readings for this week and dives into great detail around the various kinds of security controls that need to be considered during a system implementation. It’s important for organizations to adequately fill out the requirement specifications for the system being implemented to ensure the appropriate security controls, which are outlined in this document, are deployed successfully and in proper order (from most required to least required).
I also felt a bit overwhelmed and intimidated by the size of the document and just how much information and detail it had in it. But at the same time it was great to see an actual template of the work that goes into an SSP and what is to be expected
I thought the same thing while looking over the FedRAMP template. It really is astonishing how much work goes into the development of an SSP, but it’s definitely essential to make sure the system’s security is protected to the highest capability.
FedRAMP, also known as The Federal Risk and Authorization Management Program is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The high-baseline template we looked at contains several features to facilitate data entry, basically, to describe all of the organization’s security controls on the system and the implementation of said controls. A key takeaway I took from looking over this document is just how detailed and complicated the template is. The plan covers everything, from minimum security controls to contingency planning to incident response, but the depth of the template is to ensure that the confidentiality, availability, & integrity of the system is upheld as information security is vital to FedRAMP guidelines.
FedRamp consisted a bunch of templates in regards to almost any security system plan that can be thought of and how to do it. The control requirements are outlined in the document for high impact cloud systems. The mainframe for the templates guideline are the implementation status, then the control origination, responsible role and the parameter fields that can be included for this summary checklist.
The FEDRAMP System Security Plan (SSP) very clearly defines the security impact level to implement risk management control process to every organization and individual who work in the security management process. It provides a very clear structure to the organization on how to implement and maintain security in the organization, what impact will be if security control on low, moderate of high. It included a detailed process setting up the baseline requirement of security control.
It covers up security structure, details of system security boundary, and architecture to how to maintain the system security baseline standard.it mentions the security awareness & training which is important to all employees up to date for the latest security breaches or upcoming challenges responsibility and understands to protect organization system security. Which is also useful to combat upcoming threats generated in upcoming days. It is a very important document for security engineers to understand physical threats, system security threats network security threats and what to do in incident happen, how to face incidents and overcome through it with low impact on current business continuity.
The system security plan is the main document in which the cloud service provider describes all the security controls in use on the information system and their implementation. The key point of the SSP I thought was interesting to learn about what PS-7 Third party personnel security. This establishes personnel security requirements including roles and responsibilities for 3rd party providers. It requires 3rd party providers to comply with these policies and procedures. It also monitors provider compliance and in the document it shows the implementation status, control origination and how it is implemented for the control summary information.
Yangyuan Lin says
FEDRAMP SSP provides important and detailed documentation and templates in the process of establishing and maintaining security for any and all information in an organization’s information security program. It details IS classification and assignment of security responsibilities for different roles. After classifying security controls, FEDRAMP SSP also identifies issues of responsibility, including legal regulations in other relevant legal information.
The High Baseline Template System Security Plan also gives details about security assessment and authentication, contingency planning, identification, incident response, and protection related to organizational and customer information. This template is helpful if the user enters the source of the control, so it is the responsibility of the appropriate person to know exactly how to implement, manage, and monitor the control. Access control ensures that the correct permissions to a control can access it and that unauthorized users cannot access the control.
Matthew Bryan says
Yangyuan,
I think the intersection of IT/InfoSec and Legal is very important, especially when evaluating vendors. I wanted to underscore this point from your post.
Legal review is critical as they can confirm that vendor contractual language meets the organization’s security plan and compliance requirements. A legal team that understands a security plan supports IT when negotiating contracts and identifying liabilities with the implementation of systems. A well adopted security plan helps facilitate partnerships across departments since it establishes a shared understanding of risk and processes.
Matthew Bryan says
FedRAMP is a government sponsored process using a risk-based approach to adopting the use of cloud based services supporting federal information. The baseline template is a form that captures the required classifications, controls, and security plans required by government agencies.
The template demonstrates how guidelines from FIPS and NIST can be used to assess a vendor’s security posture and allow government agencies to assess the risk profile of the system. This provides an efficient way for vendors to get authorized across government agencies since they all use the same classifications and frameworks. A shared understanding of risk makes the evaluation process easier and provides better insights into a solution’s security posture.
Michael Galdo says
The FedRAMP SSP is a US government approach to the authorization, security assessment, and monitoring of cloud-service providers. These SSPs prove credibility, increase good communication, and provide a visualization of the strengths and weaknesses of the company’s security program so they know where to improve. The FedRAMP SSP High Baseline Template is used to provide the security control requirements for high impact systems. The template provides you with an outline you can use to capture the system’s environment , responsibilities, and current status of high impact controls that are required for the system.
Elizabeth Gutierrez says
Hi Michael,
I like how you broke down the benefits of developing a security assessment plan. It is important to not forget that the SSP should provide sufficient detail on how each control is being implemented in order for the third party assessment organization to develop a test approach for the control. Additionally, your mention of the cloud helped me consider how under some circumstances, the full implementation of a control is shared between cloud service providers and the user. With that being said, the security assessment plan also serves to define the boundaries for shared controls between the CSP and the client.
Ornella Rhyne says
Hi Michael,
I like how you mentioned the benefits of this template. There is a lot to see in this template but I can say it’s a really good guide or an outline for companies to help them understand and implement the necessary controls they need for the operation of the company.
Miray Bolukbasi says
FedRAMP, the Federal Risk and Authorization Management Program, is a government program that provides standardized approach to security authorization, assessment, monitoring for cloud products and services. The high baseline template has included various information about the provider, guidelines and standards expected.
In the planning step, PL, security planning policy, system security plan, rules of behavior and information security system architecture is listed. I believe this part is crucial where the foundation and expected terms defined for the work.
The PL-4 — Rules of Behavior is well designed where it explains the organization’s alignment in information systems security. This specific one has listed the implementation and control origination based on responsible role.
Yangyuan Lin says
Hi Miray,
I like your summary, FedRAMP creates and manages a core set of processes to ensure the effectiveness of cloud security. The purpose of this system security program is to ensure the confidentiality, integrity, and availability of corporate information.
Elizabeth Gutierrez says
The NIST SP 800-18r1 guide describes the purpose for developing a security plan as “[providing] an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements” (39). Aside from that, the objective of system security planning is to improve the protection of information system resources and outline responsibilities and expected behavior of all individuals who have access to the system. Considering federal systems such as Law Enforcement and Emergency Services systems, Financial systems, and Health systems have highly classified information and applications that are critical to the agency’s mission, it is imperative that the protection of these systems be documented in a SSP. This can explain why FedRAMP introduced their High Baseline to account for the government’s most sensitive environments with special emphasis on data that involves the protection of life and financial ruin.
Elizabeth Gutierrez says
My apologies, this comment was meant for the previous article.
Elizabeth Gutierrez says
FedRAMP System Security Plan (SSP) High Baseline Template is written in accordance with NIST Special Publication (SP) 800-18r1 and offers an outline to guide organizations who are in the process of writing an SSP. Once an organization identifies their system’s impact level, they can use the corresponding template and begin adding content to the designated sections. Some of the tasks they can expect are determining the implementation status, documenting a responsible role, declaring the control origination, and explaining what the solution is and how it is implemented for each of the required security controls. It is in the company’s best interest to produce a well written SSP because otherwise, it will only delay the assessment process and cost the cloud service provider’s valuable time and resources
Michael Duffy says
Hi Elizabeth,
I like how you emphasized writing a well-written security plan. During categorization of the system it is crucial that you outline the plan in great detail. The more time that you spend in the categorization phase and “select” controls – the easier the subsequent steps become. Having a well outlined plan makes creating assessments and generating test results much cleaner and easier to authorize.
Michael Duffy says
The FedRAMP System Security Plan (SSP) provides a template to write the system security plan, such as providing system description, point of contacts, location, etc. It also provides a list of controls from the NIST 800-53 and gives the technical expert designing the security plan to describe if the security control is implemented, partially implemented, planned, alternate implementation, or non-applicable.
The plan also has attachments such as the Privacy Threshold Analysis/Privacy Impact Assessment to determine whether PII is notable on the system and if an assessment must be ran. Or templates for Configuration Management/Incident response/etc.
Essentially this plan provides the ability for the user/technical expert utilizing this document to begin step 2 of Risk Management Framework (NIST 800-37) and select the categorization of the system and begin developing documentation or determining their Implementation Plan. This is an excellent document.
Ornella Rhyne says
The Federal Risk and Authorization Management program is a program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This template in accordance with NIST guides an organization identify their security boundaries using the System Security Plan.
It’s also used to describe where the controls are coming from and clearly defines the responsibility of each person who contribute to implement the processes or procedures. That way, each person knows what to do and is able to monitor and detect any unsuspicious activities in the system.
Overall, FedRamp is used to help an organization once determining their system boundaries, use the corresponding information to implement the controls, manage and monitor the controls to minimize the risk.
Ryan Trapp says
I found it interesting reading the FedRAMP High baseline template after having reviewed the NIST publication 800-18. When looking at the table of contents, you could see the amount of minimum security controls that would have to be implemented, due to the template being for a system with a high impact rating. I also noticed there was not a section allotted to document the completion and approval dates, and the ongoing system security plan maintenance. If a company were using the FedRAMP template I would recommend adding those two sections into their document, per NIST 800-18. I did find it would be beneficial to have the space for attachments at the end of the document to ensure that any supplemental material is present for whoever is reviewing the document, like for example how one of the attachments is the FIPS 199 template.
Shubham Patil says
FedRAMP (Federal Risk Authorization Management Program) is a US government-wide approach to the security assessment, authorization and monitoring for cloud service providers (CSPs). CSPs are organizations that provide infrastructure, network, or business services on the cloud. The SSP report is the first report in the list of required materials for the FedRAMP Security Package. The SSP report is one of the most detailed reports and describes the security controls a CSP has implemented. The template is built on the guidelines of NIST and FIPS.
Oluwaseun Soyomokun says
I agree the SSP report is the first important document for FEDRAMP and it also specifies the controls to be implemented by the cloud service provider (CSP) on the information systems of its customers and federal agencies.
Amelia Safirstein says
The US government uses FedRAMP through the process of reviewing, authorizing and monitoring CSPs. One section that stood out to me from the FedRAMP form was the specific notes/documentation on points of contact. Selecting responsible persons and ensuring that communication is open is essential in any business partnership. Creating the documentation is helpful but without locking in specific people and accountability, communication becomes difficult and the system is significantly less efficient.
Oluwaseun Soyomokun says
FEDRAMP System Security Plan identifies with the audit phase and separation of duties and responsibilities. This template is a resourceful security baseline template for checking the appropriate security postures required and how it supports business partnership..
Ryan Trapp says
Hi Amelia,
I think you bring up a good point that although the documentation can be informative, it is important to have specific people accountable and there for any additional questions or references. Adding on to what you mentioned, it is important to keep those contacts up to date. Individuals change rolls or positions and a company needs to make sure the contacts are kept up to date. If not, it could lead to a situation where there is no accountability.
Oluwaseun Soyomokun says
The FEDRAMP system security plan (SSP) is a baseline template with multiple-occuring data fields linked together and it is the most important document in the security package required to be used by organization for their security posture. The security posture describes the architecture and boundary of security control. It also includes details of processes for auditing and maintaining the system, in addition to information about how you plan to respond to security incidents that occur on the network. The system security plan accommodates the security standards of FIPS 199, FEDRAMP laws and regulations and also the separation of duties and processes for audit reviews, analysis, reports and maintaining the system. The important consideration of this system security plan is to ensure the security controls meet the minimun the security control baseline requirements.
Michael Galdo says
Hello Oluwaseun,
I enjoyed how you described the FEDRAMP SSP as the most important document in the security package required to be used by an organization for their security posture. These SSPs prove credibility, increase good communication, and provide a visualization of the strengths and weaknesses of the company’s security program so they know where to improve. This template provides you with an outline you can use to capture the system’s environment, responsibilities, and current status of high impact controls that are required for the system.
Hang Nu Song Nguyen says
The FedRAMP SSP High Baseline template is written in accordance with NIST SP 800-18R1 for the use of cloud based services. This template captures the required classifications, controls, and security plans required by government agencies. Through this template, government agencies can know better about the vendors’ security postures and also assess the risk profiles of the systems. Furthermore, the evaluation process will be easier and the insights better understood when the vendors and government agencies use the same classifications and frameworks.
Joshua Moses says
It was interesting to see that this document / template mentioned FIPS 199 several times. In this reading it has been proclaimed that all authorization packages must include a Federal Information Processing Standard section, which will be reviewed for quality. Furthermore, “The FIPS-199 Categorization report includes the determination of the security impact level for the cloud environment that may host any or all of the service models: IaaS, PaaS and SaaS.” (page 408)
IaaS – Infrastructure as a service
PaaS – Platform as a service
SaaS – Software as a service
I am familiar with the above service models because they are in the CompTIA A+ and Security+ objectives, a total of 3 exams I studied for and passed in 2012 and 2013. I liked seeing something that I am familiar with, and get a refresher, or go into in more depth.
Jason Burwell says
What I found really interesting about the FEDRAMP SSP High Baseline Template is just how lengthy and detailed it is. It put in perspective just how much work goes into the planning and how much manpower it takes to make a successful SSP.
Joshua Moses says
I agree, Jason. I noticed that one of our classmates described the document as having an overwhelming amount of information. Indeed, a lot of work and manpower goes into planning a successful System Security Plan. An SSP outlines the roles and responsibilities of security personnel. It details various security standards and guidelines that the organization follows. Also, it includes many diagrams that show how connected systems communicate with one another.
Bryan Garrahan says
Reading through the FEDRAMP security baseline template felt a bit overwhelming with how much information and detail is included. The FEDRAMP security plan covers several of the risk management concepts that were discussed in our other readings for this week and dives into great detail around the various kinds of security controls that need to be considered during a system implementation. It’s important for organizations to adequately fill out the requirement specifications for the system being implemented to ensure the appropriate security controls, which are outlined in this document, are deployed successfully and in proper order (from most required to least required).
Jason Burwell says
Hello Bryan,
I also felt a bit overwhelmed and intimidated by the size of the document and just how much information and detail it had in it. But at the same time, it was great to see an actual template of the work that goes into an SSP and what is to be expected.
Alexander William Knoll says
Hey Bryan,
I thought the same thing while looking over the FedRAMP template. It really is astonishing how much work goes into the development of an SSP, but it’s definitely essential to make sure the system’s security is protected to the highest capability.
Alexander William Knoll says
FedRAMP, also known as The Federal Risk and Authorization Management Program is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The high-baseline template we looked at contains several features to facilitate data entry, basically, to describe all of the organization’s security controls on the system and the implementation of said controls. A key takeaway I took from looking over this document is just how detailed and complicated the template is. The plan covers everything, from minimum security controls to contingency planning to incident response, but the depth of the template is to ensure that the confidentiality, availability, & integrity of the system is upheld as information security is vital to FedRAMP guidelines.
Wilmer Monsalve says
FedRAMP consists of a bunch of templates regarding almost any system security plan that can be thought of and how to do it. The control requirements are outlined in the document for high impact cloud systems. The main frame of the template guideline is the implementation status, then the control origination, responsible role and the parameter fields that can be included for this summary checklist.
Mohammed Syed says
The FEDRAMP System Security Plan (SSP) very clearly defines the security impact level to implement the risk management control process for every organization and individual who works in the security management process. It provides a very clear structure to the organization on how to implement and maintain security in the organization, and what the impact will be if the security control is low, moderate or high. It includes a detailed process for setting up the baseline requirements of security controls.
It covers the security structure, details of the system security boundary, and architecture for how to maintain the system security baseline standard. It mentions security awareness and training, which is important to keep all employees up to date on the latest security breaches or upcoming challenges, their responsibility, and how to protect the organization’s system security. This is also useful to combat upcoming threats generated in the coming days. It is a very important document for security engineers to understand physical threats, system security threats and network security threats, and what to do when an incident happens, how to face incidents and overcome them with low impact on current business continuity.
Corey Arana says
The system security plan is the main document in which the cloud service provider describes all the security controls in use on the information system and their implementation. The key point of the SSP I thought was interesting to learn about was PS-7, Third-party personnel security. This establishes personnel security requirements, including roles and responsibilities, for third-party providers. It requires third-party providers to comply with these policies and procedures. It also monitors provider compliance, and in the document it shows the implementation status, control origination and how it is implemented for the control summary information.