The IT Law Wiki

Definitions

A system security plan is a

[f]ormal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.[1]
formal document listing the tasks necessary to meet system security requirements, a schedule for their accomplishments, and to whom responsibilities for each task are assigned.[2]
[a] document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how security requirements are implemented; and the relationships with or connections to other systems.[3]

Overview

OMB Circular No. A-130 requires that agencies develop system security plans for major applications and general support systems, and that these plans address policies and procedures for providing management, operational, and technical controls. NIST Special Publication 800-53 states that the security plan should be updated to address changes to the system, its environment of operation, or problems identified during plan implementation or security control assessments.

One of the controls recommended by NIST Special Publication 800-53 is the development of an inventory of an information system’s components. This inventory should, among other things, accurately reflect the current information system, be consistent with the authorized boundary of the system, and be available for review.
