Overview of System Security Plan (SSP)

May 9, 2025

Lecture Notes on System Security Plan (SSP)

Introduction

  • Presenter: Mike Green, Cybersecurity Engineer at Optics Cyber Solutions.
  • Topic: High-level overview and walkthrough of System Security Plan (SSP).
  • Objective: Understand core components and resources of SSPs.

What is a System Security Plan (SSP)?

  • A document outlining security controls applied to a system to meet security requirements.
  • Requirements typically sourced from security control catalogs like:
    • NIST 800-53
    • NIST 800-171
    • Cybersecurity Maturity Model Certification (CMMC)
  • Characteristics:
    • A living document, updated as system and security controls evolve.

Background

  • FISMA (2002): Required federal systems to document SSPs against NIST 800-53 controls.
  • Federal Programs:
    • FedRAMP: Focuses on cloud service providers and technology.
    • CMMC: Focuses on Controlled Unclassified Information (CUI) for Defense Industrial Base organizations, emphasizing confidentiality.

Core Components of SSP

  1. System Description
    • Purpose of the system.
    • Technical components: servers, workstations, virtual components, databases.
  2. System Boundary
    • Components within the security boundary, usually shown on a network diagram.
    • Includes the hardware and software inventory.
  3. System Interconnections
    • Other systems this system connects to, e.g. for authentication or data transfer.
  4. Data Elements
    • Types of data handled by the organization/application.
    • Drives the security controls that are required.
  5. User Types
    • General users and privileged users (administrators).
  6. System Owner
    • Administrative owner of the system.
    • Responsible for security and operational control.
  7. Security Controls
    • Protections applied around the system.

Security Controls

  • NIST 800-53 Security Controls Catalog
    • Divided by family: access control, configuration management, physical/environmental controls, maintenance.
    • Controls can be technical, operational, managerial.
    • Levels: controls are implemented either at the organizational level (common controls) or as system-specific controls.

Scoping SSPs

  • Application Specific: Focused on a single system or group of systems.
  • Network Level: Encompasses the infrastructure components and applications within a domain.
  • Organizational/Enterprise Level: Covers common controls like physical security, personnel security, configuration management.

Important Considerations

  • System Boundary: Key to defining which components are in scope and which security controls apply to them.
  • Interconnections: Document the type of data exchanged, the protocols used, and the protections for data in transit.
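The boundary and interconnection points above lend themselves to a mechanical consistency check before an SSP goes out for review. The following is an added example, not part of the lecture or any SSP template: the field names and the sample plan are constructed assumptions (this is not the OSCAL schema), and the check flags interconnections whose local endpoint is outside the documented boundary, undocumented transit protection, and data elements whose required controls are not claimed as implemented.

```python
from dataclasses import dataclass

# Constructed, simplified model of the SSP core components; the field
# names are assumptions for this example, not a standard schema.
@dataclass
class Interconnection:
    name: str
    local_component: str   # endpoint that must sit inside the boundary
    data_types: list       # data element names carried over the link
    protocol: str          # e.g. "SAML/HTTPS", "SFTP"
    protection: str        # protection for data in transit; "" if undocumented

@dataclass
class SSP:
    boundary: set          # hardware/software inventory inside the boundary
    interconnections: list
    data_elements: dict    # data element -> list of control ids it requires
    controls: set          # control ids the plan claims as implemented

def validate_ssp(ssp):
    # Returns a list of findings; an empty list means the plan is consistent.
    findings = []
    for ic in ssp.interconnections:
        if ic.local_component not in ssp.boundary:
            findings.append(f"{ic.name}: local component '{ic.local_component}' is outside the system boundary")
        if not ic.data_types:
            findings.append(f"{ic.name}: data types in transit are not documented")
        if not ic.protection:
            findings.append(f"{ic.name}: no protection for data in transit is documented")
        for dt in ic.data_types:
            if dt not in ssp.data_elements:
                findings.append(f"{ic.name}: data type '{dt}' is not a documented data element")
    for dt, ctrls in ssp.data_elements.items():
        if not ctrls:
            findings.append(f"data element '{dt}' drives no security controls")
        for c in ctrls:
            if c not in ssp.controls:
                findings.append(f"data element '{dt}' requires control {c}, which is not implemented")
    return findings

# Constructed sample plan with two deliberate gaps (a backup host missing from
# the boundary with no transit protection, and an unimplemented control).
SAMPLE = SSP(
    boundary={"web-01", "db-01"},
    interconnections=[
        Interconnection("IdP SSO", "web-01", ["credentials"], "SAML/HTTPS", "TLS 1.2+"),
        Interconnection("Backup", "nas-01", ["CUI"], "SFTP", ""),
    ],
    data_elements={"credentials": ["IA-2", "SC-8"], "CUI": ["SC-8", "MP-5"]},
    controls={"IA-2", "SC-8"},
)
```

Running `validate_ssp(SAMPLE)` yields three findings for the sample plan; a plan that passes with no findings is internally consistent but still needs a human reviewer to judge whether the boundary and controls are actually right.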

Resources

  • CMMC Profile Template
    • Maps CMMC practices against NIST 800-171.
    • Includes input fields for control implementation.
  • FedRAMP Program Management Office: Guides and templates.

Contact and Follow-Up

  • Questions: [email protected]
  • Follow on LinkedIn, Twitter
  • Subscribe for more cybersecurity topics.