Hi, my name is Mike Green. I'm a cyber security engineer with Optics Cyber Solutions. Today I'd like to provide a high-level overview of a system security plan, walk through some of the core components, and then take a walk through some hopefully helpful resources at the end of the presentation.

A system security plan, or SSP, is essentially a document that provides an overview of the security controls applied to a system to meet specific security requirements. Those security requirements are typically drawn from a security controls catalog such as NIST SP 800-53, NIST SP 800-171, or even the more recent CMMC, the Cybersecurity Maturity Model Certification. A critical piece of the system security plan is that it's a living document: the intention is for it to be updated throughout the lifecycle of the system, as the system changes and as the security controls change with the system.

A quick background on the use of SSPs. When FISMA passed in 2002, it required that the federal government document all of their federal systems within an SSP against the NIST SP 800-53 security controls, using the relevant baseline (low, moderate, or high) depending on the data within the system. Over time the federal government has instituted additional programs, such as FedRAMP, which focuses on cloud service providers and cloud technologies, as well as CMMC, which is focused on controlled unclassified information for DIB, or Defense Industrial Base, organizations supporting the government, focusing primarily on confidentiality.

There are several core components to an SSP. It starts with the system description, which is really the business purpose of the system as well as the technical components: the servers, the workstations, any virtual components, databases, things like that. The system boundary is really around the components within a security boundary or system boundary, so the actual items that comprise the system. That's typically documented with a network diagram, where we scope in to the specific boundary anything that will be included within the system itself, but we also include a hardware and software inventory for all the components that make up the system. System interconnections are any systems that the system under test, or within scope, interconnects with; that could be for authentication services or data-transfer-type services between the various systems. Data elements are a really critical piece that will drive the types of security controls that may be required; this is really the types of data within the organization and within the application itself, the sensitive data, as data does have varying levels of sensitivity within the system. User types are defined as both general users, essentially end users, as well as any privileged users that actually administer the system itself. The system owner is really the administrative owner of the system itself. There are various components to that, but the owner is ultimately responsible for the system, the security requirements, the controls, as well as the overall operational control of the system. And then finally, the most important piece: the security controls, which are really the protections around the system itself.

Speaking of security controls, here we have Table 1 from NIST SP 800-53, which is a security controls catalog: Security and Privacy Controls. Here you'll see that they're broken down by family, so you have Access Control and Configuration Management; you even see some Physical and Environmental controls, as well as Maintenance. These are controls that control the system from a security perspective. Some are technical, some are operational, some are managerial; some will sit at organizational levels, some will be more system specific, but it's really the holistic view of the security boundary and the security controls around the system itself.

As you can see, SSPs can really be scoped at varying levels. You could start with the application-specific scope, where you're really just documenting one system, or maybe a group of systems, at a lower level, so the controls are really around one system and one specific functionality, and you build these controls around that. It can also be abstracted up to a network level, which would typically be more of an enclave, a secure enclave, where you have both the infrastructure components as well as varying applications within a specific domain, and you build these security controls around that specific boundary. You can also have organizational, enterprise-level program security controls, and this is really where you're documenting the organizational common controls across the organization. That would probably be more the physical controls, personnel security, things like that, and configuration management, which will apply across the organization regardless of what type of specific technologies are in scope.

There are several important considerations that go into the development of an SSP. From experience, I have found that the system boundary is key to the success of any development of a system security plan. This is really where you're defining the boundary of the system, the security controls that will be applied, and all the components that will reside within that security boundary. In addition to the security boundary, another critical piece is the interconnections with the relevant system in scope: what type of data are those interconnections providing, the protocols, ports, etc., and what types of protections are being used as data transits between the external systems and the internal systems.

If you're looking to develop an SSP or simply want to learn more, I've included a few resources here. The first is our CMMC profile template. It includes the CMMC practices mapped against NIST SP 800-171, bringing them together into one tab so you can see the deltas across the different models. It also includes input fields so that you can document any control implementation as you start to build out the SSP for your system. The FedRAMP Program Management Office also includes some guides and templates to help you get started.

If you have any questions, please reach out at info@opticscyber.com. Also follow us on LinkedIn and Twitter, and subscribe below for more relevant cyber security topics. Thanks for watching.