Risk Management Framework and System Security Plans

Jun 6, 2024

Introduction

  • Presenter: Bruce
  • Topics: Risk Management Framework, Cybersecurity, System Security Plans (SSP), Information Technology

Key Questions from the Audience

  • Jackie O: Example of an acceptable deliverable SSP
  • Clarification: Mislink, detailed on convo courses

System Security Plan (SSP)

  • Definition: A comprehensive document explaining the security posture of an organization
  • Purpose: Federal government requires evidence of security, not just claims

NIST 800-53 and the Authorization Package

  • Security Controls: Defined by NIST SP 800-53
  • Authorization Package Components:
    • System Security Plan (SSP)
    • Plan of Action and Milestones (POA&M)
    • Assessment Report
    • Artifacts (evidence such as scans and backups)

Acceptable Deliverable for SSP

  • Varies by Organization: Different expectations and definitions of acceptable evidence
  • Examples of Evidence:
    • Screenshots of recent backups
    • Policies detailing backup frequency
    • Configuration details of backup systems
  • Role of Cybersecurity Professionals: Determine the organization's expectations for acceptable evidence

Real-World Examples

  • Different Company Expectations:
    • Company A: Policy document was enough
    • Company B: Required screenshots and more detailed evidence
  • Artifact Examples:
    • Stakeholders List: Title, Name, Email, Contact Information
    • Hardware/Software List: Hostnames, IPs, OS version, Serial numbers, etc.
    • Scan Results: Concrete evidence of security status

Tools to Manage SSP

  • Challenges with Word Documents: Hard to manage and update
  • Alternative Tools:
    • Databases (e.g., eMASS, Xacta, Archer)
    • Excel Spreadsheets: Limited capability
  • Advantages of Databases: Easier management, updates, comprehensive search capability

Additional Insights

  • Phone Consultations: Limited availability, offered to long-term followers and course purchasers
  • GRC Systems: Utilize governance, risk, and compliance systems to manage SSPs
    • Examples: Archer, Air Force systems (e.g., eMASS)

Student Guidance

  • For Job Seekers: Reflect RMF experience in resumes
    • Include documentation, scanning, procedure writing, technical assessments
  • Small Organizations: Use Word documents or Excel spreadsheets for limited-scope SSPs

Conclusion

  • Interactive Discussion: Audience questions about practical applications
  • Next Steps: Continuous learning and updates