System Security Plan (SSP) Overview by Mike Green

Jun 6, 2024

System Security Plan (SSP)

Introduction

  • Speaker: Mike Green, Cyber Security Engineer at Optics Cyber Solutions
  • Topic: Overview of a System Security Plan (SSP)

Definition of SSP

  • A document providing an overview of security controls applied to a system to meet specific security requirements.
  • Requirements are drawn from control catalogs such as:
    • NIST SP 800-53
    • NIST SP 800-171
    • CMMC (Cybersecurity Maturity Model Certification)
  • SSP is a living document, updated throughout the system lifecycle.

Background

  • FISMA (2002): Mandated that federal systems be documented in an SSP using NIST SP 800-53 controls.
  • Federal Programs:
    • FedRAMP: Focus on cloud service providers and cloud technologies.
    • CMMC: Targets controlled unclassified information for defense industrial base organizations.

Core Components of an SSP

  1. System Description
    • Business purpose and technical components (servers, workstations, databases, etc.).
  2. System Boundary
    • Components within the security boundary, typically documented with a network diagram.
    • Includes hardware and software inventory.
  3. System Interconnections
    • Systems interacting with the scoped system (authentication services, data transfer, etc.).
  4. Data Elements
    • Types of data within the system/application, impacting required security controls.
  5. User Types
    • General users (end users) and privileged users (administrators).
  6. System Owner
    • Administrative owner responsible for the system's operational control and security.
  7. Security Controls
    • Protections around the system, detailed in catalogs like NIST SP 800-53.

Security Controls

  • Derived from catalogs such as NIST SP 800-53.
  • Controls classified by family (e.g., access control, configuration management, physical/environmental controls).
  • Types of controls: technical, operational, managerial.
  • Can apply at different levels: organizational, system-specific.

Scoping SSPs

  • Application-Specific: Documenting a single system, or a small group of systems, at a granular level.
  • Network Level: Secure enclaves, including infrastructure components and multiple applications.
  • Organizational Level: Program security controls applicable across the organization (physical controls, personnel security, etc.).

Important Considerations

  • System Boundary: Defines what is in scope and therefore which security controls apply; getting it right is critical to successful SSP development.
  • System Interconnections: Protocols, data types, and protections for external/internal data transit.

Resources

  1. CMMC Profile Template: Practices mapped against NIST 800-171 with input fields for documentation.
  2. FedRAMP Program Management Office: Guides and templates for starting SSP development.

Contact Information

  • Email: [email protected]
  • Follow on: LinkedIn, Twitter
  • Subscribe: For more cybersecurity topics

Conclusion

  • Reach out for questions and additional information.