NIST 800-171 - System Security Plans (3.12.4)
Overview:
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Action Items:
3.12.4[a]
Determine if: a system security plan is developed.
3.12.4[b]
Determine if: the system boundary is described and documented in the system security plan.
3.12.4[c]
Determine if: the system environment of operation is described and documented in the system security plan.
3.12.4[d]
Determine if: the security requirements identified and approved by the designated authority as non-applicable are identified.
3.12.4[e]
Determine if: the method of security requirement implementation is described and documented in the system security plan.
3.12.4[f]
Determine if: the relationship with or connection to other systems is described and documented in the system security plan.
3.12.4[g]
Determine if: the frequency to update the system security plan is defined.
3.12.4[h]
Determine if: the system security plan is updated with the defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: Security planning policy; procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; other relevant documents or records.
2) Interview: Personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities.
3) Test: Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan.
Related Documents (document name and content will vary by organization):
1) Security planning policy
2) procedures addressing system security plan development and implementation
3) procedures addressing system security plan reviews and updates
4) enterprise architecture documentation
5) system security plan
6) records of system security plan reviews and updates
7) other relevant documents or records
Additional Guidance:
Security plans relate security requirements to a set of security controls. Security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls. Security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition.
Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. NIST Special Publication 800-18 provides guidance on developing security plans.