CA
Security Assessment
2
3.12.4
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
A system security plan (SSP) is a document that outlines how an organization implements its security requirements. An SSP outlines the roles and responsibilities of security personnel. It details the different security standards and guidelines that the organization follows. An SSP should include high-level diagrams that show how connected systems talk to each other. The organization should outline in its SSP its design philosophies. Design philosophies include defense-in-depth strategies as well as allowed interfaces and network protocols. All information in the SSP should be high-level. Include enough information in the plan to guide the design implementation of the organization’s systems. Reference existing policies and procedures in the SSP.

Example

You are in charge of system security in your organization. As part of your job, you develop a system security plan (SSP). The SSP tells all employees how they can meet the organization’s system security goals. The information in the SSP should explain how you should handle your important information. Examples include who can access important information, where you should store it, and how you can transmit it. By defining a clear SSP, you can design and build your network to ensure that it meets the SSP-defined goals. You can also use your SSP to outline the organization’s:

* security requirements
* the current status of the requirements
* your plan to meet the requirements in the future.
System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended.

Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition.

Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans.
N/A
NIST SP 800-53 Rev 4 PL-2
NIST SP 800-171 Rev 1 3.12.4
NIST CSF v1.1 PR.IP-7
CA.2.157.[a] a system security plan is developed;
CA.2.157.[b] the system boundary is described and documented in the system security plan;
CA.2.157.[c] the system environment of operation is described and documented in the system security plan;
CA.2.157.[d] the security requirements identified and approved by the designated authority as non-applicable are identified;
CA.2.157.[e] the method of security requirement implementation is described and documented in the system security plan;
CA.2.157.[f] the relationship with or connection to other systems is described and documented in the system security plan;
CA.2.157.[g] the frequency to update the system security plan is defined; and
CA.2.157.[h] system security plan is updated with the defined frequency.