NIST SP 800-18r1 Chapter 1
Today's rapidly changing technical environment requires federal agencies to adopt a minimum set of security controls to protect their information and information systems. Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, specifies the minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements defined in FIPS 200 through the use of the security controls in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system. The controls selected or planned must be documented in a system security plan. This document provides guidance for federal agencies for developing system security plans for federal information systems.
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. System security planning is an important activity that supports the system development life cycle (SDLC) and should be updated as system events trigger the need for revision in order to accurately reflect the most current state of the system. The system security plan provides a summary of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The plan also may reference other key security-related documents for the information system such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklists, and system interconnection agreements as appropriate.
1.2 Target Audience
Program managers, system owners, and security personnel in the organization must understand the system security planning process. In addition, users of the information system and those responsible for defining system requirements should be familiar with the system security planning process. Those responsible for implementing and managing information systems must participate in addressing the security controls to be applied to their systems. This guidance provides basic information on how to prepare a system security plan and is designed to be adaptable to a variety of organizational structures and used as a reference by those with assigned responsibility for activities related to security planning.
1.3 Organization of Document
This publication introduces a set of activities and concepts to develop an information system security plan. A brief description of its contents follows:
- Chapter 1 includes background information relevant to the system security planning process, target audience, information on FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, a discussion of the various categories of information systems, identification of related NIST publications, and a description of the roles and responsibilities related to the development of system security plans.
- Chapter 2 discusses how agencies should analyze their information system inventories in the process of establishing system boundaries. It also discusses identification of common security controls and scoping guidance.
- Chapter 3 takes the reader through the steps of system security plan development.
- Appendix A provides a system security plan template.
- Appendix B provides a glossary of terms and definitions.
- Appendix C includes references that support this publication.
1.4 Systems Inventory and Federal Information Processing Standards (FIPS 199)
FISMA requires that agencies have in place an information systems inventory. All information systems in the inventory should be categorized using FIPS 199 as a first step in the system security planning activity.
FIPS 199 is the mandatory standard to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to impact. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.
1.5 Major Applications, General Support Systems, and Minor Applications
All information systems must be covered by a system security plan and labeled as a major application or general support system. Specific system security plans for minor applications are not required because the security controls for those applications are typically provided by the general support system or major application in which they operate. In those cases where the minor application is not connected to a major application or general support system, the minor application should be briefly described in a general support system plan that has either a common physical location or is supported by the same organization. Additional information is provided in Chapter 2.
1.6 Other Related NIST Publications
In order to develop the system security plan, it is necessary to be familiar with NIST security standards and guidelines. It is essential that users of this publication understand the requirements and methodology for information system categorization as described in FIPS 199, as well as the requirements for addressing minimum security controls for a given system as described in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
Other key NIST publications directly supporting the preparation of the security plan are NIST SP 800-30, Risk Management Guide for Information Technology Systems, and NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. All documents can be obtained from the NIST Computer Security Resource Center website at: http://csrc.nist.gov/.
1.7 System Security Plan Responsibilities
Agencies should develop policy on the system security planning process. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls. In addition, procedures should require that system security plans be developed and reviewed prior to proceeding with the security certification and accreditation process for the system.
During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. The certification agent confirms that the security controls described in the system security plan are consistent with the FIPS 199 security category determined for the information system, and that the threat and vulnerability identification and the initial risk determination are documented in the system security plan, risk assessment, or equivalent document. The results of a security certification are used to reassess the risks, develop the plan of action and milestones (POA&M), which is required to track remedial actions, and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision. For additional information on the certification and accreditation process, see NIST SP 800-37. Figure 1 depicts the key inputs to and outputs of the security planning process.
Figure 1: Security Planning Process Inputs/Outputs
The roles and responsibilities in this section are specific to information system security planning. Recognizing that agencies have widely varying missions and organizational structures, there may be differences in naming conventions for security planning-related roles and in how the associated responsibilities are allocated among agency personnel (e.g., multiple individuals filling a single role or one individual filling multiple roles).
1.7.1 Chief Information Officer
The Chief Information Officer (CIO) is the agency official responsible for developing and maintaining an agency-wide information security program and has the following responsibilities for system security planning:
- Designates a senior agency information security officer (SAISO) who shall carry out the CIO's responsibilities for system security planning,
- Develops and maintains information security policies, procedures, and control techniques to address system security planning,
- Manages the identification, implementation, and assessment of common security controls,
- Ensures that personnel with significant responsibilities for system security plans are trained,
- Assists senior agency officials with their responsibilities for system security plans, and
- Identifies and coordinates common security controls for the agency.
1.7.2 Information System Owner
The information system owner is the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system. The information system owner has the following responsibilities related to system security plans:
- Develops the system security plan in coordination with information owners, the system administrator, the information system security officer, the senior agency information security officer, and functional "end users,"
- Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements,
- Ensures that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior),
- Updates the system security plan whenever a significant change occurs, and
- Assists in the identification, implementation, and assessment of the common security controls.
1.7.3 Information Owner
The information owner is the agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. The information owner has the following responsibilities related to system security plans:
- Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior),
- Provides input to information system owners regarding the security requirements and security controls for the information system(s) where the information resides,
- Decides who has access to the information system and with what types of privileges or access rights, and
- Assists in the identification and assessment of the common security controls where the information resides.
1.7.4 Senior Agency Information Security Officer (SAISO)
The senior agency information security officer is the agency official responsible for serving as the CIO's primary liaison to the agency's information system owners and information system security officers. The SAISO has the following responsibilities related to system security plans:
- Carries out the CIO's responsibilities for system security planning,
- Coordinates the development, review, and acceptance of system security plans with information system owners, information system security officers, and the authorizing official,
- Coordinates the identification, implementation, and assessment of the common security controls, and
- Possesses professional qualifications, including training and experience, required to develop and review system security plans.
1.7.5 Information System Security Officer
The information system security officer is the agency official assigned responsibility by the SAISO, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program. The information system security officer has the following responsibilities related to system security plans:
- Assists the senior agency information security officer in the identification, implementation, and assessment of the common security controls, and
- Plays an active role in developing and updating the system security plan as well as coordinating with the information system owner any changes to the system and assessing the security impact of those changes.
1.7.6 Authorizing Official
The authorizing official (or designated approving/accrediting authority, as referred to by some agencies) is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals. The authorizing official has the following responsibilities related to system security plans:
- Approves system security plans,
- Authorizes operation of an information system,
- Issues an interim authorization to operate the information system under specific terms and conditions, or
- Denies authorization to operate the information system (or if the system is already operational, halts operations) if unacceptable security risks exist.
1.8 Rules of Behavior
The rules of behavior, which are required by OMB Circular A-130, Appendix III, and are a security control contained in NIST SP 800-53, should clearly delineate the responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance and be made available to every user prior to receiving authorization for access to the system. The rules must contain a signature page for each user to acknowledge receipt, indicating that they have read, understand, and agree to abide by the rules of behavior. Electronic signatures are acceptable for acknowledging the rules of behavior.
Figure 2 lists examples from OMB Circular A-130, Appendix III of what should be covered in typical rules of behavior. These are examples only, and agencies have flexibility in the detail and contents. When developing the rules of behavior, keep in mind that the intent is to make all users accountable for their actions by acknowledging that they have read, understand, and agree to abide by the rules of behavior. The rules should not be a complete copy of the security policy or procedures guide, but rather cover, at a high level, some of the controls described in Figure 2.
Figure 2: Rules of Behavior Examples
Examples of Controls Contained in Rules of Behavior
- Delineate responsibilities, expected use of the system, and behavior of all users.
- Describe appropriate limits on interconnections.
- Define service provisions and restoration priorities.
- Describe consequences of behavior not consistent with the rules.
- Cover the following topics:
  - Work at home
  - Dial-in access
  - Connection to the Internet
  - Use of copyrighted work
  - Unofficial use of government equipment
  - Assignment and limitations of system privileges and individual accountability
  - Password usage
  - Searching databases and divulging information
1.9 System Security Plan Approval
Organizational policy should clearly define who is responsible for system security plan approval and the procedures for plan submission, including any special memorandum language or other documentation required by the agency. Prior to the certification and accreditation process, the designated authorizing official, who is independent of the system owner, typically approves the plan.