Owners of Agency-owned mission-critical information resources shall develop and submit a system security plan in accordance with NIST SP 800-18 that: (a) defines the authorization boundary of the information resource; (b) describes the function, operational context and environment, and security categorization of the information resource; (c) identifies relationships and connections to other information resources; (d) describes the unique resource-specific security controls in place or planned for the information resource that exceed the common security controls applied to all Agency information resources.
The system security plan shall be approved by the chief information security officer and maintained on file for the lifespan of the information resource.
Management does not have a documented security plan.
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
The organization has a broad system security plan in place and reviews it annually for appropriateness.
The state organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.
Obtain security planning policy; procedures addressing security plan development and implementation; NIST Special Publication 800-18; security plan for the information system; other relevant documents or records and ascertain if :
(I)the organization develops and implements a security plan for the information system.
(ii)the security plan provides an overview of the security requirements for the information system and a description of the security controls planned or in place for meeting the security requirements.
(iii)the organization defines in the security plan, explicitly or by reference, the values for all organization-defined parameters (i.e., assignment and selection operations) in applicable security controls and control enhancements.
(iv)the security plan development is consistent with NIST Special Publication 800-18.
(v)the security plan is consistent with the organization’s information system architecture and information security architecture.
(vi)designated organizational officials review and approve the security plan.