System Security Plan (SSP)
The System Security Plan (SSP) is used by both the Federal (NIACAP) and Intelligence Systems (DCID 6/3) C&A processes.
In the Federal C&A process, NIST Special Publication 800-18 states:
The objective of system security planning is to improve protection of information technology (IT) resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a System Security Plan (SSP). The completion of SSPs is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources", Appendix III, "Security of Federal Automated Information Resources", and Public Law 100-235, "Computer Security Act of 1987".
The SSP contains the following information:
- System Identification
- Management Controls
- Operational Controls
- Technical Controls
For Intelligence Systems, the Director of Central Intelligence Directive 6/3 (DCID 6/3) provides uniform policy guidance and requirements for ensuring adequate protection of certain categories of intelligence information that is stored or processed on an information system. DCID 6/3 requires the completion of an SSP in order to describe the planned operating conditions of the system and the expected residual risk of operating the system.
The following list is a suggested outline for a DCID 6/3 SSP:
- Introduction
- Secure Facility Description
- System Description
- System Hardware
- System Software
- Data Storage Media
- Security Requirements
- Security Awareness Program
- Interconnection Security Agreement
- Memorandum of Agreement/Understanding
- Exceptions
- Glossary of Terms
The organization of the DCID 6/3 SSP is at the discretion of the Designated Approval Authority (DAA). In some cases, required information may be located in associated documents referred to in the SSP.
With experience in all aspects of C&A requirements, CygnaCom Solutions can assist organizations with the development of SSPs.