SYSTEM SECURITY PLAN (SSP)


NIST CONTROLS BASELINE: CONTROLLED UNCLASSIFIED INFORMATION (CUI) & NON-FEDERAL ORGANIZATION (NFO)
SYSTEM SECURITY PLAN (SSP)
[Insert Company Name]

TABLE OF CONTENTS

PREPARED BY & RECORD OF CHANGES ..... 11
  PREPARED BY ..... 11
  REVISION HISTORY ..... 11
OWNERSHIP & CYBERSECURITY OVERVIEW ..... 12
  CONTRACTS CONTAINING CUI ..... 12
  CUI OVERVIEW ..... 12
  KEY STAKEHOLDERS ..... 12
  DOCUMENTATION REPOSITORY ..... 13
  DATA PROTECTION CONSIDERATIONS ..... 13
  ADDITIONAL COMPLIANCE REQUIREMENTS ..... 13
    Statutory Requirements ..... 13
    Regulatory Requirements ..... 13
    Contractual Requirements ..... 14
CUI OPERATING ENVIRONMENT ..... 15
  OPERATING MODEL ..... 15
  INTERCONNECTIVITY OVERVIEW ..... 16
  IDENTIFICATION & AUTHENTICATION OVERVIEW ..... 16
  SYSTEM COMPONENTS & NETWORK BOUNDARIES ..... 16
    High-Level Network Diagram ..... 17
    Data Flow Diagram ..... 18
  ROLES & PRIVILEGES ..... 19
  SUPPLY CHAIN OVERVIEW ..... 20
  ONGOING MAINTENANCE & SUPPORT PLAN ..... 20
SYSTEM DEVELOPMENT LIFE CYCLE (SDLC) ..... 21
  OPERATIONAL PHASE ..... 21
  MILESTONES ..... 21
IDENTIFIED DEFICIENCIES & REMEDIATION PLAN ..... 22
  NIST CYBERSECURITY CONTROLS ..... 22
  CONTROL DEFICIENCIES ..... 22
  REMEDIATION PLANS ..... 22
SYSTEM SECURITY PLAN (SSP) APPENDICES ..... 23
  APPENDIX A: DATA PROTECTION CONSIDERATIONS ..... 23
    A-1: Data Sensitivity ..... 23
    A-2: Safety & Criticality ..... 24
    A-3: Basic Assurance Requirements ..... 25
    A-4: Enhanced Assurance Requirements ..... 25
  APPENDIX B: HARDWARE AND SOFTWARE INVENTORY (HSI) ..... 26
    B-1: Hardware Asset ..... 26
    B-2: Software Asset ..... 26
  APPENDIX C: INTERCONNECTIVITY DOCUMENTATION ..... 27
    C-2: Necessary Ports, Protocols & Services ..... 27
  APPENDIX D: EXTERNAL SYSTEM CONNECTIONS ..... 28
  APPENDIX E: ADDITIONAL SECURITY CONSIDERATIONS ..... 29
    E-1: Specific Rules of Behavior Requirements ..... 29
    E-2: Specific Security Awareness Training Requirements ..... 29
  APPENDIX F: CYBERSECURITY ROLES & RESPONSIBILITIES ..... 30
    F-1: Information Security Role Categories ..... 30
    F-2: Information Security Specialty Areas (Roles) ..... 31
    F-3: Information Security Work Roles & Responsibilities ..... 34

System Security Plan (SSP) Page 2 of 142

GLOSSARY: ACRONYMS & DEFINITIONS ..... 39
  ACRONYMS ..... 39
  DEFINITIONS ..... 39
ANNEX 1 NIST CYBERSECURITY CONTROLS ..... 40

NIST APPENDIX D ACCESS CONTROL
  Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems). Limit system access to the types of transactions and functions that authorized users are permitted to execute. ..... 40
    AC-2 Account Management ..... 40
    AC-3 Access Enforcement ..... 40
    AC-17 Remote Access
  Control the flow of CUI in accordance with approved authorizations. ..... 41
    AC-4 Information Flow Enforcement
  Separate the duties of individuals to reduce the risk of malevolent activity without collusion. ..... 42
    AC-5 Separation of Duties
  Employ the principle of least privilege, including for specific security functions and privileged accounts. ..... 42
    AC-6 Least Privilege ..... 42
    AC-6(1) Least Privilege | Authorize Access To Security Functions ..... 43
    AC-6(5) Least Privilege | Privileged Accounts
  Use non-privileged accounts or roles when accessing non-security functions. ..... 44
    AC-6(2) Least Privilege | Non-Privileged Access For Non-Security Functions
  Prevent non-privileged users from executing privileged functions and audit the execution of such functions. ..... 44
    AC-6(9) Least Privilege | Auditing Use of Privileged Functions ..... 44
    AC-6(10) Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions
  Limit unsuccessful logon attempts. ..... 45
    AC-7 Unsuccessful Logon Attempts
  Provide privacy and security notices consistent with applicable CUI rules. ..... 46
    AC-8 System Use Notification
  Use session lock with pattern-hiding displays to prevent access and viewing of data after period of inactivity. ..... 46
    AC-11 Session Lock ..... 46
    AC-11(1) Session Lock | Pattern-Hiding Displays
  Terminate (automatically) a user session after a defined condition. ..... 47
    AC-12 Session Termination
  Monitor and control remote access sessions. ..... 48
    AC-17(1) Remote Access | Automated Monitoring / Control
  Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. ..... 48
    AC-17(2) Remote Access | Protection of Confidentiality / Integrity Using Encryption
  Route remote access via managed access control points. ..... 49
    AC-17(3) Remote Access | Managed Access Control Points
  Authorize remote execution of privileged commands and remote access to security-relevant information. ..... 49
    AC-17(4) Remote Access | Privileged Commands / Access
  Authorize wireless access prior to allowing such connections. ..... 50
    AC-18 Wireless Access
  Protect wireless access using authentication and encryption. ..... 50
    AC-18(1) Wireless Access | Authentication & Encryption
  Control connection of mobile devices. ..... 51
    AC-19 Access Control for Mobile Devices
  Encrypt CUI on mobile devices and mobile computing platforms. ..... 51
    AC-19(5) Access Control for Mobile Devices | Full Device / Container-Based Encryption
  Verify and control/limit connections to and use of external systems. ..... 52
    AC-20 Use of External Information Systems ..... 52
    AC-20(1) Use of External Information Systems | Limits on Authorized Use ..... 52

  Limit use of organizational portable storage devices on external systems. ..... 53
    AC-20(2) Use of External Information Systems | Portable Storage Devices
  Control CUI posted or processed on publicly accessible systems. ..... 53
    AC-22 Publicly Accessible Content ..... 53

NIST APPENDIX D AWARENESS & TRAINING
  Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. ..... 55
    AT-2 Audit Events ..... 55
    AT-3 Content of Audit Records
  Provide security awareness training on recognizing and reporting potential indicators of insider threat. ..... 56
    AT-2(2) Content of Audit Records | Additional Audit Information ..... 56

NIST APPENDIX D AUDIT & ACCOUNTABILITY
  Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity. Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. ..... 57
    AU-2 Audit Events ..... 57
    AU-3 Content of Audit Records ..... 57
    AU-3(1) Content of Audit Records | Additional Audit Information ..... 58
    AU-6 Audit Review, Analysis, and Reporting ..... 58
    AU-12 Audit Generation
  Review and update audited events. ..... 59
    AU-2(3) Audit Events | Reviews and Updates
  Alert in the event of an audit process failure. ..... 60
    AU-5 Response to Audit Processing Failures
  Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. ..... 60
    AU-6(3) Audit Review, Analysis, and Reporting | Correlate Audit Repositories
  Provide audit reduction and report generation to support on-demand analysis and reporting. ..... 61
    AU-7 Audit Reduction and Report Generation
  Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. ..... 61
    AU-8 Time Stamps ..... 61
    AU-8(1) Time Stamps | Synchronization with Authoritative Time Source
  Protect audit information and audit tools from unauthorized access, modification, and deletion. ..... 62
    AU-9 Protection of Audit Information
  Limit management of audit functionality to a subset of privileged users. ..... 63
    AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users ..... 63

NIST APPENDIX D CONFIGURATION MANAGEMENT
  Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Establish and enforce security configuration settings for information technology products employed in organizational systems. ..... 64
    CM-2 Baseline Configuration ..... 64
    CM-6 Configuration Settings ..... 64
    CM-8 System Component Inventory ..... 65
    CM-8(1) System Component Inventory | Updates During Installations / Removals
  Track, review, approve/disapprove, and audit changes to organizational systems. Analyze the security impact of changes prior to implementation. Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. ..... 66
    CM-3 Configuration Change Control ..... 66
    CM-4 Security Impact Analysis ..... 66

    CM-5 Access Restrictions for Change
  Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. ..... 67
    CM-7 Least Functionality
  Restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services. ..... 68
    CM-7(1) Least Functionality | Periodic Review ..... 68
    CM-7(2) Least Functionality | Prevent Program Execution
  Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. ..... 69
    CM-7(4) Least Functionality | Unauthorized Software / Blacklisting ..... 69
    CM-7(5) Least Functionality | Authorized Software / Whitelisting
  Control and monitor user-installed software. ..... 70
    CM-11 User-Installed Software ..... 70

NIST APPENDIX D IDENTIFICATION & AUTHENTICATION
  Identify system users, processes acting on behalf of users, or devices. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. ..... 71
    IA-2 Identification and Authentication (Organizational Users) ..... 71
    IA-5 Authenticator Management
  Use multifactor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts. ..... 72
    IA-2(1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts ..... 72
    IA-2(2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts ..... 72
    IA-2(3) Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
  Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. ..... 73
    IA-2(8) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant ..... 73
    IA-2(9) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts - Replay Resistant
  Prevent reuse of identifiers for a defined period. Disable identifiers after a defined period of inactivity. ..... 74
    IA-4 Identifier Management
  Enforce a minimum password complexity and change of characters when new passwords are created. Prohibit password reuse for a specified number of generations. Allow temporary password use for system logons with an immediate change to a permanent password. Store and transmit only cryptographically-protected passwords. Obscure feedback of authentication information. ..... 75
    IA-5(1) Authenticator Management | Password-Based Authentication ..... 75

NIST APPENDIX D INCIDENT RESPONSE
  Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Track, document, and report incidents to appropriate organizational officials and/or authorities. ..... 76
    IR-2 Incident Response Training ..... 76
    IR-4 Incident Handling ..... 76
    IR-5 Incident Monitoring ..... 77
    IR-6 Incident Reporting ..... 77
    IR-7 Incident Response Assistance
  Test the organizational incident response capability. ..... 78
    IR-3 Incident Response Testing ..... 78
    IR-3(2) Incident Response Testing | Coordination with Related Plans ..... 79

NIST APPENDIX D MAINTENANCE
  Perform maintenance on organizational systems. Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. ..... 80
    MA-2 Controlled Maintenance ..... 80
    MA-3 Maintenance Tools ..... 80
    MA-3(1) Maintenance Tools | Inspect Tools ..... 81
    MA-3(2) Maintenance Tools | Inspect Media
  Ensure equipment removed for off-site maintenance is sanitized of any CUI. ..... 82
    MA-2 Controlled Maintenance
  Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. ..... 82
    MA-3(2) Maintenance Tools | Inspect Media
  Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. ..... 83
    MA-4 Nonlocal Maintenance
  Supervise the maintenance activities of maintenance personnel without required access authorization. ..... 83
    MA-5 Maintenance Personnel ..... 83

NIST APPENDIX D MEDIA PROTECTION
  Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. Limit access to CUI on system media to authorized users. Sanitize or destroy system media containing CUI before disposal or release for reuse. ..... 84
    MP-2 Media Access ..... 84
    MP-4 Media Storage ..... 84
    MP-6 Media Sanitization
  Mark media with necessary CUI markings and distribution limitations. ..... 85
    MP-3 Media Marking
  Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. ..... 86
    MP-5 Media Transport
  Implement cryptographic mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas unless otherwise protected by alternative physical safeguards. ..... 86
    MP-5(4) Media Transport | Cryptographic Protection
  Control the use of removable media on system components. ..... 87
    MP-7 Media Use
  Prohibit the use of portable storage devices when such devices have no identifiable owner. ..... 87
    MP-7(1) Media Use | Prohibit Use Without Owner
  Protect the confidentiality of backup CUI at storage locations. ..... 88
    CP-9 System Backup ..... 88

NIST APPENDIX D PERSONNEL SECURITY
  Screen individuals prior to authorizing access to organizational systems containing CUI. Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. ..... 89
    PS-3 Personnel Screening ..... 89
    PS-4 Personnel Termination ..... 89
    PS-5 Personnel Transfer ..... 90

NIST APPENDIX D PHYSICAL PROTECTION
  Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. Protect and monitor the physical facility and support infrastructure for organizational systems. ..... 91
    PE-2 Physical Access Authorizations ..... 91
    PE-5 Access Control for Output Devices ..... 91
    PE-6 Monitoring Physical Access
  Escort visitors and monitor visitor activity. Maintain audit logs of physical access. ..... 92

  Control and manage physical access devices. ..... 92
    PE-3 Physical Access Control
  Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). ..... 93
    PE-17 Alternate Work Site ..... 93

NIST APPENDIX D RISK ASSESSMENT
  Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. ..... 94
    RA-3 Risk Assessment
  Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. ..... 94
    RA-5 Vulnerability Scanning ..... 94
    RA-5(5) Vulnerability Scanning | Privileged Access
  Remediate vulnerabilities in accordance with assessments of risk. ..... 95
    RA-5 Vulnerability Scanning ..... 95

NIST APPENDIX D SECURITY ASSESSMENT
  Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. ..... 97
    CA-2 Security Assessments ..... 97
    CA-5 Plan of Action and Milestones ..... 97
    CA-7 Continuous Monitoring ..... 98
    PL-2 System Security Plan ..... 98

NIST APPENDIX D SYSTEM & COMMUNICATIONS PROTECTION
  Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. ..... 100
    SC-7 Boundary Protection ..... 100
    SA-8 Security Engineering Principles
  Separate user functionality from system management functionality. ..... 101
    SC-2 Application Partitioning
  Prevent unauthorized and unintended information transfer via shared system resources. ..... 101
    SC-4 Information in Shared Resources
  Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. ..... 102
    SC-7 Boundary Protection
  Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). ..... 102
    SC-7(5) Boundary Protection | Deny by Default / Allow by Exception
  Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). ..... 103
    SC-7(7) Boundary Protection | Prevent Split Tunneling for Remote Devices
  Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. ..... 103
    SC-8 Transmission Confidentiality and Integrity ..... 103
    SC-8(1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
  Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. ..... 104

    SC-10 Network Disconnect
  Establish and manage cryptographic keys for cryptography employed in organizational systems. ..... 105
    SC-12 Cryptographic Key Establishment and Management
  Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. ..... 105
    SC-13 Cryptographic Protection
  Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. ..... 106
    SC-15 Collaborative Computing Devices
  Control and monitor the use of mobile code. ..... 106
    SC-18 Mobile Code
  Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. ..... 107
    SC-19 Voice over Internet Protocol
  Protect the authenticity of communications sessions. ..... 107
    SC-23 Session Authenticity
  Protect the confidentiality of CUI at rest. ..... 108
    SC-28 Protection of Information at Rest ..... 108

NIST APPENDIX D SYSTEM & INFORMATION INTEGRITY
  Identify, report, and correct information and system flaws in a timely manner. Provide protection from malicious code at appropriate locations within organizational systems. Monitor system security alerts and advisories and take appropriate actions in response. ..... 109
    SI-2 Flaw Remediation ..... 109
    SI-3 Malicious Code Protection ..... 109
    SI-5 Security Alerts, Advisories & Directives
  Update malicious code protection mechanisms when new releases are available. Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. ..... 110
    SI-3 Malicious Code Protection
  Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. ..... 111
    SI-4 System Monitoring ..... 111
    SI-4(4) System Monitoring | Inbound and Outbound Communications Traffic
  Identify unauthorized use of organizational systems. ..... 112
    SI-4 System Monitoring ..... 112

NON-FEDERAL ORGANIZATION (NFO) CONTROLS ..... 113
  NIST Appendix E NFO Controls ..... 113
    AC-1 Access Control Policy & Procedures ..... 113
    AT-1 Security Awareness & Training Policy & Procedures ..... 113
    AT-4 Security Training Records ..... 114
    AU-1 Audit & Accountability Policy & Procedures ..... 114
    CA-1 Security Assessment & Authorization Policy & Procedures ..... 114
    CA-2(1) Security Assessments | Independent Assessors ..... 115
    CA-3 System Interconnections ..... 115
    CA-3(5) System Interconnections | Restrictions on External System Connections ..... 116
    CA-7(1) Continuous Monitoring | Independent Assessment ..... 116
    CA-9 Internal System Connections ..... 117
    CM-1 Configuration Management Policy & Procedures ..... 117
    CM-2(1) Baseline Configuration | Reviews & Updates ..... 118
    CM-2(3) Baseline Configuration | Retention of Previous Configurations ..... 118
    CM-2(7) Baseline Configuration | Configure Systems, Components or Devices for High-Risk Areas ..... 119
    CM-3(2) Configuration Change Control | Test / Validate / Document Changes ..... 119
    CM-8(5) System Component Inventory | No Duplicate Accounting of Components ..... 120
    CM-9 Configuration Management Plan ..... 120
    IA-1 Identification & Authentication Policy & Procedures ..... 121
    IR-1 Incident Response Policy & Procedures ..... 121
    IR-8 Incident Response Plan ..... 121
    MA-1 System Maintenance Policy & Procedures ..... 122
    MA-4(2) Non-Local Maintenance | Document Non-Local Maintenance ..... 122

    MP-1 Media Protection Policy & Procedures ..... 123
    PE-1 Physical & Environmental Protection Policy & Procedures ..... 123
    PE-4 Access Control for Transmission Medium ..... 124
    PE-6(1) Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment ..... 124
    PE-8 Visitor Access Records ..... 125
    PE-16 Delivery & Removal ..... 125
    PL-1 Security Planning Policy & Procedures ..... 126
    PL-2(3) System Security Plan | Plan / Coordinate with Other Organizational Entities ..... 126
    PL-4 Rules of Behavior ..... 127
    PL-4(1) Rules of Behavior | Social Media & Networking Restrictions ..... 127
    PL-8 Information Security Architecture ..... 128
    PS-1 Personnel Security Policy & Procedures ..... 128
    PS-6 Access Agreements ..... 128
    PS-7 Third-Party Personnel Security ..... 129
    PS-8 Personnel Sanctions ..... 129
    RA-1 Risk Assessment Policy & Procedures ..... 130
    RA-5(1) Vulnerability Scanning | Update Tool Capability ..... 130
    RA-5(2) Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified ..... 131
    SA-1 System and Services Acquisition Policy and Procedures ..... 131
    SA-2 Allocation of Resources ..... 132
    SA-3 System Development Life Cycle ..... 132
    SA-4 Acquisition Process ..... 133
    SA-4(1) Acquisition Process | Functional Properties of Security Controls ..... 133
    SA-4(2) Acquisition Process | Design / Implementation Information for Security Controls ..... 134
    SA-4(9) Acquisition Process | Functions / Ports / Protocols / Services In Use ..... 134
    SA-4(10) Acquisition Process | Use of Approved PIV Products ..... 135
    SA-5 System Documentation ..... 135
    SA-9 External System Services ..... 135
    SA-9(2) External System Services | Identification of Functions / Ports / Protocols / Services ..... 136
    SA-10 Developer Configuration Management ..... 136
    SA-11 Developer Security Testing and Evaluation ..... 137
    SC-1 System and Communications Protection Policy and Procedures ..... 137
    SC-7(3) Boundary Protection | Access Points ..... 138
    SC-7(4) Boundary Protection | External Telecommunications Services ..... 138
    SC-20 Secure Name / Address Resolution Service (Authoritative Source) ..... 139
    SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver) ..... 139
    SC-22 Architecture and Provisioning for Name / Address Resolution Service ..... 140
    SC-39 Process Isolation ..... 140
    SI-1 System and Information Integrity Policy and Procedures ..... 141
    SI-4(5) System Monitoring | System-Generated Alerts ..... 141
    SI-16 Memory Protection ..... 142

INSTRUCTION ON FILLING OUT THE SSP TEMPLATE

It is important to understand that there is no officially-sanctioned format for a System Security Plan (SSP) to meet NIST compliance requirements. This template is based on SSP requirements that are used for other US government compliance requirements for SSPs, but it is tailored to document the entire Controlled Unclassified Information (CUI) environment for an organization.

A key concept to keep in mind with the SSP is that it should be complete enough for a reasonable person to pick up, read through and understand the following information:
- What CUI is in regards to the company's operations.
- Where CUI is stored, transmitted or processed.
- What controls are in place to protect CUI as it is stored, transmitted and processed.
- Any deficiencies that exist in protecting CUI, if applicable.
- Remediation plans that address known deficiencies, if applicable.

Steps to fill out the SSP include:
Step 1: Read through the SSP template to get an understanding of the content required to fill out the template.
Step 2: Start filling out the information you have available, using the examples as guidance, where applicable.
Step 3: Work with stakeholders to fill in missing information.
Step 4: Work through Annex 1 to provide evidence of how each of the applicable CUI and Non-Federal Organization (NFO) controls is being addressed.
Step 5: For any CUI or NFO control that is not addressed, add an entry in the accompanying Plan of Action & Milestones (POA&M) template.

Documentation Notes:
- Text in BLACK is standard template text that is expected to be included in the SSP and should not be deleted unless necessary.
- Text in RED is helpful instructions that need to be deleted as sections are completed.
- Text in BLUE is examples that need to be deleted as sections are completed.

PREPARED BY & RECORD OF CHANGES

PREPARED BY
[Name]
[Address]
[Phone #]
[Department]

REVISION HISTORY
Version | Date | Pages Affected | Description
        |      | All            | Initial publish of SSP.

OWNERSHIP & CYBERSECURITY OVERVIEW

The objective of the System Security Plan (SSP) document is to have a simple, easy-to-reference document that covers pertinent information about the Controlled Unclassified Information (CUI) environment. This is a living document that is meant to be updated as conditions change. The goal of this document is simple: anyone not familiar with the CUI environment should be able to read it and gain a fundamental understanding of the systems involved, the risks, and the security controls required to maintain an acceptable level of security. Essentially, this document provides a centralized repository for knowledge that is specific to the CUI environment and its applicable security controls. The SSP reflects input from those responsible for the systems that make up the CUI environment, including information owners, system operators, and other stakeholders.

CONTRACTS CONTAINING CUI
[list the applicable contracts that contain CUI protection requirements]

CUI OVERVIEW
[provide a descriptive narrative of how CUI is defined by the applicable contract(s)]
Example: Contract XXXXXX defines CUI as schematic diagrams that are pertinent to the XYZ project.

KEY STAKEHOLDERS
CUI protection is a combined effort from the following stakeholders:
- Stakeholder 1, Position
- Stakeholder 2, Position
- Stakeholder 3, Position
Example: It is sometimes worthwhile to include an organization chart, since this can assist with problem escalations.
[example organization chart: CIO, with Team 1 (Networking Technology) and Team 2 (Technology Infrastructure) reporting to the CIO]

DOCUMENTATION REPOSITORY
Information security-related project and system documentation can be found at: [add URL for network share, etc.]

DATA PROTECTION CONSIDERATIONS
The assets within the CUI environment are assessed, based on data sensitivity and mission criticality, in order to ensure the appropriate level of protection is applied. Appendix A (Data Protection Considerations) provides the methodology for how data is classified in terms of data sensitivity and criticality to the CUI environment.

ADDITIONAL COMPLIANCE REQUIREMENTS
In addition to CUI protection requirements from the Defense Federal Acquisition Regulation Supplement (DFARS ), the following compliance requirements are also applicable, due to overlapping requirements for cybersecurity and privacy controls:

STATUTORY REQUIREMENTS
[fill-in applicable statutory requirements]
Example statutory requirements include:
- Cable Communications Policy Act (CCPA)
- Children's Internet Protection Act (CIPA)
- Children's Online Privacy Protection Act (COPPA)
- Computer Fraud and Abuse Act (CFAA)
- Consumer Credit Reporting Reform Act (CCRRA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- Electronic Communications Privacy Act (ECPA)
- Electronic Freedom of Information Act (E-FOIA)
- Electronic Funds Transfer Act (EFTA)
- Fair & Accurate Credit Transactions Act (FACTA)
- Fair Credit Reporting Act (FCRA)
- Family Education Rights and Privacy Act (FERPA)
- Federal Information Security Management Act (FISMA)
- Federal Trade Commission Act (FTCA)
- Gramm Leach Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Privacy Act
- Right to Financial Privacy Act (RFPA)
- Sarbanes Oxley Act (SOX)
- Telecommunications Act
- Telephone Consumer Protection Act (TCPA)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
- Video Privacy Protection Act (VPPA)
- US State - Massachusetts 201 CMR
- US State - Oregon Identity Theft Protection Act (ORS 646A)
- International - United Kingdom Data Protection Act (UK DPA)

REGULATORY REQUIREMENTS
[fill-in applicable regulatory requirements]
Example regulatory requirements include:
- Federal Acquisition Regulation (FAR )
- European Union General Data Protection Regulation (EU GDPR)
- Financial Industry Regulatory Authority (FINRA)

CUI OPERATING ENVIRONMENT

OPERATING MODEL

Operating Environment Where CUI Exists (check all that apply):
[ ] Public Cloud: Cloud services and infrastructure supporting multiple organizations and clients
[ ] Private Cloud: Cloud services and infrastructure dedicated to a specific organization and no other clients
[ ] Data Center: Company-owned & operated datacenter.
[ ] Hybrid: Explain: (e.g., cloud services and infrastructure that provides private cloud for secured applications and data where required and public cloud for other applications and data)
[ ] Dispersed Endpoints: CUI can be found on workstations and other endpoints.
[ ] Other: Explain:

High-Level Overview of Where CUI Is Stored, Transmitted or Processed (check all that apply):
[ ] End User Workstations: End user workstations (e.g., desktops & laptops)
[ ] Mobile Devices: Mobile devices (e.g., tablets or smartphones)
[ ] Industrial Control System (ICS): Devices that control manufacturing processes
[ ] Internal application/service: Internal application (e.g., ERM, SAP, ticket system, change control, etc.)
[ ] Software as a Service (SaaS): Web-based applications (e.g., Google Apps, Salesforce, GoToMeeting, WebEx)
[ ] Platform as a Service (PaaS): Web-based major applications (e.g., Azure Cloud Services)
[ ] Infrastructure as a Service (IaaS): Cloud environments (e.g., Azure, AWS, Rackspace)
[ ] Other: Explain:

Example:

INTERCONNECTIVITY OVERVIEW
[provide a descriptive narrative of how systems within the CUI environment communicate: is it internal only? Does it communicate outside of the company's network?]

Appendix B (Hardware and Software Inventory) provides a breakdown of assets that comprise the CUI environment in both the production and development instances. Appendix C (Interconnectivity Documentation) provides a detailed description of the ports, protocols and services in use within the CUI environment.

IDENTIFICATION & AUTHENTICATION OVERVIEW
[provide a descriptive narrative of how the system handles identification & authentication]

Example: Vendor accounts will be created in the ACME instance and pushed to the XXXXX instance. Only one account per vendor will be allowed. The vendor account will be inactivated when the vendor submits their documentation. The two instances of XXXXX will use different methods for user identification and authentication, since the XXXXX-hosted instance will be externally accessible to vendors.

ACME Instance
- User Names: AD integration
- Passwords: AD integration
- Account Reviews: Tied into AD
- Account Deactivation: Tied into AD

XXXXX Instance
- User Names:
  o ACME Users: Ping Federate (AD integration)
  o Non-ACME Users: Local XXXXX account (hosted instance only)
- Passwords:
  o ACME Users: Ping Federate (AD integration)
  o Non-ACME Users: TBD
- Account Reviews:
  o ACME Users: Ping Federate (AD integration)
  o Non-ACME Users: TBD
- Account Deactivation: Tied into AD
  o ACME Users: Ping Federate (AD integration)
  o Non-ACME Users: TBD

SYSTEM COMPONENTS & NETWORK BOUNDARIES
[provide a descriptive narrative of what makes up the CUI operating environment, including defining the assets involved and the system boundaries]

Example: XYZ is designed with two distinct instances, running in two different environments:
- Internal XXXXX instance that is housed in ACME's datacenter (Datacenter 1); and
- Hosted XXXXX instance in Microsoft's Azure private cloud.

HIGH-LEVEL NETWORK DIAGRAM

[add network diagram here]

Instruction: Useful tools to create a high-level network diagram include:
- Microsoft Visio (network diagram templates); or
- The Department of Homeland Security's free tool, the Cyber Security Evaluation Tool (CSET).

- Provide a diagram that portrays the system boundaries and all applicable connections and components, including the means for monitoring and controlling communications at the external boundary and at key internal boundaries within the system.
- Address all components and managed interfaces of the information system authorized for operation (e.g., routers, firewalls).
- Formal names of components, as they are known by the project team in functional specifications, configuration guides, other documents and live configurations, shall be named on the diagram and described.
- Components identified in the boundary diagram should be consistent with the network diagram and the inventory(ies).
- Provide a key to the symbols used.
- Ensure consistency between the boundary and network diagrams and their respective descriptions.
- If necessary, include multiple network diagrams.

Delete this and all other instructions from your final version of this document.

ROLES & PRIVILEGES

Cybersecurity roles and responsibilities are based on the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, as described in the corresponding NIST Special Publication. Appendix F (Cybersecurity Roles and Responsibilities) lists the types of roles and responsibilities that are applicable to the CUI environment.

[specific to handling CUI, identify the roles and the privileges associated with those roles]

Role | Internal or External | Privileged (P), Non-Privileged (NP) or No Logical Access (NLA) | Authorized Privileges | Functions Performed

Example:

Role | Internal or External | P / NP / NLA | Authorized Privileges | Functions Performed
UNIX sysadmin | Internal | P | Full Access (root) | Add/remove users and hardware, install and configure software, OS updates, patches and hotfixes, perform backups
Client administrator | Internal | NP | Portal administration | Add/remove client users. Create, modify and delete client applications
Program director | Internal | NLA | None | Reviews, approves and enforces policy

Instruction: This table must include all roles, including systems administrators and database administrators as role types. This includes web server administrators, network administrators and firewall administrators if these individuals have the ability to configure a device or host that could impact CUI. This table must also indicate whether these roles are fulfilled by foreign nationals or by roles that exist outside the United States, since that may impact compliance obligations. Delete this and all other instructions from your final version of this document.

SUPPLY CHAIN OVERVIEW

[provide a descriptive narrative of how vendors are involved in supporting how CUI is stored, processed or transmitted, if applicable]

Example:

There is currently only one (1) vendor involved in the supply chain for the CUI environment:
- Vendor: VENDOR1
- Contract #: (123)
- Support Contact: Jim Somebody
- Services Purchased: Platinum Support (contract # ), 24x7x365 support

ONGOING MAINTENANCE & SUPPORT PLAN

[provide a descriptive narrative of how maintenance operations are conducted. This includes patch management and vulnerability remediation from ongoing vulnerability management scans]

Example:

VENDOR1 is currently providing Professional Services (PS) support for the initial configuration and integration of the tool. Once Technology Infrastructure has its XYZ administrator fully integrated, the amount of external support from XYZ will decrease. Professional Services (PS) engagements will be on a case-by-case basis to augment CS Governance's organic capabilities.

XYZ System Asset Owner: John Doe, SOC Director & contact #
Asset Custodian(s):
- Primary: XXXXX, Role & contact #
- Secondary: XXXXX, Role & contact #

Patching is conducted in accordance with the Vulnerability & Patch Management Program (VPMP).

SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)

OPERATIONAL PHASE

The CUI environment is currently:

Operational Status
[ ] Operational: CUI is being used by systems in a production environment.
[ ] Under Development: CUI is being used by systems in a developmental / testing environment.
[ ] Major Modification: CUI systems are undergoing a major change, development, or transition.
[ ] Other: Explain

The dates planned and dates reached for each phase of the System Development Life Cycle (SDLC) and Control Validation Testing (CVT) milestones:

Traditional SDLC Phase | Date Planned | Date Reached
Initiate | ? | ?
Develop / Design / Acquire | ? | ?
Implement | ? | ?
Operate & Maintain | ? | ?
Dispose | ? | ?

MILESTONES

[Enter a narrative about the milestones planned for the life of the systems that make up the CUI environment]

Example:

XYZ is currently in the operate phase. Updates and changes to XYZ are expected throughout the fiscal year. There are currently no envisioned alterations to XYZ that would severely affect its operational status during updates and changes to the system environment. XYZ will be undergoing major modification during the course of FY2018, including network engineering, security engineering, and systems engineering.

INSTRUCTIONS: All milestones about operational status should be stated. If the system is about to go through a major revision, all milestones along the way should be listed as well. Delete this and all other instructions from your final version of this document.

IDENTIFIED DEFICIENCIES & REMEDIATION PLAN

NIST CYBERSECURITY CONTROLS

The applicable cybersecurity controls from NIST are detailed in Annex 1 (NIST Cybersecurity Controls):
1. Access Control
2. Awareness & Training
3. Audit & Accountability
4. Configuration Management
5. Identification & Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System & Communications Protection
14. System & Information Integrity
15. Non-Federal Organization (NFO) controls from Appendix E

CONTROL DEFICIENCIES

The CUI environment has the following identified control deficiencies:
- Deficiency 1
- Deficiency 2
- Deficiency 3

INSTRUCTIONS: Describe the risks in accordance with the company's Risk Management Program (RMP), which details how risks are categorized and ranked. These risks should match what is in the Plan of Actions & Milestones (POA&M) and have a corresponding risk assessment. Delete this and all other instructions from your final version of this document.

REMEDIATION PLANS

The following control deficiencies have been identified and the associated remediation actions include:
- Deficiency 1
  o Remediation plan details
- Deficiency 2
  o Remediation plan details
- Deficiency 3
  o Remediation plan details

INSTRUCTIONS: Each control deficiency identified in the Control Deficiencies section needs to have a viable remediation plan associated with it. Delete this and all other instructions from your final version of this document.

APPENDIX C: INTERCONNECTIVITY DOCUMENTATION

Instruction: Document the ports, protocols and services that are necessary for the CUI environment to operate. Delete this and all other instructions from your final version of this document.

C-2: NECESSARY PORTS, PROTOCOLS & SERVICES

Source IP | Destination IP | Port | Protocol | Service | Description

Example:

Source IP | Destination IP | Port | Protocol | Service | Description
 | | | TCP | SQL | SQL database communications
 | | | TCP | LDAP | AD authentication
 | | | TCP | SMTP | Mail exchange
 | | | TCP | SQL | SQL database communications
 | | | TCP | LDAP | AD authentication
 | | | TCP | SMTP | Mail exchange
TBD | TBD | TBD | | | Hosted XYZ connection - production
TBD | TBD | TBD | | | Hosted XYZ connection - development
Any | Internal | | TCP | HTTPS | User interface - production
Any | Internal | | TCP | HTTPS | User interface - development
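One check a reviewer can run over the C-2 inventory before it is finalized, added here as an example (it is not part of the SSP template or of any project's code): it parses the table in CSV form, flags rows that still carry TBD or blank endpoints, flags services whose default transport is unencrypted so that the protection in use has to be documented in Appendix D, and flags flows open to any source so that the boundary control for them can be confirmed on the network diagram. The sample rows, IP addresses and port numbers are constructed assumptions that mirror the template's example rows.

```python
"""Consistency checks over a ports, protocols and services (PPS) inventory.

Added example for Appendix C-2; it is not part of the SSP template or any
project's code. The inventory below is constructed to mirror the template's
example rows (including its TBD placeholders); the IP addresses and port
numbers are assumptions made for the example.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory using the Appendix C-2 columns.
SAMPLE_PPS = """\
source_ip,destination_ip,port,protocol,service,description
10.0.10.5,10.0.20.7,1433,TCP,SQL,SQL database communications
10.0.10.5,10.0.30.2,389,TCP,LDAP,AD authentication
10.0.10.5,10.0.40.9,25,TCP,SMTP,Mail exchange
TBD,TBD,TBD,TCP,HTTPS,Hosted XYZ connection - production
Any,Internal,443,TCP,HTTPS,User interface - production
"""

# Services whose common default transport is unencrypted unless TLS (LDAPS,
# STARTTLS, TLS-wrapped database connections) or IPsec is configured. A row
# naming one of these should point at the protection documented in Appendix D.
CLEARTEXT_BY_DEFAULT = {"LDAP", "SMTP", "SQL", "HTTP", "FTP", "TELNET"}

PLACEHOLDERS = {"", "TBD"}


@dataclass(frozen=True)
class Finding:
    row: int      # 1-based row number in the inventory (header excluded)
    kind: str     # "incomplete", "cleartext" or "broad_source"
    detail: str


def parse_pps(text: str) -> list[dict]:
    """Parse the CSV form of the C-2 table into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def check_pps(rows: list[dict]) -> list[Finding]:
    """Return every inventory row that an SSP reviewer would send back."""
    findings = []
    for n, r in enumerate(rows, start=1):
        desc = r["description"]
        # Rows still carrying TBD or blank endpoints cannot be validated
        # against the boundary diagram or turned into firewall rules.
        if any(r[k].strip().upper() in PLACEHOLDERS
               for k in ("source_ip", "destination_ip", "port")):
            findings.append(Finding(n, "incomplete",
                                    f"{desc}: source, destination or port not finalized"))
        service = r["service"].strip().upper()
        if service in CLEARTEXT_BY_DEFAULT:
            findings.append(Finding(n, "cleartext",
                                    f"{service} on port {r['port']}: document the transport protection"))
        # "Any" as a source means the flow crosses the external boundary;
        # the boundary control for it must appear on the network diagram.
        if r["source_ip"].strip().lower() == "any":
            findings.append(Finding(n, "broad_source",
                                    f"{service} reachable from any source: confirm boundary control"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. for a POA&M entry."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in check_pps(parse_pps(SAMPLE_PPS)):
        print(f"row {f.row}: [{f.kind}] {f.detail}")
```

Running the block against the constructed rows reports three cleartext services, one incomplete row and one flow open to any source; each finding maps to a cell the SSP author still has to fill in or to a Connection Security entry in Appendix D.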

APPENDIX D: EXTERNAL SYSTEM CONNECTIONS

Instruction: List all interconnected systems. Provide the IP address and interface identifier (eth0, eth1, eth2) for the system that provides the connection. Name the external organization and the IP address of the external system. For Connection Security, indicate how the connection is being secured. For Data Direction, indicate which direction the packets are flowing. For Information Being Transmitted, describe what type of data is being transmitted. If a dedicated telecom line is used, indicate the circuit number. Add additional rows as needed. Delete this and all other instructions from your final version of this document.

IP Address and Interface | External Organization Name and IP Address of System | External Point of Contact and Phone Number | Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer, etc.) | Data Direction (incoming, outgoing, or both) | Information Being Transmitted | Port or Circuit Numbers
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>

F-3: INFORMATION SECURITY WORK ROLES & RESPONSIBILITIES

Work roles are the most detailed groupings of cybersecurity and related work; each includes a list of the attributes required to perform that role, in the form of Knowledge, Skills, and Abilities (KSAs), and the tasks performed in that role. Work being performed in a job or position is described by selecting one or more work roles from the NICE Framework relevant to that job or position, in support of mission or business processes. To aid in organizing and communicating cybersecurity responsibilities, work roles are grouped into categories and specialty areas.

Category | Specialty Area | Work Role | Work Role ID | Work Role Description
Securely Provision (SP) | Risk Management (RSK) | Authorizing Official/Designating Representative | SP-RSK-001 | Senior official or executive with the authority to formally assume responsibility for operating a system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations.
Securely Provision (SP) | Risk Management (RSK) | Security Control Assessor | SP-RSK-002 | Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP ).
Securely Provision (SP) | Software Development (DEV) | Software Developer | SP-DEV-001 | Develops, creates, maintains, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.
Securely Provision (SP) | Software Development (DEV) | Secure Software Assessor | SP-DEV-002 | Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.
Securely Provision (SP) | Systems Architecture (ARC) | Enterprise Architect | SP-ARC-001 | Develops and maintains business, systems, and information processes to support enterprise mission needs; develops information technology (IT) rules and requirements that describe baseline and target architectures.
Securely Provision (SP) | Systems Architecture (ARC) | Security Architect | SP-ARC-002 | Monitors and ensures that the stakeholder security requirements necessary to protect the organization's mission and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems supporting those missions and business processes.
Securely Provision (SP) | Technology R&D (TRD) | Research & Development Specialist | SP-TRD-001 | Conducts software and systems engineering and software systems research to develop new capabilities, ensuring cybersecurity is fully integrated. Conducts comprehensive technology research to evaluate potential vulnerabilities in cyberspace systems.
Securely Provision (SP) | Systems Requirements Planning (SRP) | Systems Requirements Planner | SP-SRP-001 | Consults with customers to evaluate functional requirements and translate functional requirements into technical solutions.
Securely Provision (SP) | Test and Evaluation (TST) | System Testing and Evaluation Specialist | SP-TST-001 | Plans, prepares, and executes tests of systems to evaluate results against specifications and requirements, and analyzes and reports test results.
Securely Provision (SP) | | Systems Security Developer | SP-SYS-001 | Designs, develops, tests, and evaluates system security throughout the systems development life cycle.

ANNEX 1: NIST CYBERSECURITY CONTROLS

The SSP consists of the applicable NIST rev4 controls, as mapped in Appendix D (CUI controls) and Appendix E (NFO controls) of NIST rev1.

NIST APPENDIX D: ACCESS CONTROL

These controls are associated with access control:

LIMIT SYSTEM ACCESS TO AUTHORIZED USERS, PROCESSES ACTING ON BEHALF OF AUTHORIZED USERS, OR DEVICES (INCLUDING OTHER SYSTEMS).
LIMIT SYSTEM ACCESS TO THE TYPES OF TRANSACTIONS AND FUNCTIONS THAT AUTHORIZED USERS ARE PERMITTED TO EXECUTE.

AC-2 ACCOUNT MANAGEMENT

Summary of Control Implementation

Implementation Status (check all that apply):
[ ] Implemented (internally controlled)
[ ] Implemented (outsourced execution of control)
[ ] Partially Implemented (Identified in POA&M)
[ ] Planned (Identified in POA&M)
[ ] Alternative Implementation (Compensating Controls)
[ ] Not applicable

Process Owner: [name of the individual or team accountable for the procedure being performed]
Process Operator: [name of the individual or team responsible for performing the procedure's tasks]
Occurrence: [how often the procedure is performed]
Location of Additional Documentation: [location where additional documentation can be found, e.g., policies, standards, procedures and other evidence]
Technology in Use: [if applicable, the name of the application/system/service used to perform the procedure]
Description of Control Implementation: [describe the solution and how it is implemented]

AC-3 ACCESS ENFORCEMENT

Summary of Control Implementation

Implementation Status (check all that apply):
[ ] Implemented (internally controlled)
[ ] Implemented (outsourced execution of control)
[ ] Partially Implemented (Identified in POA&M)
[ ] Planned (Identified in POA&M)
[ ] Alternative Implementation (Compensating Controls)
[ ] Not applicable

Process Owner: [name of the individual or team accountable for the procedure being performed]
Process Operator: [name of the individual or team responsible for performing the procedure's tasks]
Occurrence: [how often the procedure is performed]
Location of Additional Documentation: [location where additional documentation can be found, e.g., policies, standards, procedures and other evidence]


FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more. FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from

More information

IASM Support for FISMA

IASM Support for FISMA Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

Continuous Monitoring Strategy & Guide

Continuous Monitoring Strategy & Guide Version 1.0 June 27, 2012 Executive Summary The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point in time security authorization processes to Ongoing Assessment and Authorization

More information

Building Secure Systems

Building Secure Systems Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

NIST Risk Management Framework (RMF)

NIST Risk Management Framework (RMF) NIST Risk Management Framework (RMF) Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA CYBER SECURITY BRIEF Presented By: Curt Parkinson DCMA September 20, 2017 Agenda 2 DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS Clause 252.239-7012 DFARS Clause 252.239-7010

More information

NIST Special Publication

NIST Special Publication NIST Special Publication 800-53 Practical Application of the Minimum Baseline Security Controls Graydon S. McKee IV CISSP, GSEC A Framework for All Seasons With the finalization of Federal Information

More information

QuickBooks Online Security White Paper July 2017

QuickBooks Online Security White Paper July 2017 QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

Access to University Data Policy

Access to University Data Policy UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Watson Developer Cloud Security Overview

Watson Developer Cloud Security Overview Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

NIST Special Publication

NIST Special Publication DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

Data Security: Public Contracts and the Cloud

Data Security: Public Contracts and the Cloud Data Security: Public Contracts and the Cloud July 27, 2012 ABA Public Contract Law Section, State and Local Division Ieuan Mahony Holland & Knight ieuan.mahony@hklaw.com Roadmap Why is security a concern?

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy August 10, 2017 version WORKING DOCUMENT Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy This working

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

Fiscal Year 2013 Federal Information Security Management Act Report

Fiscal Year 2013 Federal Information Security Management Act Report U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring

More information

WELCOME ISO/IEC 27001:2017 Information Briefing

WELCOME ISO/IEC 27001:2017 Information Briefing WELCOME ISO/IEC 27001:2017 Information Briefing Denis Ryan C.I.S.S.P NSAI Lead Auditor Running Order 1. Market survey 2. Why ISO 27001 3. Requirements of ISO 27001 4. Annex A 5. Registration process 6.

More information

WORKSHARE SECURITY OVERVIEW

WORKSHARE SECURITY OVERVIEW WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625

More information

WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc.

WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc. WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc. TABLE OF CONTENTS WRITTEN INFORMATION SECURITY PROGRAM (WISP) OVERVIEW 9 INTRODUCTION 9 PURPOSE 9 SCOPE & APPLICABILITY 10 POLICY

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

April Appendix 3. IA System Security. Sida 1 (8)

April Appendix 3. IA System Security. Sida 1 (8) IA System Security Sida 1 (8) Table of Contents 1 Introduction... 3 2 Regulatory documents... 3 3 Organisation... 3 4 Personnel security... 3 5 Asset management... 4 6 Access control... 4 6.1 Within AFA

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

Special Publication

Special Publication Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP What is Information Security? Personnel Security Cybersecurity

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

Job Aid: Introduction to the RMF for Special Access Programs (SAPs)

Job Aid: Introduction to the RMF for Special Access Programs (SAPs) Contents Terminology... 2 General Terminology... 2 Documents and Deliverables... 2 Changes in Terminology... 3 Key Concepts... 3 Roles... 4 Cybersecurity for SAPs: Roles... 5 Support/Oversight Roles...

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a) 1 Information Security Program Policy 1.2 Management Direction for Information Security 5.1 1.2.8 1.2.1.1 Publishing An Information Security Policy 5.1.1 500.03 1.1.0 2.1.0-2.2.3 3.1.0-3.1.2 4.1.0-4.2.4

More information

Advent IM Ltd ISO/IEC 27001:2013 vs

Advent IM Ltd ISO/IEC 27001:2013 vs Advent IM Ltd ISO/IEC 27001:2013 vs 2005 www.advent-im.co.uk 0121 559 6699 bestpractice@advent-im.co.uk Key Findings ISO/IEC 27001:2013 vs. 2005 Controls 1) PDCA as a main driver is now gone with greater

More information

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below

More information

Four Deadly Traps of Using Frameworks NIST Examples

Four Deadly Traps of Using Frameworks NIST Examples Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro

More information

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) Page 1 of 7 Section O Attach 2: SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) 252.204-7012 Safeguarding of Unclassified Controlled Technical Information. As prescribed in 204.7303,

More information

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes Effective Date: 01/01/2014 Page 1 of 7 REVISION HISTORY Revision No. Revision Date Authors Description of Changes 1.0 11/04/2013 CISO Populate Into Standard Template APPROVED BY This Policy is established

More information