System Security Plan
Prepared by
Identification of Organization that Prepared this Document
|
|
Organization Name
|
.
|
Street Address
|
|
Suite/Room/Building
|
|
City, State Zip
|
|
Prepared for
Template Revision History
Date
|
Description
|
|
Original publication
|
10/21/2016
|
Removed tables in Sec 15.12 FedRAMP Laws and Regulations
Removed revision history tables in all of Sec 15
Removed Acronyms - see FedRAMP Master Acronyms and Glossary resource document
Added PTA to Sec 15.4 PTA and PIA
Added E-Authentication to Sec 15.3
Added FIPs to Sec 15.10 FIPS 199
Changed Inventory instruction and guidance Section 10 and Attachment 13
Removed chapter numbers from Attachments
Removed 3 questions from Sec 2.3 E-Authentication Determination
|
6/6/2017
|
Updated logo
|
8/28/2018
|
Revised controls for language consistency, updated section 2.3 and Attachment 3, added guidance to SA -9, updated requirements in RA-5
|
Document Revision History
Date
|
Description
|
Version
|
Author
|
|
|
|
|
|
|
|
|
|
|
|
|
How to contact us
For questions about FedRAMP, or for technical questions about this document including how to use it, contact info@FedRAMP.gov
For more information about the FedRAMP project, see www.FedRAMP.gov
Instruction: The System Security Plan is the main document in which the Cloud Service Provider (CSP) describes all the security controls in use on the information system and their implementation.
This document is released in template format. Once populated with content, this document will include detailed information about service provider information security controls.
This document is intended to be used by service providers who are applying for a Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) or an Agency Authorization to Operate (ATO) through the Federal Risk and Authorization Management Program (FedRAMP).
In the sections that follow, describe the information security control as it is implemented on the system. All controls originate from a system or from a business process. It is important to describe where the control originates from so that it is clear whose responsibility it is to implement, manage and monitor the control. In some cases, the responsibility is shared by a CSP and by the customer. Use the definitions in the table that follows to indicate where each security control originates from.
Note that “-1” Controls (AC-1, AU-1, SC-1, etc.)* cannot be inherited and must be described in some way by the service provider.
*Access Control (AC), Audit and Accountability (AU), System and Communications Protection (SC)
Throughout this SSP, policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
For System as a Service (SaaS) and Platform as a Service (PaaS) systems that are inheriting controls from an Infrastructure as a Service (IaaS) (or anything lower in the stack), the “inherited” check box must be checked and the implementation description must simply say “inherited.” FedRAMP reviewers will determine whether the control-set is appropriate or not.
In Section 13, the National Institute of Standards and Technology (NIST) term "organization defined" must be interpreted as being the CSP's responsibility unless otherwise indicated. In some cases, the JAB has chosen to define or provide parameters, in others they have left the decision up to the CSP.
Delete this instruction from your final version of this document.
Share with your friends: |