CA.L2-3.12.4  

Reference: CMMC v2.13

Family: CA

Level Introduced: 2

Title: System Security Plan

Practice:
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Further Discussion:
A system security plan (SSP) is a document that outlines how an organization implements its security requirements. OSAs must have an SSP in place at the time of assessment to describe each information system within the CMMC Assessment Scope. The absence of an up-to-date SSP at the time of the assessment would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012. OSAs are free to choose the format of their SSP. At a minimum, an SSP must include:
• Description of the CMMC Assessment Scope;
• CMMC Assessment Scope Description: high-level description of the assets within the assessment scope186;
• Description of the Environment of Operation: physical surroundings in which an information system processes, stores, and transmits information;
• Identified and Approved Security Requirements: requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted;
• Implementation Method for Security Requirements: description of how the identified and approved security requirements are implemented with the system or environment;
• Connections and Relationships to Other Systems and Networks: description of related, dependent, and interconnected systems; and
• Defined Frequency of Updates: at least annually.

In addition to the requirements above, an SSP often includes:
• general information system description: technical and functional description;
• design philosophies: defense-in-depth strategies and allowed interfaces and network protocols; and
• roles and responsibilities: description of the roles and responsibilities for key personnel, which may include the system owner, system custodian, authorizing officials, and other stakeholders

This requirement, CA.L2-3.12.4, which requires developing, documenting, and updating system security plans, promotes effective information security within organizational systems required by SC.L2-3.13.2, as well as other system and communications protection requirements.

Example
You are in charge of system security. You develop an SSP and have senior leadership formally approve the document [a]. The SSP explains how your organization handles CUI and defines how that data is stored, transmitted, and protected [d,e]. The criteria outlined in the SSP is used to guide configuration of the network and other information resources to meet your company’s goals. Knowing that it is important to keep the SSP current, you establish a policy that requires a formal review and update of the SSP each year [g,h].

Potential Assessment Considerations
• Do mechanisms exist to develop and periodically update an SSP [a,g]?
• Are security requirements identified and approved by the designated authority as non-applicable documented [d]?

Source: CMMC v2.13