HUD System Security Plan Template v.1P 20090518


SYSTEM SECURITY PLAN

TEMPLATE

“Enter Entity Name Here”

SYSTEM SECURITY PLAN TEMPLATE


Version 1.0

“Date XX/XX/XXXX”

[SYSTEM NAME]
[Organization]

[DATE PREPARED]

Prepared by:

Preparing Organization
TABLE OF CONTENTS
SYSTEM SECURITY PLAN REVIEW/APPROVAL SHEET ... iii
SYSTEM SECURITY PLAN REVIEW SHEET ... iv
SYSTEM SECURITY PLAN CHANGE INFORMATION PAGE ... v
A1 SYSTEM IDENTIFICATION ... 1
  A1.1 System Name/Title ... 1
  A1.2 Responsible Organization ... 1
  A1.3 Information Contact(s) ... 1
  A1.4 Assignment of Security Responsibility ... 2
A2 OPERATIONAL STATUS ... 2
A3 GENERAL DESCRIPTION/PURPOSE ... 3
A4 SYSTEM ENVIRONMENT ... 3
A5 SYSTEM INTERCONNECTION/INFORMATION SHARING ... 4
A6 SENSITIVITY OF INFORMATION HANDLED ... 5
  A6.1 Applicable Laws or Regulations Affecting the System ... 6
  A6.2 General Description of Information Sensitivity ... 7
  A6.3 Protection/Certification Requirements ... 12
A7 RISK SUMMARY ... 13
B1-B5 MANAGEMENT CONTROLS ... 14
  B1 Risk Management ... 15
  B2 Review of Security Controls ... 16
  B3 Life Cycle ... 17
  B4 Authorize Processing (C&A) ... 19
  B5 System Security Plan
B6-B14 OPERATIONAL CONTROLS ... 20
  B6 Personnel Security ... 20
  B7 Physical and Environmental Protection ... 22
  B8 Production, Input/Output Controls ... 25
  B9 Contingency Planning ... 25
  B10 Hardware and System Software Maintenance ... 30
  B11 Data Integrity ... 32
  B12 Documentation ... 35
  B13 Security Awareness, Training, and Education ... 36
  B14 Incident Response Capability ... 36
B15-B17 TECHNICAL CONTROLS ... 38
  B15 Identification and Authentication ... 38
  B16 Logical Access Controls ... 39
  B17 Audit Trails ... 43
Appendix A – [SYSTEM NAME] Rules of Behavior ... A-1
INDEX ... B-1

[Date Prepared] Page ii


[SYSTEM NAME]
SYSTEM SECURITY PLAN REVIEW/APPROVAL SHEET

System Owner:

Name: Signature Date

Security Officer:

Name: Signature Date

Security Reviewer:

Name: Signature Date



[SYSTEM NAME] SECURITY PLAN REVIEW SHEET

This Security Plan has been updated and approved on the following dates to account for the latest
changes. This task will be completed at least annually.

Approval Date Name of Security Officer Signature of Security Officer



[SYSTEM NAME] SECURITY PLAN CHANGE INFORMATION PAGE

Issue Date Pages Affected Description

Original MM/DD/YYYY All Initial Draft Version



INTRODUCTION
The completion of System Security Plans (SSPs) is required to identify each computer system that
contains sensitive information, and to prepare and implement a plan for the security and privacy of these
systems. The objective of system security planning is to improve protection of information technology
(IT) resources. All information systems have some level of sensitivity, and require protection as part of
best management practices. The protection of a system must be documented in a system security plan.

The security plan is viewed as documentation of the structured process of planning adequate, cost-
effective security protection for a system. It reflects input from management responsible for the system,
including information owners, the system operator, the system security manager, and system
administrators. The system security plan delineates responsibilities and expected behavior of all
individuals who access the system.

The purpose of this security plan is to provide an overview of the security of the System Name and
describe the controls and critical elements in place or planned for, based on NIST Special Publication
(SP) 800-53, Recommended Security Controls for Federal Information Systems. Each applicable
security control has been identified as either in place or planned. This SSP follows guidance contained
in NIST Special Publication (SP) 800-18, Guide for Developing Security Plans for Information
Technology Systems.

This plan was developed by [identify team or individual who developed the plan] under the direction of
the [specify Entity Name manager for whom the work was performed]. This plan is based upon a review
of the environment, documentation, Federal, State, and Entity Name regulations/guidance, and
interviews with the information system personnel conducted between [dates]. In addition to this System
Security Plan (SSP), [specify other security documentation developed as part of the same task; e.g., “a
Risk Assessment (RA), Security Test and Evaluation (ST&E), and Plan of Action and Milestones
(POA&M) have been developed under this task”].

Documented in this plan are findings that indicate that there are weaknesses in System Name security
controls that need to be corrected. These findings are summarized as follows:

- Identify here each significant risk finding.
- Identify here each significant risk finding.
- Identify here each significant risk finding.

To permit the system to operate on the basis of minimum Entity Name security requirements being met,
the system owner should take action to implement planned corrective actions specified in this security
plan as rapidly as resources permit.



SECTION A1 SYSTEM IDENTIFICATION
A1.1 System Name/Title
Discussion: Enter the system name and acronym given to the general support system or application.

A1.2 Responsible Organization

Discussion: In this section, list the organization that owns and is responsible for the data in the
application. The responsible organization owns the system, the data it contains, and controls the use of
the data. List the federal organizational sub-component responsible for the system. If a state or local
government or contractor performs the function, identify both the federal and other organization and
describe the relationship. Be specific about the organization and do not abbreviate. Include physical
locations and addresses.

The responsible organization owns the system, the data it contains, and controls the use of the data.

Example:
Office of Financial Management
Office of the Secretary
Corporation Name
451 7th Street S.W.,
Washington, DC 20410

The System is maintained by:
Appropriate Contractor Firm
1234 Main St
Anywhere, USA, 12345

A1.3 Information Contact(s)

Discussion: Specify the program owner, program manager and the system manager to contact for
further information regarding the security plan and the system. Include their address, telephone
numbers, and e-mail. List the name, title, organization, and telephone number of one or more persons
designated to be the point(s) of contact for this system. The contacts given should be identified as the
system owner, program manager, and system manager. The designated persons should have sufficient
knowledge of the system to be able to provide additional information or points of contact, as needed.

The designated person(s) have sufficient knowledge of the system to be able to provide additional
information or points of contact regarding the security plan and the system, as needed.

Example:
System Owner
Jane Roe
Director, Information Resource Management Office
Corporation Name
451 7th Street S.W.,
Washington, DC 20410
202-708-1234
ima.pony@abc.Entity.gov



Designated Representative
John Doe
Corporation Name
Office of ABC
451 7th Street S.W.,
Washington, DC 20410
202-708-1234
john.doe@abc.Entity.gov

A1.4 Assignment of Security Responsibility

Discussion: List the Information System Security Officer (ISSO), or other person(s) responsible for the
security of the system, including their address and phone number. An individual must be assigned
responsibility in writing to ensure that “System Name” has adequate security. To be effective, this individual
must be knowledgeable of the management, operational, and technical controls used to protect the
system. Include the name, title, and telephone number of the individual who has been assigned
responsibility for the security of the system.

You may also want to consider sending a memorandum from the organizational manager (or equivalent)
to the person (or persons) identified in the SSP as responsible for security to officially confirm their
appointment. If a memorandum is done, be sure to include a signed copy with the SSP.

The designated person(s) responsible for the security of the system has been assigned responsibility in
writing to ensure that the “System Name” has adequate security and is knowledgeable of the
management, operational, and technical controls used to protect the system.

Example:
Information System Security Officer
Albert Einstein
Corporation Name
Office of ABC
451 7th Street S.W.,
Washington, DC 20410
202-708-1234
albert.einstein@abc.Entity.gov

A2 OPERATIONAL STATUS
Discussion: Indicate whether the system is operational, under development (or acquisition), or
undergoing a major modification. Include date of operation, expected implementation, or completion
of modification. In this section discuss: the history of the system; the date the system became or will
become operational; if the system is undergoing modification; and all other pertinent information. All
milestones until operational status should be stated. If the system is about to go through a major
revision, all milestones along the way should be listed as well.

Example: The ABC LAN is currently in the operational and maintenance phase. Updates and changes
to the ABC LAN are expected throughout the fiscal year. There are currently no envisioned alterations
to the ABC LAN that would severely affect its operational status during updates and changes to the
system environment. The ABC system is currently in the operational and maintenance phase of the
system life cycle. The system will be undergoing major modification during the course of FY 2006,
including network engineering, security engineering, and systems engineering.

A3 GENERAL DESCRIPTION/PURPOSE
Discussion: Present a brief description (one to three paragraphs) of the function and purpose of the
system (e.g., economic indicator, network support for an organization, business census data analysis, and
crop reporting support). Be sure to include the type(s) of information that the “System Name” processes.
If the system is a general support system, list all applications supported by the general support system.
Specify if the application is or is not a major application and include unique name/identifiers, where
applicable. Describe each application's function and the information processed. Include a list of user
organizations, whether they are internal or external to the system owner’s organization, and a general
description of the type of information and processing provided. Request information from the
application owners (and a copy of the security plans for major applications) to ensure their requirements
are met.

Example: The ABC LAN is the communication system designed to provide the services and
resources needed to support the operations of ABC’s users. The ABC LAN supports the following
applications:

StarrFW, Application5 & Application3.

A4 SYSTEM ENVIRONMENT
Discussion: Provide a brief (one to three paragraphs) general description of the technical system. Include
any environmental or technical factors that raise special security concerns, such as:
- The system is connected to the Internet;
- It is located in a harsh or overseas environment;
- Software is rapidly implemented;
- The software resides on an open network used by the general public or with overseas access;
- The application is processed at a facility outside of the organization's control; or
- The general support mainframe has dial-up lines.

Describe the primary computing platform(s) used (e.g., mainframe, desktop, Local Area Network (LAN)
or Wide Area Network (WAN)). Include a general description of the principal system components,
including hardware, software, and communications resources. Provide server names and IP addresses.
Discuss the type of communications included (e.g., dedicated circuits, dial circuits, public data/voice
networks, Internet). Describe controls used to protect communication lines in the appropriate sections of
the security plan.

Include any security software protecting the system and information. Describe in general terms the type
of security protection provided (e.g., access control to the computing platform and stored files at the
operating system level or access to data records within an application). Include only controls that have
been implemented or are planned, rather than listing the controls that are available in the software.
Controls that are available, but not implemented, provide no protection.

Specify any system components that are essential to its operation, but that are not included within the
scope of the plan, and the reason that this is so (i.e., covered under another plan, etc.).

Lastly, insert the system architecture diagram in this section after the text description.

Example: The ABC system is housed in a government-owned building in Washington, DC. The entire
building is occupied by the Corporation Name and contractor personnel and is not open to the general
public. The ABC LAN operates Microsoft NT, version 4.0, and workstations run Windows 95. The
security software protecting all system resources is the built-in security of Microsoft Windows NT. The
ABC LAN supports all office automation applications for ABC. The ABC LAN has dial-up lines from
each subordinate site. Users are required to be authenticated with user ID and password before access is
granted to the network. Additionally, a personal firewall and up-to-date antivirus software are installed on
each user’s machine prior to the laptop being issued for travel.

[Insert System Diagram Here]

A5 SYSTEM INTERCONNECTION/INFORMATION SHARING

Discussion: System interconnection is the direct connection of systems for the purpose of sharing
information resources. System interconnection, if not appropriately protected, may result in a
compromise of all connected systems and the data they store, process, or transmit. It is important that
system operators, information owners, and management obtain as much information as possible about
the vulnerabilities associated with system interconnection and information sharing and the increased
controls required to mitigate those vulnerabilities. The security plan for the systems often serves as a
mechanism to effect this security information exchange and allows management to make informed
decisions regarding risk reduction and acceptance.

A written management authorization (often in the form of a Memorandum of Understanding or
Agreement) is required to be obtained prior to connecting with other systems and/or sharing sensitive
data/information. The written authorization shall detail the rules of behavior and controls that must be
maintained by the interconnecting systems. A description of the rules for interconnecting systems and
for protecting shared data must be included with this security plan.

In this section, provide the following information concerning the authorization for the connection to
other systems or the sharing of information:

- List of interconnected systems (including Internet);
- Unique system identifiers, if appropriate;
- Name of system(s);
- Organization owning the other system(s);
- Type of interconnection (TCP/IP, Dial, SNA, etc.);
- Short discussion of major concerns or considerations in determining interconnection (do not repeat
  the system rules included in Section 4.3);
- Name and title of authorizing management official(s);
- Date of authorization;
- System of Record, if applicable (Privacy Act data);
- Sensitivity level of each system;
- Interaction among systems; and
- Security concerns and Rules of Behavior of the other systems that need to be considered in the
  protection of this system.

Example: The ABC LAN is interconnected with the ENTITY XYZ backbone for Internet and Intranet
access. The ABC LAN is a level II system and the information within the ABC LAN is currently shared
with other ENTITY activities and other Federal agencies. MOUs dated 12 Oct 02 exist that have been
approved by legal and are on file with the ISSO. The Rules of Behavior have to be read, understood, and
signed by each user.

A6 SENSITIVITY OF INFORMATION HANDLED

Discussion: This section provides a description of the types of information handled by the system and
an analysis of the sensitivity of the information. The sensitivity of the information stored within,
processed by, or transmitted by a system provides a basis for the value of the system and is one of the
major factors in risk management. The description will provide information to a variety of users,
including:

- Analysts/programmers who will use it to help design appropriate security controls;
- Internal and external auditors evaluating system security measures; and
- Managers making decisions about the reasonableness of security countermeasures.

Sensitivity levels range from low to high based on the type(s) of
information processed. Exhibit 1 below summarizes the sensitivity levels, while Exhibit 2 provides
examples of the types of information that fall into each sensitivity category. Determine the sensitivity
level of the information based on the information in Exhibits 1 and 2. Indicate the overall system
sensitivity level by using the highest data sensitivity level from the table. These sensitivity levels also
apply to systems under development. Include a statement of the estimated risk and magnitude of harm
resulting from the loss, misuse, or unauthorized access to or modification of information in the system.
The description must contain information on applicable laws, regulations, and policies affecting the
system and a general description of sensitivity. The nature of the information sensitivity and criticality
must be described in this section.


Exhibit 1: Sensitivity Levels and Descriptions

Sensitivity Level: High
Description of Sensitivity Level: Data stored, processed, or transported by computer or telecommunications
resources, the inaccuracy, alteration, disclosure, or unavailability of which:
- Would have an IRREPARABLE IMPACT on Major Application (MA) or General Support System (GSS)
  functions, image, or reputation, such that the catastrophic result would not be able to be repaired or
  set right again, or
- Could result in LOSS OF MAJOR TANGIBLE ASSETS or resources, including posing a threat to human life

Sensitivity Level: Moderate
Description of Sensitivity Level: Data stored, processed, or transported by computer or telecommunications
resources, the inaccuracy, alteration, disclosure, or unavailability of which:
- Would have an ADVERSE IMPACT on MA or GSS missions, functions, image, or reputation, such that the
  impact would place the MA at a significant disadvantage, or
- Could result in LOSS OF SIGNIFICANT TANGIBLE ASSETS or resources

Sensitivity Level: Low
Description of Sensitivity Level: Data stored, processed, or transported by computer or telecommunications
resources, the inaccuracy, alteration, disclosure, or unavailability of which:
- Would have a MINIMAL IMPACT on MA or GSS missions, functions, image, or reputation, such that the
  impact would result in the least possible significant unfavorable condition with a negative outcome, or
- Could result in LOSS OF SOME TANGIBLE ASSETS or resources

Example: The ABC LAN is the primary communications network that supports ABC’s users in their
day-to-day operations. This network is continuously used during business and non-business hours. The
confidentiality, integrity, and availability of the ABC LAN are critical, i.e., ensuring that data is only
received by the person for whom it is intended, that data is not subject to unauthorized or accidental
alterations, and that the resources are available when needed.

A6.1 Applicable Laws or Regulations Affecting the System


Discussion: List any laws, regulations, or policies that establish specific requirements for
confidentiality, integrity, or availability of data/information in this specific application. The Computer
Security Act of 1987, OMB Circular A-130, and general agency security requirements need not be listed
since they mandate security for all systems. Each organization should decide on the level of laws,
regulations, and policies to include in the security plan. Examples might include the Privacy Act or a
specific statute or regulation concerning the information processed (e.g., tax or census information). If
the system processes records subject to the Privacy Act, include the number and title of the Privacy Act
system(s) of records and whether the system(s) are used for computer matching activities.

See the NIST Computer Security Division’s Computer Security Resource Clearinghouse (CSRC) Web
site for additional information (http://csrc.nist.gov). CSRC contains information on a wide variety of
computer security resources, including a list of applicable laws and regulations.

Example: This section shows the Federal laws, regulatory guidance, and directives that drive
Department of Corporation Name’s IT security program.
- Federal Information Security Management Act (FISMA) of 2002
- Computer Fraud and Abuse Act of 1986, as amended
- Computer Security Act of 1987
- Privacy Act of 1987
- OMB Circular No. A-130, Appendix III
- Federal Information Processing Standard 199
- NIST SP 800-18 - Guide for Developing Security Plans for Information Technology Systems,
  December 1998
- NIST SP 800-30 - Risk Management Guide for Information Technology Systems, July 2002
- NIST SP 800-30 - Risk Management Guide for Information Technology Systems, January 2002
- NIST SP 800-34 - Contingency Planning Guide for Information Technology Systems, June 2002
- NIST SP 800-37 - Guide for the Security Certification and Accreditation of Federal
  Information Systems, May 2004
- NIST SP 800-53 - Recommended Security Controls for Federal Information Systems, February 2005
- NIST SP 800-60 - Guide for Mapping Types of Information and Information Systems to
  Security Categories, June 2004

A6.2 General Description of Information Sensitivity


The following table provides a general description of the information handled by the system and the
need for protective measures.

Exhibit 2: Information Categories


Discussion: This table should be copied from the Risk Assessment Report in its entirety. Ensure that
only those information categories applicable to the system/application are included, deleting the
rows that do not apply. For each category of information, describe protection requirements on the basis
of its need for confidentiality, integrity, and availability. Do not rank protection requirements (i.e.,
“Low,” “Moderate,” “High”) in this table; that is performed in Exhibit 3.

Information Category: Information about persons
Explanation and Examples: Information related to personnel, medical, and similar data. Includes all
information covered by the Privacy Act of 1974 (e.g., salary data, social security information, passwords,
user identifiers (IDs), EEO, personnel profile (including home address and phone number), medical
history, employment history (general and security clearance information), and arrest/criminal
investigation history).
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Financial, budgetary, commercial, proprietary and trade secret information
Explanation and Examples: Information related to financial information and applications, commercial
information received in confidence, or trade secrets (i.e., proprietary, contract bidding information,
sensitive information about patents, and information protected by the Cooperative Research and
Development Agreement). Also included is information about payroll, automated decision making,
procurement, inventory, other financially-related systems, and site operating and security expenditures.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Internal administration
Explanation and Examples: Information related to the internal administration of “System Name”.
Includes personnel rules, bargaining positions, and advance information concerning procurement actions.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Investigation, intelligence, Critical Element related, and security information
Explanation and Examples: Information related to investigations for law enforcement purposes;
intelligence Critical Element related information that cannot be classified but is subject to
confidentiality and extra security controls. Includes security plans, contingency plans, emergency
operations plans, incident reports, reports of investigations, risk or vulnerability assessments,
certification reports; does not include general plans, policies, or requirements.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Other Federal, State or agency information
Explanation and Examples: Information that is required by statute to be protected, or which has come
from another Federal, state or agency and requires release approval by the originating agency.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: New technology or controlled scientific information
Explanation and Examples: Information related to new technology, scientific information that is
prohibited from disclosure to certain foreign governments, or that may require an export license from
the Department of State and/or the Department of Commerce.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Mission-critical information
Explanation and Examples: Information designated as critical to a “System Name” mission; includes
vital statistics information for emergency operations.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Operational information
Explanation and Examples: Information that requires protection during operations; usually
time-critical information.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Life-critical information
Explanation and Examples: Information critical to life-support systems (i.e., information where
inaccuracy, loss, or alteration could result in loss of life).
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Other sensitive information
Explanation and Examples: Any information for which there is a management concern about its
adequate protection, but which does not logically fall into any of the above categories. Use of this
category should be rare.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: System configuration management information
Explanation and Examples: Any information pertaining to the internal operations of a network or
computer system, including, but not limited to, network and device addresses, system and protocol
addressing schemes implemented at “Entity Name”, network management information protocols,
community strings, network information packets, etc., device and system passwords, and device and
system configuration information.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Information Category: Public information
Explanation and Examples: Any information that is declared for public consumption by official
“Entity Name” authorities. This includes information contained in press releases approved by Public
Affairs or other official ENTITY source. It also includes information placed on public access
world-wide-web (WWW) servers.
Protection Requirements:
- Confidentiality – [describe why the confidentiality of system data needs protection]
- Integrity – [describe why the integrity of system data needs protection]
- Availability – [describe why the availability of the system must be safeguarded]

Example:

Information about persons
 Explanation and Examples: Information related to personnel, medical, and similar data. Includes all
 information covered by the Privacy Act of 1974 (e.g., salary data, social security information,
 passwords, user identifiers (IDs), EEO, personnel profile (including home address and phone number),
 medical history, employment history (general and security clearance information), and arrest/criminal
 investigation history).
 Protection Requirements:
  Confidentiality – The system contains personal information relating to payroll processing for
  approximately 175 personnel.
  Integrity – The accuracy of employee payroll transactions is based upon the integrity of personal
  data used by the system.
  Availability – Non-availability of the system would result in a noticeable impact on “Entity Name”
  missions, functions, image, or reputation. However, the impact is diminished since operations can be
  resumed by manual means in degraded form for an extended period.


A6.3 Protection/Certification Requirements
The following table documents general protection and certification requirements for the system.
The purpose of this table is to establish the protection requirements for the system, and to document the
level of effort that will be required to certify the system. Rank as High, Moderate, or Low, and justify
the ranking for each of the three primary security concerns. Then rank the system’s exposure to external
threats, and for systems with High confidentiality concerns, rank the exposure to internal threats. Use
FIPS 199 and NIST Special Publication 800-37 to complete this table.

Exhibit 3: Protection/Certification Requirements

Concern | Ranking (Low-Mod-High) | Justification

Sensitivity
 Confidentiality | |
 Integrity | |
 Availability | |

Certification Level of Effort | Select either Low, Moderate, or High according to the highest sensitivity
ranking from above | Delete the two that do not apply:
 Low = Low intensity, checklist-based, independent security review
   Interview of personnel
   Review of system-related security policies, procedures, documents
   Observation of system operations and security controls
 Moderate = Moderate intensity, demonstration-based, independent assessment
   Functional testing
   Regression analysis and regression testing
   Penetration testing (optional)
   Demonstrations to verify security control correctness and effectiveness
   Low Certification Level verification techniques (if appropriate)
 High = High intensity, exercise-based, independent assessment
   System design analysis
   Functional testing with coverage analysis
   Regression analysis and regression testing
   Penetration testing (Red Team optional)
   Demonstrations and exercises to verify security control correctness and effectiveness
   Low and Moderate Certification Level verification techniques (if appropriate)

EXAMPLE

Concern | Ranking (Low-Mod-High) | Justification

Sensitivity (from Table 3.1, NIST SP 800-37)
 Confidentiality | Low | The consequences of unauthorized disclosure or compromise of data or information
 in the system are generally acceptable. The loss of confidentiality could be expected to affect ENTITY
 level interests and have some negative impact on mission accomplishment.
 Integrity | Moderate | The consequences of corruption or unauthorized modification of data or information
 in the system are only marginally acceptable. Loss of integrity could be expected to adversely affect
 “Entity Name” level interests, and degrade mission accomplishment.
 Availability | Low | The consequences of loss or disruption of access to system resources or to data or
 information in the system are generally acceptable. The loss of availability could be expected to affect
 “Entity Name” level interests and have some negative impact on mission accomplishment.

Certification Level of Effort | Moderate | Moderate intensity, demonstration-based, independent assessment
(the highest sensitivity ranking above is Moderate, for Integrity):
   Functional testing
   Regression analysis and regression testing
   Penetration testing (optional)
   Demonstrations to verify security control correctness and effectiveness
   Low Certification Level verification techniques (if appropriate)

A7 RISK SUMMARY
The results of the [System Name] Risk Assessment indicated that the risks to system resources in the areas
of Management, Operational, and Technical controls are as follows:

Summarize risk assessment findings below


 Management Controls: The most significant management control related risks include
[summarize weaknesses in management controls here, e.g., “weaknesses in the approval of
security plan and risk assessment documentation; lack of rules of behavior; and, the lack of a
formal authorization to operate.”]

 Operational Controls: Significant operational control risks include [summarize weaknesses in


operational controls here, e.g., “the lack of media controls; background screening controls; lack
of documented instructions for requesting, establishing, issuing and closing user accounts; lack
of periodic validation of user accounts; and, lack of restrictions on software/hardware
maintenance personnel.”]

 Technical Controls: The most significant technical control risks include [summarize
weaknesses in technical controls here, e.g., “the failure to implement a log-on banner; failure to
detect unauthorized access attempts through auditing; and the lack of periodic vulnerability
scanning.”]

Risks in areas such as natural, environmental, human intentional and human unintentional threats were
assessed. The assessment found that identified risks could be fully mitigated through the implementation
of the security controls specified in Table 5-1 of the [System Name] Risk Assessment.


Figure 5.1: [Insert the risk summary chart from the [System Name] Risk Assessment here]

Figure 5.1 above summarizes the risks identified in the [System Name] Risk Assessment. The [Number]
vulnerabilities found in [System Name] controls are ranked as low, medium and/or high risk. Therefore,
[System Name] is categorized as having a [low, medium or high] level of risk.

SECTION B CONTROLS IDENTIFICATION


This section documents management, operational and technical controls requirements for the system and
their status as being either in place or planned in accordance with NIST SP 800-18.

For SCL-1 (Low Impact) systems the Controls Identification section will consist of the following
Controls Status Summary Table and a completed Minimum Security Baseline Assessment.

Exhibit 4: Controls Status Summary Table (SCL-1 Systems Only)

Control Category | In Place | Planned
Risk Assessment
Planning
Systems and Services Acquisition
Certification, Accreditation, and Security Assessments
Personnel Security
Physical and Environmental Protection
Contingency Planning
Configuration Management
Maintenance
System and Information Integrity
Media Protection
Incident Response
Awareness and Training
Identification and Authentication
Access Controls
Audit and Accountability
System and Communications Protection

For SCL-1 systems, insert the completed Minimum Security Baseline Assessment here and disregard (delete)
Sections B1-B17 below.

B1-B4 MANAGEMENT CONTROLS


This section describes management controls applicable to the [System Name].

B1 Risk Assessment (RA)


The status of risk assessment controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | In Place | Planned | [Document how the control
has been specifically implemented for the system; describe actions that are planned to complete
implementation]

RA-1 Risk Assessment Policy and Procedures: The organization develops, disseminates, and periodically
reviews/updates: (i) a formal, documented risk assessment policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and compliance; and
(ii) formal, documented procedures to facilitate the implementation of the risk assessment policy and
associated risk assessment controls.

RA-2 Security Categorization: The organization categorizes the information system and the information
processed, stored, or transmitted by the system in accordance with applicable laws, Executive Orders,
directives, policies, regulations, standards, and guidance and documents the results (including
supporting rationale) in the system security plan. Designated senior-level officials within the
organization review and approve the security categorizations.

RA-3 Risk Assessment: The organization conducts assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption, modification, or destruction of
information and information systems that support the operations and assets of the agency (including
information and information systems managed/operated by external parties).

RA-4 Risk Assessment Update: The organization updates the risk assessment [Assignment:
organization-defined frequency] or whenever there are significant changes to the information system, the
facilities where the system resides, or other conditions that may impact the security or accreditation
status of the system.

RA-5 Vulnerability Scanning: The organization scans for vulnerabilities in the information system
[Assignment: organization-defined frequency] or when significant new vulnerabilities potentially
affecting the system are identified and reported.

RA-5 (1) Vulnerability Scanning: The organization employs vulnerability scanning tools that include the
capability to readily update the list of information system vulnerabilities scanned.

RA-5 (2) Vulnerability Scanning: The organization updates the list of information system vulnerabilities
scanned [Assignment: organization-defined frequency] or when significant new vulnerabilities are
identified and reported.

RA-5 (3) Vulnerability Scanning: The organization employs vulnerability scanning procedures that can
demonstrate the breadth and depth of scan coverage, including vulnerabilities checked and information
system components scanned.
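RA-5 (3) asks the organization to show the breadth and depth of scan coverage, that is, which components were scanned and which checks were run against them, and the base RA-5 control ties scanning to an organization-defined frequency. The script below is an added example written for this template; it is not part of the HUD template, of NIST SP 800-53, or of any scanner's own tooling. It reconciles a constructed component inventory against constructed scanner output and reports four kinds of gap: components never scanned (breadth), components scanned without credentials or without the check families expected for their role (depth), components whose last scan is older than the defined frequency, and scanned addresses that are not in the inventory (boundary drift). The role-to-check-family mapping, the check identifiers, the hostnames, addresses, dates, and the 90-day frequency are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    """One asset inside the accreditation boundary (constructed inventory entry)."""
    hostname: str
    ip: str
    role: str            # assumption: the role decides which check families apply


@dataclass(frozen=True)
class ScanResult:
    """What the scanner reported for one address (constructed scanner output)."""
    ip: str
    scanned_on: date
    checks_run: frozenset   # identifiers of the check families the scanner executed
    credentialed: bool      # an authenticated scan sees patch level and configuration


# Hypothetical check-family identifiers per role; these are not real scanner plugin IDs.
REQUIRED_CHECKS = {
    "web": frozenset({"OS-PATCH", "TLS-CONFIG", "WEB-APP"}),
    "database": frozenset({"OS-PATCH", "DB-CONFIG"}),
    "network": frozenset({"OS-PATCH", "SNMP-COMMUNITY"}),
}

# Constructed inventory for a hypothetical system boundary.
INVENTORY = [
    Component("app01", "10.1.2.10", "web"),
    Component("app02", "10.1.2.11", "web"),
    Component("db01", "10.1.2.20", "database"),
    Component("mgmt01", "10.1.2.30", "network"),
]

# Constructed scan run: app02 is absent, db01 was scanned unauthenticated and without the
# DB-CONFIG family, mgmt01's last scan predates the frequency window, and 10.1.2.99 is not
# in the inventory at all.
SCAN = [
    ScanResult("10.1.2.10", date(2009, 5, 10), frozenset({"OS-PATCH", "TLS-CONFIG", "WEB-APP"}), True),
    ScanResult("10.1.2.20", date(2009, 5, 10), frozenset({"OS-PATCH"}), False),
    ScanResult("10.1.2.30", date(2009, 2, 1), frozenset({"OS-PATCH", "SNMP-COMMUNITY"}), True),
    ScanResult("10.1.2.99", date(2009, 5, 10), frozenset({"OS-PATCH"}), True),
]

FREQUENCY_DAYS = 90            # assumed organization-defined scan frequency
AS_OF = date(2009, 5, 18)      # assumed date of the coverage review


def coverage_report(inventory, scan, frequency_days=FREQUENCY_DAYS, as_of=AS_OF,
                    required=REQUIRED_CHECKS):
    """Compare the inventory with scanner output and return the gaps as a dict.

    breadth:  components with no scan record at all (RA-5 (3): components scanned)
    depth:    components missing required check families or scanned without
              credentials (RA-5 (3): vulnerabilities checked)
    stale:    components whose last scan is older than frequency_days (RA-5)
    unknown:  scanned addresses outside the inventory (boundary drift)
    """
    by_ip = {r.ip: r for r in scan}
    inventory_ips = {c.ip for c in inventory}
    report = {"breadth": [], "depth": {}, "stale": [],
              "unknown": sorted(set(by_ip) - inventory_ips)}
    cutoff = as_of - timedelta(days=frequency_days)
    for comp in inventory:
        result = by_ip.get(comp.ip)
        if result is None:
            report["breadth"].append(comp.hostname)
            continue
        if result.scanned_on < cutoff:
            report["stale"].append(comp.hostname)
        missing = required.get(comp.role, frozenset()) - result.checks_run
        if missing or not result.credentialed:
            report["depth"][comp.hostname] = {
                "missing_checks": sorted(missing),
                "credentialed": result.credentialed,
            }
    scanned = len(inventory) - len(report["breadth"])
    report["percent_scanned"] = round(100.0 * scanned / len(inventory), 1) if inventory else 0.0
    return report


def is_fully_covered(report):
    """True only when no gap needs a justification in the SSP or a POA&M entry."""
    return not (report["breadth"] or report["depth"] or report["stale"] or report["unknown"])


if __name__ == "__main__":
    rep = coverage_report(INVENTORY, SCAN)
    for key in ("percent_scanned", "breadth", "depth", "stale", "unknown"):
        print(f"{key}: {rep[key]}")
    print("fully covered:", is_fully_covered(rep))
```

In practice the inventory comes from the system's hardware and software inventory and the scan records from the scanner's export; every non-empty list in the report is either a justification to record in this table or a weakness to carry into the plan of action and milestones (CA-5).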

B2 Planning (PL)
The status of security planning controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | In Place | Planned | [Document how the control
has been specifically implemented for the system; describe actions that are planned to complete
implementation]

PL-1 Security Planning Policy and Procedures: The organization develops, disseminates, and periodically
reviews/updates: (i) a formal, documented, security planning policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and compliance; and
(ii) formal, documented procedures to facilitate the implementation of the security planning policy and
associated security planning controls.

PL-2 System Security Plan: The organization develops and implements a security plan for the information
system that provides an overview of the security requirements for the system and a description of the
security controls in place or planned for meeting those requirements. Designated officials within the
organization review and approve the plan.

PL-3 System Security Plan Update: The organization reviews the security plan for the information system
[Assignment: organization-defined frequency, at least annually] and revises the plan to address
system/organizational changes or problems identified during plan implementation or security control
assessments.

PL-4 Rules of Behavior: The organization establishes and makes readily available to all information
system users, a set of rules that describes their responsibilities and expected behavior with regard to
information and information system usage. The organization receives signed acknowledgment from users
indicating that they have read, understand, and agree to abide by the rules of behavior, before
authorizing access to the information system and its resident information.

PL-5 Privacy Impact Assessment: The organization conducts a privacy impact assessment on the information
system in accordance with OMB policy.

PL-6 Security-Related Activity Planning: The organization plans and coordinates security-related
activities affecting the information system before conducting such activities in order to reduce the
impact on organizational operations (i.e., mission, functions, image, and reputation), organizational
assets, and individuals.


B3 System and Services Acquisition (SA)
The status of system and services acquisition controls for the [System Name] is as indicated in the
following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | In Place | Planned | [Document how the control
has been specifically implemented for the system; describe actions that are planned to complete
implementation]

SA-1 System and Services Acquisition Policy and Procedures: The organization develops, disseminates, and
periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that
includes information security considerations and that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and (ii) formal,
documented procedures to facilitate the implementation of the system and services acquisition policy and
associated system and services acquisition controls.

SA-2 Allocation of Resources: The organization determines, documents, and allocates as part of its capital
planning and investment control process, the resources required to adequately protect the information
system.

SA-3 Life Cycle Support: The organization manages the information system using a system development life
cycle methodology that includes information security considerations.

SA-4 Acquisitions: The organization includes security requirements and/or security specifications, either
explicitly or by reference, in information system acquisition contracts based on an assessment of risk and
in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.

SA-4 (1) Acquisitions: The organization requires in solicitation documents that appropriate documentation
be provided describing the functional properties of the security controls employed within the information
system with sufficient detail to permit analysis and testing of the controls.

SA-4 (2) Acquisitions: The organization requires in solicitation documents that appropriate documentation
be provided describing the design and implementation details of the security controls employed within the
information system with sufficient detail to permit analysis and testing of the controls (including
functional interfaces among control components).

SA-5 Information System Documentation: The organization obtains, protects as required, and makes
available to authorized personnel, adequate documentation for the information system.

SA-5 (1) Information System Documentation: The organization includes, in addition to administrator and
user guides, documentation, if available from the vendor/manufacturer, describing the functional
properties of the security controls employed within the information system with sufficient detail to
permit analysis and testing of the controls.

SA-5 (2) Information System Documentation: The organization includes, in addition to administrator and
user guides, documentation, if available from the vendor/manufacturer, describing the design and
implementation details of the security controls employed within the information system with sufficient
detail to permit analysis and testing of the controls (including functional interfaces among control
components).

SA-6 Software Usage Restrictions: The organization complies with software usage restrictions.

SA-7 User Installed Software: The organization enforces explicit rules governing the installation of
software by users.

SA-8 Security Engineering Principles: The organization designs and implements the information system
using security engineering principles.

SA-9 External Information System Services: The organization: (i) requires that providers of external
information system services employ adequate security controls in accordance with applicable laws,
Executive Orders, directives, policies, regulations, standards, guidance, and established service-level
agreements; and (ii) monitors security control compliance.

SA-10 Developer Configuration Management: The organization requires that information system developers
create and implement a configuration management plan that controls changes to the system during
development, tracks security flaws, requires authorization of changes, and provides documentation of the
plan and its implementation.

SA-11 Developer Security Testing: The organization requires that information system developers create a
security test and evaluation plan, implement the plan, and document the results.

B4 Certification, Accreditation, and Security Assessments (CA)
The status of certification, accreditation, and security assessment controls for the [System Name] is as
indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | In Place | Planned | [Document how the control
has been specifically implemented for the system; describe actions that are planned to complete
implementation]

CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures: The organization
develops, disseminates, and periodically reviews/updates: (i) formal, documented, security assessment and
certification and accreditation policies that address purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and (ii) formal,
documented procedures to facilitate the implementation of the security assessment and certification and
accreditation policies and associated assessment, certification, and accreditation controls.

CA-2 Security Assessments: The organization conducts an assessment of the security controls in the
information system [Assignment: organization-defined frequency, at least annually] to determine the
extent to which the controls are implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for the system.

CA-3 Information System Connections: The organization authorizes all connections from the information
system to other information systems outside of the accreditation boundary through the use of system
connection agreements and monitors/controls the system connections on an ongoing basis.

CA-4 Security Certification: The organization conducts an assessment of the security controls in the
information system to determine the extent to which the controls are implemented correctly, operating as
intended, and producing the desired outcome with respect to meeting the security requirements for the
system.

CA-4 (1) Security Certification: The organization employs an independent certification agent or
certification team to conduct an assessment of the security controls in the information system.

CA-5 Plan of Action and Milestones: The organization develops and updates [Assignment:
organization-defined frequency], a plan of action and milestones for the information system that
documents the organization’s planned, implemented, and evaluated remedial actions to correct deficiencies
noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in
the system.

CA-6 Security Accreditation: The organization authorizes (i.e., accredits) the information system for
processing before operations and updates the authorization [Assignment: organization-defined frequency,
at least every three years] or when there is a significant change to the system. A senior organizational
official signs and approves the security accreditation.

CA-7 Continuous Monitoring: The organization monitors the security controls in the information system on
an ongoing basis.

CA-7 (1) Continuous Monitoring: The organization employs an independent certification agent or
certification team to monitor the security controls in the information system on an ongoing basis.


B5-B13 OPERATIONAL CONTROLS
This section describes the level of implementation of operational controls for the [System Name].

B5 Personnel Security (PS)


The status of personnel security controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only; RB=risk based. Mark those
that are not applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | In Place | Planned | [Document how the control
has been specifically implemented for the system; describe actions that are planned to complete
implementation]

PS-1 Personnel Security Policy and Procedures: The organization develops, disseminates, and periodically
reviews/updates: (i) a formal, documented, personnel security policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and compliance; and
(ii) formal, documented procedures to facilitate the implementation of the personnel security policy and
associated personnel security controls.

PS-2 Position Categorization: The organization assigns a risk designation to all positions and
establishes screening criteria for individuals filling those positions. The organization reviews and
revises position risk designations [Assignment: organization-defined frequency].

PS-3 Personnel Screening: The organization screens individuals requiring access to organizational
information and information systems before authorizing access.

PS-4 Personnel Termination: The organization, upon termination of individual employment, terminates
information system access, conducts exit interviews, retrieves all organizational information
system-related property, and provides appropriate personnel with access to official records created by
the terminated employee that are stored on organizational information systems.

PS-5 Personnel Transfer: The organization reviews information systems/facilities access authorizations
when personnel are reassigned or transferred to other positions within the organization and initiates
appropriate actions.

PS-6 Access Agreements: The organization completes appropriate signed access agreements for individuals
requiring access to organizational information and information systems before authorizing access and
reviews/updates the agreements [Assignment: organization-defined frequency].

PS-7 Third-Party Personnel Security: The organization establishes personnel security requirements
including security roles and responsibilities for third-party providers and monitors provider compliance.

PS-8 Personnel Sanctions: The organization employs a formal sanctions process for personnel failing to
comply with established information security policies and procedures.

B6 Physical and Environmental Protection (PE)


The status of physical and environmental protection controls for the [System Name] is as indicated in the
following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Description of Control

Applicable
Planned
Control In Place

Not
Number [Document how the control has been specifically implemented for the
system; describe actions that are planned to complete implementation]

PE-1 Physical and Environmental Protection Policy and


Procedures: The organization develops, disseminates, and
periodically reviews/updates: (i) a formal, documented, physical
and environmental protection policy that addresses purpose,
scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(ii) formal, documented procedures to facilitate the
implementation of the physical and environmental protection
policy and associated physical and environmental protection
controls.

PE-2 Physical Access Authorizations: The organization develops


and keeps current a list of personnel with authorized access to
the facility where the information system resides (except for
those areas within the facility officially designated as publicly
accessible) and issues appropriate authorization credentials.
Designated officials within the organization review and approve

[Date Prepared] Page 23


Description of Control

Applicable
Planned
In Place
Control

Not
Number [Document how the control has been specifically implemented for the
system; describe actions that are planned to complete implementation]

the access list and authorization credentials [Assignment:


organization-defined frequency, at least annually].

PE-3 Physical Access Control: The organization controls all


physical access points (including designated entry/exit points) to
the facility where the information system resides (except for
those areas within the facility officially designated as publicly
accessible) and verifies individual access authorizations before
granting access to the facility. The organization controls access
to areas officially designated as publicly accessible, as
appropriate, in accordance with the organization’s assessment
of risk.

PE-3 (1) Physical Access Control: The organization controls physical


access to the information system independent of the physical
access controls for the facility.

PE-4 Access Control for Transmission Medium: The organization


controls physical access to information system distribution and
transmission lines within organizational facilities.

PE-5 Access Control for Display Medium: The organization


controls physical access to information system devices that
display information to prevent unauthorized individuals from
observing the display output.

PE-6 Monitoring Physical Access: The organization monitors


physical access to the information system to detect and
respond to physical security incidents.

PE-6 (1) Monitoring Physical Access: The organization monitors real-


time physical intrusion alarms and surveillance equipment.

PE-6 (2) Monitoring Physical Access: The organization employs


automated mechanisms to recognize potential intrusions and
initiate appropriate response action.

PE-7 Visitor Control: The organization controls physical access to


the information system by authenticating visitors before
authorizing access to the facility where the information system
resides other than areas designated as publicly accessible.

PE-7 (1) Visitor Control: The organization escorts visitors and monitors
visitor activity, when required.

[Date Prepared] Page 24


Description of Control

Applicable
Planned
In Place
Control

Not
Number [Document how the control has been specifically implemented for the
system; describe actions that are planned to complete implementation]

PE-8 Access Records: The organization maintains visitor access


records to the facility where the information system resides
(except for those areas within the facility officially designated as
publicly accessible) that includes: (i) name and organization of
the person visiting; (ii) signature of the visitor; (iii) form of
identification; (iv) date of access; (v) time of entry and departure;
(vi) purpose of visit; and (vii) name and organization of person
visited. Designated officials within the organization review the
visitor access records [Assignment: organization-defined
frequency].

PE-8 (1) Access Records: The organization employs automated


mechanisms to facilitate the maintenance and review of access
records.

PE-8 (2) Access Records: The organization maintains a record of all


physical access, both visitor and authorized individuals.

PE-9 Power Equipment and Power Cabling: The organization


protects power equipment and power cabling for the information
system from damage and destruction.

PE-9 (1) Power Equipment and Power Cabling: The organization


employs redundant and parallel power cabling path.

PE-10 Emergency Shutoff: The organization provides, for


specific locations within a facility containing concentrations
of information system resources, the capability of shutting
off power to any information system component that may
be malfunctioning or threatened without endangering
personnel by requiring them to approach the equipment.

PE-10 Emergency Shutoff: The organization protects the


emergency power-off capability from accidental or
(1) unauthorized activation.

PE-11 Emergency Power: The organization provides a short-term


uninterruptible power supply to facilitate an orderly shutdown of
the information system in the event of a primary power source
loss.

PE-11 Emergency Power: The organization provides a long-term


(1) alternate power supply for the information system that is capable
of maintaining minimally required operational capability in the
event of an extended loss of the primary power source.

[Date Prepared] Page 25


Description of Control

Applicable
Planned
In Place
Control

Not
Number [Document how the control has been specifically implemented for the
system; describe actions that are planned to complete implementation]

PE-11 (2) Emergency Power: The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.

PE-12 Emergency Lighting: The organization employs and maintains automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.

PE-13 Fire Protection: The organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.

PE-13 (1) Fire Protection: The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.

PE-13 (2) Fire Protection: The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.

PE-13 (3) Fire Protection: The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.

PE-14 Temperature and Humidity Controls: The organization regularly maintains, within acceptable levels, and monitors the temperature and humidity within the facility where the information system resides.

PE-15 Water Damage Protection: The organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

PE-15 (1) Water Damage Protection: The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a significant water leak.

PE-16 Delivery and Removal: The organization authorizes and controls information system-related items entering and exiting the facility and maintains appropriate records of those items.

PE-17 Alternate Work Site: The organization employs appropriate management, operational, and technical information system security controls at alternate work sites.

PE-18 Location of Information System Components: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

PE-18 (1) Location of Information System Components: The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

PE-19 Information Leakage: The organization protects the information system from information leakage due to electromagnetic signals emanations.
B7 Contingency Planning (CP)


The status of contingency planning controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number    Not Applicable    Planned    In Place    Description of Control
[Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

CP-1 Contingency Planning Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

CP-2 Contingency Plan: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

CP-2 (1) Contingency Plan: The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2 (2) Contingency Plan: The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.

CP-3 Contingency Training: The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency, at least annually].

CP-3 (1) Contingency Training: The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

CP-3 (2) Contingency Training: The organization employs automated mechanisms to provide a more thorough and realistic training environment.

CP-4 Contingency Plan Testing and Exercises: The organization: (i) tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and (ii) reviews the contingency plan test/exercise results and initiates corrective actions.

CP-4 (1) Contingency Plan Testing and Exercises: The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

CP-4 (2) Contingency Plan Testing and Exercises: The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

CP-4 (3) Contingency Plan Testing and Exercises: The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.

CP-5 Contingency Plan Update: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

CP-6 Alternate Storage Sites: The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information.

CP-6 (1) Alternate Storage Sites: The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.

CP-6 (2) Alternate Storage Sites: The organization configures the alternate storage site to facilitate timely and effective recovery operations.

CP-6 (3) Alternate Storage Sites: The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 Alternate Processing Sites: The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable.

CP-7 (1) Alternate Processing Sites: The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.

CP-7 (2) Alternate Processing Sites: The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 (3) Alternate Processing Sites: The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.

CP-7 (4) Alternate Processing Sites: The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.

CP-8 Telecommunications Services: The organization identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.

CP-8 (1) Telecommunications Services: The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.

CP-8 (2) Telecommunications Services: The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.

CP-8 (3) Telecommunications Services: The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.

CP-8 (4) Telecommunications Services: The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.

CP-9 Information System Backup: The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.

CP-9 (1) Information System Backup: The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

CP-9 (2) Information System Backup: The organization selectively uses backup information in the restoration of information system functions as part of contingency plan testing.

CP-9 (3) Information System Backup: The organization stores backup copies of the operating system and other critical information system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

CP-9 (4) Information System Backup: The organization protects system backup information from unauthorized modification.

CP-10 Information System Recovery and Reconstitution: The organization employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure.

CP-10 (1) Information System Recovery and Reconstitution: The organization includes a full recovery and reconstitution of the information system as part of contingency plan testing.

B8 Configuration Management (CM)


The status of configuration management controls for the [System Name] is as indicated in the following
table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number    Not Applicable    Planned    In Place    Description of Control
[Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

CM-1 Configuration Management Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CM-2 Baseline Configuration: The organization develops, documents, and maintains a current baseline configuration of the information system.

CM-2 (1) Baseline Configuration: The organization updates the baseline configuration of the information system as an integral part of information system component installations.

CM-2 (2) Baseline Configuration: The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

CM-3 Configuration Change Control: The organization authorizes, documents, and controls changes to the information system.

CM-3 (1) Configuration Change Control: The organization employs automated mechanisms to: (i) document proposed changes to the information system; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the information system.

CM-4 Monitoring Configuration Changes: The organization monitors changes to the information system, conducting security impact analyses to determine the effects of the changes.

CM-5 Access Restrictions for Change: The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes.

CM-5 (1) Access Restrictions for Change: The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

CM-6 Configuration Settings: The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.

CM-6 (1) Configuration Settings: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

CM-7 Least Functionality: The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].

CM-7 (1) Least Functionality: The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.

CM-8 Information System Component Inventory: The organization develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.

CM-8 (1) Information System Component Inventory: The organization updates the inventory of information system components as an integral part of component installations.

CM-8 (2) Information System Component Inventory: The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
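
The following worked example is added here for illustration; it is not part of the HUD template and is not an artifact of any HUD system. It shows one way a system owner could automate the checks behind CM-2, CM-6, CM-7 and CM-8: a documented baseline (component inventory with owners, mandatory configuration settings, and the only listening services permitted per component) is compared against a per-host snapshot, and every deviation is reported against the control it affects. The baseline contents, host names, setting names and the snapshot format are all assumptions constructed for the example.

```python
"""Added example (not part of the HUD template): compare observed host
snapshots against the documented baseline to support CM-2, CM-6, CM-7 and
CM-8. All data below is constructed; the baseline layout, field names and
host records are assumptions, not a HUD or NIST artifact."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: what the SSP says the system is supposed to look like.
BASELINE = {
    "inventory": {            # CM-8: component -> owning organization
        "web01": "App Team",
        "db01": "DBA Team",
    },
    "settings": {             # CM-6: mandatory configuration settings
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
    },
    "allowed_services": {     # CM-7: the only (proto, port) pairs permitted
        "web01": {("tcp", 443), ("tcp", 22)},
        "db01": {("tcp", 5432), ("tcp", 22)},
    },
}

@dataclass
class Finding:
    host: str
    control: str
    detail: str

def check_host(host: str, observed: dict, baseline: dict = BASELINE) -> List[Finding]:
    """Return CM findings for one observed host snapshot.

    observed = {"settings": {name: value}, "listening": {(proto, port), ...}}
    """
    findings = []
    if host not in baseline["inventory"]:
        # CM-8: an unknown component is itself a finding; nothing is permitted on it
        findings.append(Finding(host, "CM-8", "component not in inventory"))
        allowed = set()
    else:
        allowed = baseline["allowed_services"].get(host, set())
    # CM-6: every mandatory setting must be present and have the required value
    for key, want in baseline["settings"].items():
        got = observed.get("settings", {}).get(key)
        if got != want:
            findings.append(Finding(host, "CM-6", f"{key}={got!r}, expected {want!r}"))
    # CM-7: any listening service not on the allow-list is unnecessary/prohibited
    for proto, port in sorted(observed.get("listening", set())):
        if (proto, port) not in allowed:
            findings.append(Finding(host, "CM-7", f"unexpected {proto}/{port}"))
    return findings

def check_all(snapshots: dict, baseline: dict = BASELINE) -> Dict[str, List[Finding]]:
    """Run check_host over every snapshot and also flag inventoried components
    that produced no snapshot (CM-8: the inventory is stale or the host is gone)."""
    report = {h: check_host(h, s, baseline) for h, s in snapshots.items()}
    for host in baseline["inventory"]:
        if host not in snapshots:
            report.setdefault(host, []).append(
                Finding(host, "CM-8", "inventoried component not observed"))
    return report

# Constructed snapshots: web01 has drifted, db01 is compliant, app02 is unknown.
SNAPSHOTS = {
    "web01": {
        "settings": {"ssh.PermitRootLogin": "yes",
                     "ssh.PasswordAuthentication": "no",
                     "audit.enabled": "yes"},
        "listening": {("tcp", 443), ("tcp", 22), ("tcp", 8080)},
    },
    "db01": {
        "settings": {"ssh.PermitRootLogin": "no",
                     "ssh.PasswordAuthentication": "no",
                     "audit.enabled": "yes"},
        "listening": {("tcp", 5432), ("tcp", 22)},
    },
    "app02": {"settings": {}, "listening": {("tcp", 22)}},
}

if __name__ == "__main__":
    for host, findings in check_all(SNAPSHOTS).items():
        for f in findings:
            print(f"{f.host}: {f.control}: {f.detail}")
```

In practice the snapshot would come from a configuration management agent or a periodic scan. The point for the SSP is that the documented baseline is the source of truth, that drift is reported against a specific control rather than silently corrected, and that a component with no owner in the inventory is a finding in its own right.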

B9 Maintenance (MA)
The status of maintenance controls for the [System Name] is as indicated in the following table:

[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number    Not Applicable    Planned    In Place    Description of Control
[Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

MA-1 System Maintenance Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

MA-2 Periodic Maintenance: The organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.

MA-2 (1) Periodic Maintenance: The organization maintains maintenance records for the information system that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).

MA-2 (2) Periodic Maintenance: The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.

MA-3 Maintenance Tools: The organization approves, controls, and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis.

MA-3 (1) Maintenance Tools: The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

MA-3 (2) Maintenance Tools: The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.

MA-3 (3) Maintenance Tools: The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.

MA-3 (4) Maintenance Tools: The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.

MA-4 Remote Maintenance: The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.

MA-4 (1) Remote Maintenance: The organization audits all remote maintenance and diagnostic sessions and appropriate organizational personnel review the maintenance records of the remote sessions.

MA-4 (2) Remote Maintenance: The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the information system.

MA-4 (3) Remote Maintenance: The organization does not allow remote maintenance or diagnostic services to be performed by a provider that does not implement for its own information system a level of security at least as high as that implemented on the system being serviced, unless the component being serviced is removed from the information system and sanitized (with regard to organizational information) before the service begins and also sanitized (with regard to potentially malicious software) after the service is performed and before being reconnected to the information system.

MA-5 Maintenance Personnel: The organization allows only authorized personnel to perform maintenance on the information system.

MA-6 Timely Maintenance: The organization obtains maintenance support and spare parts for [Assignment: organization-defined list of key information system components] within [Assignment: organization-defined time period] of failure.

B10 System and Information Integrity (SI)
The status of system and information integrity controls for the [System Name] is as indicated in the
following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number    Not Applicable    Planned    In Place    Description of Control
[Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

SI-1 System and Information Integrity Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

SI-2 Flaw Remediation: The organization identifies, reports, and corrects information system flaws.

SI-2 (1) Flaw Remediation: The organization centrally manages the flaw remediation process and installs updates automatically.

SI-2 (2) Flaw Remediation: The organization employs automated mechanisms to periodically and upon demand determine the state of information system components with regard to flaw remediation.

SI-3 Malicious Code Protection: The information system implements malicious code protection.

SI-3 (1) Malicious Code Protection: The organization centrally manages malicious code protection mechanisms.

SI-3 (2) Malicious Code Protection: The information system automatically updates malicious code protection mechanisms.

SI-4 Intrusion Detection Tools and Techniques: The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.

SI-4 (1) Intrusion Detection Tools and Techniques: The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.

SI-4 (2) Intrusion Detection Tools and Techniques: The organization employs automated tools to support near-real-time analysis of events.

SI-4 (3) Intrusion Detection Tools and Techniques: The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

SI-4 (4) Intrusion Detection Tools and Techniques: The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.

SI-4 (5) Intrusion Detection Tools and Techniques: The information system provides a real-time alert when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
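
The following worked example is added here for illustration; it is not part of the HUD template and does not describe any HUD system’s monitoring. It shows what the SI-4 (4) and SI-4 (5) assignment looks like once it is made concrete: a short organization-defined indicator list (a known-bad peer address, outbound traffic to ports other than those permitted, and repeated failed inbound connections from one source) is matched against inbound and outbound connection records, and each match is raised as an alert as the record is processed. The log format, the indicator values, the threshold and the addresses are constructed assumptions; 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges, not real hosts.

```python
"""Added example (not part of the HUD template): match constructed
connection records against an organization-defined list of compromise
indicators, as SI-4 (4) and SI-4 (5) require. Log format, indicators,
threshold and addresses are assumptions made for the example."""
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Assumed sensor record format: "<ts> <IN|OUT> <src>:<sport> -> <dst>:<dport> <proto> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<status>\w+)$")

# The SI-4 (5) assignment, filled in with constructed values.
INDICATORS = {
    "known_bad_hosts": {"203.0.113.9"},        # e.g. an address named in an advisory
    "outbound_allowed_ports": {80, 443, 53},   # anything else leaving the system is suspect
    "inbound_fail_threshold": 3,               # failed inbound attempts per source address
}

def parse(line: str) -> Optional[dict]:
    """Parse one record; return None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def detect(lines: List[str], ind: dict = INDICATORS) -> List[Tuple[str, str]]:
    """Return (indicator, detail) alerts in the order they are raised."""
    alerts = []
    fails = defaultdict(int)
    for line in lines:
        r = parse(line)
        if r is None:
            # A record the sensor cannot parse is itself unusual; never drop it silently.
            alerts.append(("unparseable", line.strip()))
            continue
        peer = r["dst"] if r["dir"] == "OUT" else r["src"]
        if peer in ind["known_bad_hosts"]:
            alerts.append(("known_bad_host", f"{r['dir']} {peer} at {r['ts']}"))
        if r["dir"] == "OUT" and r["dport"] not in ind["outbound_allowed_ports"]:
            alerts.append(("outbound_port", f"{r['src']} -> {r['dst']}:{r['dport']}"))
        if r["dir"] == "IN" and r["status"] == "FAIL":
            fails[r["src"]] += 1
            # Alert exactly once, when the threshold is reached, not on every later failure.
            if fails[r["src"]] == ind["inbound_fail_threshold"]:
                alerts.append(("inbound_brute_force",
                               f"{r['src']} reached {fails[r['src']]} failures"))
    return alerts

# Constructed sample: one normal HTTPS session, one beacon to a known-bad host on a
# non-standard port, four failed inbound SSH attempts from one source, and one bad record.
SAMPLE = [
    "2009-05-18T10:00:01Z OUT 10.1.2.3:51000 -> 198.51.100.7:443 tcp OK",
    "2009-05-18T10:00:05Z OUT 10.1.2.3:51001 -> 203.0.113.9:4444 tcp OK",
    "2009-05-18T10:00:09Z IN 198.51.100.20:40001 -> 10.1.2.3:22 tcp FAIL",
    "2009-05-18T10:00:10Z IN 198.51.100.20:40002 -> 10.1.2.3:22 tcp FAIL",
    "2009-05-18T10:00:11Z IN 198.51.100.20:40003 -> 10.1.2.3:22 tcp FAIL",
    "2009-05-18T10:00:12Z IN 198.51.100.20:40004 -> 10.1.2.3:22 tcp FAIL",
    "garbage line from a broken sensor",
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE):
        print(f"ALERT {kind}: {detail}")
```

The beacon record trips two indicators at once (known-bad peer and a non-permitted outbound port), which is the normal case: an SSP entry for SI-4 (5) should name each indicator separately so that an assessor can see which ones are actually implemented.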

SI-5 Security Alerts and Advisories: The organization receives information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.

SI-5 (1) Security Alerts and Advisories: The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.

SI-6 Security Functionality Verification: The information system verifies the correct operation of security functions [Selection (one or more): upon system startup and restart, upon command by user with appropriate privilege, periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.

SI-6 (1) Security Functionality Verification: The organization employs automated mechanisms to provide notification of failed automated security tests.

SI-6 (2) Security Functionality Verification: The organization employs automated mechanisms to support management of distributed security testing.

SI-7 Software and Information Integrity: The information system detects and protects against unauthorized changes to software and information.

SI-7 (1) Software and Information Integrity: The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the system.

SI-7 (2) Software and Information Integrity: The organization employs automated tools that provide notification to appropriate individuals upon discovering discrepancies during integrity verification.

SI-7 (3) Software and Information Integrity: The organization employs centrally managed integrity verification tools.
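
The following worked example is added here for illustration; it is not part of the HUD template and is not any HUD system’s tooling. It serves two places in this plan: the integrity scan of software and information called for by SI-7 and SI-7 (1) (with the discrepancy report that SI-7 (2) expects to be surfaced), and the backup integrity test and protection against unauthorized modification in CP-9 (1) and CP-9 (4) from section B7. A manifest of per-file SHA-256 digests is built over a tree and keyed with HMAC-SHA256; verification then reports modified, missing and added files, and refuses to trust a manifest whose key does not verify, since an adversary who can rewrite a file cannot also rewrite the manifest without the key. The directory layout, file contents and key are constructed for the example.

```python
"""Added example (not part of the HUD template): a keyed integrity manifest
for a software or backup tree, illustrating SI-7 / SI-7 (1) / SI-7 (2) and
CP-9 (1) / CP-9 (4). The tree, its contents and the key are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

def _digest(path: str) -> str:
    """SHA-256 of one file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str, key: bytes) -> dict:
    """Hash every regular file under root and bind the listing with HMAC-SHA256."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            p = os.path.join(dirpath, n)
            files[os.path.relpath(p, root)] = _digest(p)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_manifest(root: str, key: bytes, manifest: dict) -> dict:
    """Return {"manifest_ok", "modified", "missing", "added"}.
    A MAC failure means the manifest itself was altered (or the wrong key was
    supplied); its file list is then not trusted and no file check is done."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    ok = hmac.compare_digest(expected, manifest["mac"])   # constant-time comparison
    result = {"manifest_ok": ok, "modified": [], "missing": [], "added": []}
    if not ok:
        return result
    seen = set()
    for dirpath, _, names in os.walk(root):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), root)
            seen.add(rel)
            if rel not in manifest["files"]:
                result["added"].append(rel)
            elif _digest(os.path.join(root, rel)) != manifest["files"][rel]:
                result["modified"].append(rel)
    result["missing"] = sorted(set(manifest["files"]) - seen)
    return result

def demo() -> dict:
    """Create a constructed tree, baseline it, tamper with it, and re-verify."""
    key = b"constructed-demo-key; a real key belongs in a KMS or HSM"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"#!/bin/sh\necho app\n")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[main]\ndebug=0\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, key, manifest)
        # Tamper with the tree: modify one file, delete another, add a third.
        with open(os.path.join(root, "config.ini"), "ab") as f:
            f.write(b"debug=1\n")
        os.remove(os.path.join(root, "bin", "app"))
        with open(os.path.join(root, "dropper.sh"), "wb") as f:
            f.write(b"echo oops\n")
        tampered = verify_manifest(root, key, manifest)
        # Tamper with the manifest instead, to hide the added file: the MAC no longer verifies.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["dropper.sh"] = _digest(os.path.join(root, "dropper.sh"))
        forged_check = verify_manifest(root, key, forged)
    return {"clean": clean, "tampered": tampered, "forged": forged_check}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For CP-9 the same routine is run against the restored copy of a backup rather than the live tree: a clean result is the evidence that the media was readable and the information intact, and the keyed manifest, stored apart from the backup, is what makes an undetected modification of the backup set expensive. The key must not be stored alongside the manifest, or the protection reduces to a plain checksum.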

SI-8 Spam and Spyware Protection: The information system implements spam protection.

SI-8 (1) Spam and Spyware Protection: The organization centrally manages spam protection mechanisms.

SI-8 (2) Spam and Spyware Protection: The information system automatically updates spam protection mechanisms.

SI-9 Information Input Restrictions: The organization restricts the capability to input information to the information system to authorized personnel.

SI-10 Information Input Accuracy, Completeness, and Validity: The information system checks information for accuracy, completeness, validity, and authenticity.

SI-11 Error Handling: The information system identifies and handles error conditions in an expeditious manner without providing information that could be exploited by adversaries.
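
The following worked example is added here for illustration; it is not part of the HUD template and is not code from any HUD system. It shows SI-10 and SI-11 together, because they are usually implemented in the same place: a record is accepted only if it has exactly the expected fields with the expected shape and range, and a rejected or failed request returns nothing to the caller except a generic status and a correlation reference, while the specific reason (and any stack trace) goes to the log where SI-11 permits it. The record schema, the case-number format and the field limits are assumptions constructed for the example.

```python
"""Added example (not part of the HUD template): validate a constructed input
record (SI-10) and handle failures without exposing internals to the caller
(SI-11). The schema, identifier format and limits are assumptions."""
import logging
import re
import uuid

log = logging.getLogger("app")            # full detail goes to the audit log only
ID_RE = re.compile(r"^[A-Z]{2}\d{6}$")    # assumed case-number format, e.g. "CA123456"

class ValidationError(ValueError):
    """Raised for any input that fails the SI-10 checks."""

def validate_case(record: dict) -> dict:
    """Accept exactly the expected fields with the expected shape; reject everything else."""
    allowed = {"case_id", "amount", "notes"}
    extra = set(record) - allowed
    if extra:
        # Unexpected fields are rejected outright rather than ignored (mass-assignment defence).
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    case_id = record.get("case_id")
    if not isinstance(case_id, str) or not ID_RE.match(case_id):
        raise ValidationError("case_id malformed")
    amount = record.get("amount")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if (not isinstance(amount, int) or isinstance(amount, bool)
            or not 0 <= amount <= 10_000_000):
        raise ValidationError("amount not an integer in range")
    notes = record.get("notes", "")
    if (not isinstance(notes, str) or len(notes) > 500
            or any(ord(c) < 32 for c in notes)):
        raise ValidationError("notes too long or contains control characters")
    # Return a fresh dict built only from validated values, never the caller's object.
    return {"case_id": case_id, "amount": amount, "notes": notes}

def handle_request(record: dict) -> dict:
    """Return only what the caller may see. A rejected or failed request gets a
    generic status plus a correlation reference; the reason stays in the log."""
    ref = uuid.uuid4().hex[:12]
    try:
        clean = validate_case(record)
    except ValidationError as e:
        log.warning("ref=%s rejected input: %s", ref, e)
        return {"status": "rejected", "ref": ref}
    except Exception:
        log.exception("ref=%s unexpected failure", ref)   # trace to the log, not the caller
        return {"status": "error", "ref": ref}
    return {"status": "ok", "ref": ref, "case_id": clean["case_id"]}

# Constructed inputs: one valid, one with an injected privilege field, one with a
# string where an integer is required (a typical injection attempt).
SAMPLES = [
    {"case_id": "CA123456", "amount": 2500, "notes": "routine"},
    {"case_id": "CA123456", "amount": 2500, "is_admin": True},
    {"case_id": "CA123456", "amount": "2500; DROP TABLE cases"},
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for s in SAMPLES:
        print(handle_request(s))
```

The correlation reference is what lets support staff find the detailed log entry for a user’s complaint without the response itself having carried the detail; that is the practical reconciliation of "expeditious" handling with not giving an adversary the reason their input was refused.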

SI-12 Output Handling and Retention: The organization handles and retains output from the information system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

B11 Media Protection (MP)
The status of media protection controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number    Not Applicable    Planned    In Place    Description of Control
[Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

MP-1 Media Protection Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

MP-2 Media Access: The organization restricts access to information system media to authorized individuals.

MP-2 (1) Media Access: The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

MP-3 Media Labeling: The organization: (i) affixes external labels to removable information system media and information system output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempts [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].

MP-4 Media Storage: The organization physically controls and securely stores information system media within controlled areas.

MP-5 Media Transport: The organization protects and controls information system media during transport outside of controlled areas and restricts the activities associated with transport of such media to authorized personnel.

MP-5 (1) Media Transport: The organization protects digital and non-digital media during transport outside of controlled areas using [Assignment: organization-defined security measures, e.g., locked container, cryptography].

MP-5 (2) Media Transport: The organization documents, where appropriate, activities associated with the transport of information system media using [Assignment: organization-defined system of records].

MP-5 (3) Media Transport: The organization employs an identified custodian at all times to transport information system media.

MP-6 Media Sanitization and Disposal: The organization sanitizes information system media, both digital and non-digital, prior to disposal or release for reuse.

MP-6 (1) Media Sanitization and Disposal: The organization tracks, documents, and verifies media sanitization and disposal actions.

MP-6 (2) Media Sanitization and Disposal: The organization periodically tests sanitization equipment and procedures to verify correct performance.

B12 Incident Response (IR)


The status of incident response controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all
systems; MH=Moderate and High systems; H=high systems only. Mark those that are not
applicable as “NA”; do not delete them.]

Control Number    Not Applicable    Planned    In Place    Description of Control
[Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

IR-1 Incident Response Policy and Procedures: The


organization develops, disseminates, and periodically
reviews/updates: (i) a formal, documented, incident
response policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination
among organizational entities, and compliance; and (ii)
formal, documented procedures to facilitate the
implementation of the incident response policy and
associated incident response controls.

IR-2 Incident Response Training: The organization trains

[Date Prepared] Page 40


Description of Control

Applicable
Planned
In Place
Control

Not
Number [Document how the control has been specifically implemented for the
system; describe actions that are planned to complete implementation]

personnel in their incident response roles and


responsibilities with respect to the information system and
provides refresher training [Assignment: organization-
defined frequency, at least annually].

IR-2 (1) Incident Response Training: The organization


incorporates simulated events into incident response training
to facilitate effective response by personnel in crisis
situations.

IR-2 (2) Incident Response Training: The organization employs


automated mechanisms to provide a more thorough and
realistic training environment.

IR-3 Incident Response Testing and Exercises: The


organization tests and/or exercises the incident response
capability for the information system [Assignment:
organization-defined frequency, at least annually] using
[Assignment: organization-defined tests and/or exercises] to
determine the incident response effectiveness and
documents the results.

IR-3 (1) Incident Response Testing and Exercises: The


organization employs automated mechanisms to more
thoroughly and effectively test/exercise the incident
response capability.

IR-4 Incident Handling: The organization implements an


incident handling capability for security incidents that
includes preparation, detection and analysis, containment,
eradication, and recovery.

IR-4 (1) Incident Handling: The organization employs automated


mechanisms to support the incident handling process.

IR-5 Incident Monitoring: The organization tracks and


documents information system security incidents on an
ongoing basis.

IR-5 (1) Incident Monitoring: The organization employs automated


mechanisms to assist in the tracking of security incidents and
in the collection and analysis of incident information.

IR-6 Incident Reporting: The organization promptly reports


incident information to appropriate authorities.

IR-6 (1) Incident Reporting: The organization employs automated


mechanisms to assist in the reporting of security incidents.


IR-7 Incident Response Assistance: The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.

IR-7 (1) Incident Response Assistance: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
B13 Awareness and Training (AT)

The status of awareness and training controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all systems; MH=Moderate and High systems; H=high systems only. Mark those that are not applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | Planned | In Place | [Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

AT-1 Security Awareness and Training Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

AT-2 Security Awareness: The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and [Assignment: organization-defined frequency, at least annually] thereafter.

AT-3 Security Training: The organization identifies personnel that have significant information system security roles and responsibilities during the system development life cycle, documents those roles and responsibilities, and provides appropriate information system security training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

AT-4 Security Training Records: The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.

AT-5 Contacts With Security Groups and Associations: The organization establishes and maintains contacts with special interest groups, specialized forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations to stay up to date with the latest recommended security practices, techniques, and technologies and to share the latest security-related information including threats, vulnerabilities, and incidents.
B14-B17 TECHNICAL CONTROLS

This section describes the level of implementation of technical controls for the [System Name].

B14 Identification and Authentication (IA)

The status of identification and authentication controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all systems; MH=Moderate and High systems; H=high systems only. Mark those that are not applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | Planned | In Place | [Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

IA-1 Identification and Authentication Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

IA-2 User Identification and Authentication: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).

IA-2 (1) User Identification and Authentication: The information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 [Selection: organization-defined level 3, level 3 using a hardware authentication device, or level 4] compliant.

IA-2 (2) User Identification and Authentication: The information system employs multifactor authentication for local system access that is NIST Special Publication 800-63 [Selection: organization-defined level 3 or level 4] compliant.

IA-2 (3) User Identification and Authentication: The information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 level 4 compliant.

IA-3 Device Identification and Authentication: The information system identifies and authenticates specific devices before establishing a connection.

IA-4 Identifier Management: The organization manages user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate organization official; (iv) issuing the user identifier to the intended party; (v) disabling the user identifier after [Assignment: organization-defined time period] of inactivity; and (vi) archiving user identifiers.

IA-5 Authenticator Management: The organization manages information system authenticators by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; and (iv) changing/refreshing authenticators periodically.

IA-6 Authenticator Feedback: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 Cryptographic Module Authentication: The information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
B15 Access Control (AC)

The status of access controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all systems; MH=Moderate and High systems; H=high systems only. Mark those that are not applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | Planned | In Place | [Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

AC-1 Access Control Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

AC-2 Account Management: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].

AC-2 (1) Account Management: The organization employs automated mechanisms to support the management of information system accounts.

AC-2 (2) Account Management: The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-2 (3) Account Management: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

AC-2 (4) Account Management: The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
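The automated review that AC-2 (1) through AC-2 (4) call for can be written as one scheduled job that expires exception accounts, disables inactive ones, and records and notifies each action. The Python below is an added illustration for this template, not HUD or NIST code; the account types, the 30-day and 24-hour lifetimes, the 90-day inactivity limit, the reference date and the sample accounts are constructed stand-ins for the organization-defined assignments, and the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Organization-defined periods from the AC-2 assignment statements. The values are
# constructed for this example; the approved values belong in the control table.
ACCOUNT_LIFETIME = {
    "temporary": timedelta(days=30),   # AC-2 (2): temporary accounts
    "emergency": timedelta(hours=24),  # AC-2 (2): emergency accounts
}
INACTIVITY_LIMIT = timedelta(days=90)  # AC-2 (3): disable after this much inactivity


@dataclass
class Account:
    name: str
    kind: str                          # "regular", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime] = None
    status: str = "active"             # "active", "disabled" or "terminated"


@dataclass
class AccountManager:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)      # AC-2 (4): every lifecycle action
    notifications: list = field(default_factory=list)  # AC-2 (4): alerts to officials

    def _record(self, action: str, acct: Account, detail: str, notify: bool) -> None:
        entry = {"action": action, "account": acct.name, "kind": acct.kind, "detail": detail}
        self.audit_log.append(entry)
        if notify:
            self.notifications.append(entry)

    def create(self, name: str, kind: str, now: datetime) -> Account:
        if kind not in ("regular", *ACCOUNT_LIFETIME):
            raise ValueError(f"unknown account type: {kind}")
        acct = Account(name=name, kind=kind, created=now)
        self.accounts[name] = acct
        # Creation of an exception (temporary/emergency) account is notified immediately.
        self._record("create", acct, f"type={kind}", notify=(kind != "regular"))
        return acct

    def record_login(self, name: str, now: datetime) -> None:
        acct = self.accounts[name]
        if acct.status != "active":
            raise PermissionError(f"account {name} is {acct.status}")
        acct.last_login = now

    def review(self, now: datetime) -> list:
        """Run the automated AC-2 review and return the (action, account) pairs taken."""
        actions = []
        for acct in self.accounts.values():
            if acct.status != "active":
                continue
            lifetime = ACCOUNT_LIFETIME.get(acct.kind)
            if lifetime is not None and now - acct.created > lifetime:
                acct.status = "terminated"                       # AC-2 (2)
                self._record("terminate", acct, "lifetime exceeded", notify=True)
                actions.append(("terminate", acct.name))
                continue
            # An account that has never logged on is measured from its creation date.
            last_activity = acct.last_login or acct.created
            if now - last_activity > INACTIVITY_LIMIT:
                acct.status = "disabled"                         # AC-2 (3)
                self._record("disable", acct, "inactive", notify=True)
                actions.append(("disable", acct.name))
        return actions


def demo() -> tuple:
    """Constructed scenario: returns (actions taken, audit log, notifications)."""
    t0 = datetime(2009, 5, 18, tzinfo=timezone.utc)          # constructed reference date
    mgr = AccountManager()
    mgr.create("alice", "regular", t0)
    mgr.create("bob", "regular", t0)
    mgr.create("oncall", "emergency", t0)
    mgr.create("contractor", "temporary", t0)
    mgr.record_login("alice", t0 + timedelta(days=80))         # alice stays within 90 days
    actions = mgr.review(t0 + timedelta(days=100))
    return actions, mgr.audit_log, mgr.notifications
```

In the scenario the emergency and temporary accounts are terminated because their lifetimes are long past, the never-used regular account is disabled for inactivity, and the account with a recent logon is left alone; every change is in the audit log and the notification list, which is the evidence an assessor looks for under AC-2 (4).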

AC-3 Access Enforcement: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

AC-3 (1) Access Enforcement: The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.

AC-4 Information Flow Enforcement: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

AC-4 (1) Information Flow Enforcement: The information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions.

AC-4 (2) Information Flow Enforcement: The information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.

AC-4 (3) Information Flow Enforcement: The information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.

AC-5 Separation of Duties: The information system enforces separation of duties through assigned access authorizations.

AC-6 Least Privilege: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.


AC-7 Unsuccessful Logon Attempts: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm.]] when the maximum number of unsuccessful attempts is exceeded.

AC-7 (1) Unsuccessful Logon Attempts: The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
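As an added example, not part of this template or of NIST SP 800-53, the following Python shows one way to implement the AC-7 lockout together with the AC-7 (1) administrator-release variant. The limit of 3 attempts, the 15-minute counting window and the 30-minute lock are constructed stand-ins for the organization-defined assignments, and the class and function names are the example's own.

```python
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Optional

# Organization-defined values from the AC-7 assignment statements. The numbers are
# constructed for this example, not values taken from the plan.
MAX_FAILED_ATTEMPTS = 3                    # [Assignment: organization-defined number]
ATTEMPT_WINDOW = timedelta(minutes=15)     # [Assignment: organization-defined time period]
LOCKOUT_DURATION = timedelta(minutes=30)   # [Assignment: organization-defined time period]


class LogonGuard:
    """Counts consecutive invalid attempts per account inside a sliding window and locks
    the account once MAX_FAILED_ATTEMPTS is exceeded (AC-7). With admin_release_only=True
    the lock never expires on its own and must be cleared by an administrator (AC-7 (1))."""

    def __init__(self, admin_release_only: bool = False) -> None:
        self.admin_release_only = admin_release_only
        self._failures: Dict[str, Deque[datetime]] = {}
        # Lock expiry per account; None means "until released by an administrator".
        self._locked_until: Dict[str, Optional[datetime]] = {}

    def _recent_failures(self, account: str, now: datetime) -> Deque[datetime]:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > ATTEMPT_WINDOW:   # forget failures outside the window
            q.popleft()
        return q

    def is_locked(self, account: str, now: datetime) -> bool:
        if account not in self._locked_until:
            return False
        until = self._locked_until[account]
        if until is None or now < until:
            return True
        # A timed lock has expired: clear it together with the failure history.
        del self._locked_until[account]
        self._failures.pop(account, None)
        return False

    def attempt(self, account: str, credential_ok: bool, now: datetime) -> str:
        """Process one logon attempt; returns 'locked', 'success', 'failed' or 'locked_now'."""
        # The lock is checked before the credential, so a locked account answers the
        # same way whether or not the supplied password was correct.
        if self.is_locked(account, now):
            return "locked"
        if credential_ok:
            self._failures.pop(account, None)     # a success ends the consecutive run
            return "success"
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) > MAX_FAILED_ATTEMPTS:          # "exceeded": one more than the limit
            self._locked_until[account] = (None if self.admin_release_only
                                           else now + LOCKOUT_DURATION)
            return "locked_now"
        return "failed"

    def admin_release(self, account: str) -> None:
        """AC-7 (1): an administrator clears the lock and the failure history."""
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)


def demo() -> list:
    """Constructed sequence: four failures lock the account, a correct password is still
    refused while locked, and the attempt after the lock expires succeeds."""
    t0 = datetime(2009, 5, 18, 9, 0, tzinfo=timezone.utc)
    guard = LogonGuard()
    results = [guard.attempt("jdoe", False, t0 + timedelta(minutes=i)) for i in range(4)]
    results.append(guard.attempt("jdoe", True, t0 + timedelta(minutes=5)))
    results.append(guard.attempt("jdoe", True, t0 + timedelta(minutes=34)))
    return results
```

The window is what distinguishes "consecutive invalid attempts during a time period" from a plain counter: failures older than the window are dropped, so occasional typos spread over a day never add up to a lock, while a burst does. The lock is also checked before the credential is evaluated, which keeps a locked account from confirming a guessed password.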

AC-8 System Use Notification: The information system displays an approved, system use notification message before granting system access informing potential users: (i) that the user is accessing a U.S. Government information system; (ii) that system usage may be monitored, recorded, and subject to audit; (iii) that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) that use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.

AC-9 Previous Logon Notification: The information system notifies the user, upon successful logon, of the date and time of the last logon, and the number of unsuccessful logon attempts since the last successful logon.

AC-10 Concurrent Session Control: The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number of sessions].

AC-11 Session Lock: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

AC-12 Session Termination: The information system automatically terminates a remote session after [Assignment: organization-defined time period] of inactivity.

AC-12 (1) Session Termination: Automatic session termination applies to local and remote sessions.

AC-13 Supervision and Review—Access Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.

AC-13 (1) Supervision and Review—Access Control: The organization employs automated mechanisms to facilitate the review of user activities.

AC-14 Permitted Actions w/o Identification or Authentication: The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.

AC-14 (1) Permitted Actions w/o Identification or Authentication: The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.

AC-15 Automated Marking: The information system marks output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.

AC-16 Automated Labeling: The information system appropriately labels information in storage, in process, and in transmission.

AC-17 Remote Access: The organization authorizes, monitors, and controls all methods of remote access to the information system.

AC-17 (1) Remote Access: The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

AC-17 (2) Remote Access: The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.

AC-17 (3) Remote Access: The organization controls all remote accesses through a limited number of managed access control points.

AC-17 (4) Remote Access: The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

AC-18 Wireless Access Restrictions: The organization: (i) establishes usage restrictions and implementation guidance for wireless technologies; and (ii) authorizes, monitors, controls wireless access to the information system.

AC-18 (1) Wireless Access Restrictions: The organization uses authentication and encryption to protect wireless access to the information system.

AC-18 (2) Wireless Access Restrictions: The organization scans for unauthorized wireless access points [Assignment: organization-defined frequency] and takes appropriate action if such access points are discovered.

AC-19 Access Control for Portable and Mobile Systems: The organization: (i) establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and (ii) authorizes, monitors, and controls device access to organizational information systems.

AC-20 Use of External Information Systems: The organization establishes terms and conditions for authorized individuals to: (i) access the information system from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.

AC-20 (1) Use of External Information Systems: The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization: (i) can verify the employment of required security controls on the external system as specified in the organization’s information security policy and system security plan; or (ii) has approved information system connection or processing agreements with the organizational entity hosting the external information system.
B16 Audit and Accountability (AU)

The status of audit and accountability controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all systems; MH=Moderate and High systems; H=high systems only. Mark those that are not applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | Planned | In Place | [Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

AU-1 Audit and Accountability Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

AU-2 Auditable Events: The information system generates audit records for the following events: [Assignment: organization-defined auditable events].

AU-2 (1) Auditable Events: The information system provides the capability to compile audit records from multiple components throughout the system into a system-wide (logical or physical), time-correlated audit trail.

AU-2 (2) Auditable Events: The information system provides the capability to manage the selection of events to be audited by individual components of the system.

AU-2 (3) Auditable Events: The organization periodically reviews and updates the list of organization-defined auditable events.

AU-3 Content of Audit Records: The information system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.

AU-3 (1) Content of Audit Records: The information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.

AU-3 (2) Content of Audit Records: The information system provides the capability to centrally manage the content of audit records generated by individual components throughout the system.

AU-4 Audit Storage Capacity: The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

AU-5 Response To Audit Processing Failures: The information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

AU-5 (1) Response To Audit Processing Failures: The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage of maximum audit record storage capacity].

AU-5 (2) Response To Audit Processing Failures: The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
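AU-3, AU-4 and AU-5 together describe what an audit record must contain and what the system does as storage fills. The Python below is an added example for this template, not HUD or NIST code: it writes records carrying the AU-3 content (what, where from, who, outcome, plus a time stamp), warns once at an AU-5 (1) threshold, and applies one of the three AU-5 failure actions named in the control text when storage is full. The 10-record capacity, the 80% threshold, the sample events and the class and function names are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional


class AuditStorageExhausted(RuntimeError):
    """Raised when the configured AU-5 failure action is to shut the system down."""


class AuditTrail:
    """Append-only audit trail with AU-3 record content and AU-4/AU-5 capacity handling.

    capacity        stand-in for the allocated storage (AU-4), counted in records
    warning_percent [Assignment: organization-defined percentage] for AU-5 (1)
    failure_action  [Assignment: organization-defined actions] for AU-5, one of
                    "overwrite_oldest", "stop_recording" or "shut_down"
    """

    ACTIONS = ("overwrite_oldest", "stop_recording", "shut_down")

    def __init__(self, capacity: int = 10, warning_percent: int = 80,
                 failure_action: str = "overwrite_oldest") -> None:
        if failure_action not in self.ACTIONS:
            raise ValueError(f"unknown failure action: {failure_action}")
        self.capacity = capacity
        self.warning_percent = warning_percent
        self.failure_action = failure_action
        self.records: List[dict] = []
        self.alerts: List[str] = []      # what would go to organizational officials
        self.dropped = 0                 # records lost under "stop_recording"
        self._warned = False

    def percent_used(self) -> int:
        return 100 * len(self.records) // self.capacity

    def record(self, event: str, source: str, subject: str, outcome: str,
               when: Optional[datetime] = None, **details) -> bool:
        """Store one record. AU-3: what happened (event), where it came from (source), who
        did it (subject) and how it ended (outcome), with an AU-8 time stamp. Returns False
        when the record could not be stored."""
        when = when or datetime.now(timezone.utc)
        rec = {"time": when.isoformat(), "event": event, "source": source,
               "subject": subject, "outcome": outcome}
        if details:
            rec["details"] = details              # AU-3 (1): optional extra detail

        if len(self.records) >= self.capacity:    # AU-5: audit processing failure
            self.alerts.append(f"AUDIT FAILURE: storage full; action={self.failure_action}")
            if self.failure_action == "shut_down":
                raise AuditStorageExhausted("audit storage exhausted")
            if self.failure_action == "stop_recording":
                self.dropped += 1
                return False
            self.records.pop(0)                   # overwrite the oldest record

        self.records.append(rec)
        if not self._warned and self.percent_used() >= self.warning_percent:
            self.alerts.append(f"WARNING: audit storage at {self.percent_used()}% of capacity")
            self._warned = True                   # AU-5 (1): one warning per threshold crossing
        return True

    def export(self) -> str:
        """One JSON object per line, the usual shape for shipping to a central collector."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def demo(failure_action: str = "overwrite_oldest") -> AuditTrail:
    """Constructed scenario: 11 logon events into a 10-record store with an 80% warning."""
    trail = AuditTrail(capacity=10, warning_percent=80, failure_action=failure_action)
    t0 = datetime(2009, 5, 18, 9, 0, tzinfo=timezone.utc)   # constructed time base
    for i in range(11):
        trail.record("logon", source="192.0.2.10", subject=f"user{i}",
                     outcome="success" if i % 3 else "failure",
                     when=t0 + timedelta(seconds=i))
    return trail
```

The choice among the three failure actions is the one the plan has to document: overwriting the oldest records keeps the system up but loses history, stopping the audit function keeps history but leaves new activity unrecorded, and shutting down preserves accountability at the cost of availability. Whichever is chosen, the alert to officials fires first.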

AU-6 Audit Monitoring, Analysis, and Reporting: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

AU-6 (1) Audit Monitoring, Analysis, and Reporting: The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.

AU-6 (2) Audit Monitoring, Analysis, and Reporting: The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].

AU-7 Audit Reduction and Report Generation: The information system provides an audit reduction and report generation capability.

AU-7 (1) Place Holder: The information system provides the capability to automatically process audit records for events of interest based upon selectable, event criteria.

AU-8 Time Stamps: The information system provides time stamps for use in audit record generation.

AU-8 (1) Time Stamps: The organization synchronizes internal information system clocks [Assignment: organization-defined frequency].

AU-9 Protection of Audit Information: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9 (1) Protection of Audit Information: The information system produces audit records on hardware-enforced, write-once media.

AU-10 Non-repudiation: The information system provides the capability to determine whether a given individual took a particular action.

AU-11 Audit Retention: The organization retains audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
B17 System and Communications Protection (SC)

The status of system and communications protection controls for the [System Name] is as indicated in the following table:
[Use the Not Applicable column to identify the controls applicable to the system. A=all systems; MH=Moderate and High systems; H=high systems only. Mark those that are not applicable as “NA”; do not delete them.]

Control Number | Description of Control | Not Applicable | Planned | In Place | [Document how the control has been specifically implemented for the system; describe actions that are planned to complete implementation]

SC-1 System & Communications Protection Policy & Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2 Application Partitioning: The information system separates user functionality (including user interface services) from information system management functionality.

SC-3 Security Function Isolation: The information system isolates security functions from non-security functions.

SC-3 (1) Security Function Isolation: The information system employs underlying hardware separation mechanisms to facilitate security function isolation.

SC-3 (2) Security Function Isolation: The information system isolates critical security functions (i.e., functions enforcing access and information flow control) from both non-security functions and from other security functions.

SC-3 (3) Security Function Isolation: The information system minimizes the number of non-security functions included within the isolation boundary containing security functions.

SC-3 (4) Security Function Isolation: The information system security functions are implemented as largely independent modules that avoid unnecessary interactions between modules.

SC-3 (5) Security Function Isolation: The information system security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

SC-4 Information Remnants: The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-5 Denial of Service Protection: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

SC-5 (1)  Denial of Service Protection: The information system restricts the ability of users to
          launch denial of service attacks against other information systems or networks.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-5 (2)  Denial of Service Protection: The information system manages excess capacity, bandwidth,
          or other redundancy to limit the effects of information flooding types of denial of
          service attacks.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-6      Resource Priority: The information system limits the use of resources by priority.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7      Boundary Protection: The information system monitors and controls communications at the
          external boundary of the information system and at key internal boundaries within the
          system.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7 (1)  Boundary Protection: The organization physically allocates publicly accessible information
          system components to separate sub-networks with separate, physical network interfaces.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7 (2)  Boundary Protection: The organization prevents public access into the organization's
          internal networks except as appropriately mediated.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7 (3)  Boundary Protection: The organization limits the number of access points to the
          information system to allow for better monitoring of inbound and outbound network traffic.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7 (4)  Boundary Protection: The organization implements a managed interface (boundary protection
          devices in an effective security architecture) with any external telecommunication
          service, implementing controls appropriate to the required protection of the
          confidentiality and integrity of the information being transmitted.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7 (5)  Boundary Protection: The information system denies network traffic by default and allows
          network traffic by exception (i.e., deny all, permit by exception).
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-7 (6)  Boundary Protection: The organization prevents the unauthorized release of information
          outside of the information system boundary or any unauthorized communication through the
          information system boundary when there is an operational failure of the boundary
          protection mechanisms.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:
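SC-7 (5) and SC-7 (6) are easiest to evidence with a policy whose default action is deny and whose enforcement point refuses to operate on a rule set it cannot fully load. The Python model below is an added example written for this page, not text from the HUD template or code from any HUD system; the rule syntax, the network ranges (RFC 5737 documentation addresses) and the ports are constructed assumptions. It decides the same traffic under a deny-default and a permit-default policy, and its loader returns no policy at all (so every decision is deny) when a single line is malformed.

```python
"""Deny-all, permit-by-exception boundary policy. Added example for SC-7 (5) and the
fail-closed behaviour of SC-7 (6); not part of the HUD template or of any HUD system.
Rule syntax, addresses and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


class BoundaryPolicy:
    """Ordered rules, first match wins; anything unmatched gets the default action."""

    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        if default_action not in ("permit", "deny"):
            raise ValueError("default action must be 'permit' or 'deny'")
        self.rules = list(rules)
        self.default_action = default_action

    def decide(self, proto: str, src: str, dst: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                return rule.action
        return self.default_action


def parse_rules(text: str) -> List[Rule]:
    """Parse '<permit|deny> <proto> <src cidr> <dst cidr> <dport|any>' lines.
    '#' comments and blank lines are ignored. A malformed line raises ValueError
    so the caller can refuse to run with a partial rule set."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, proto, src, dst, port = fields
        ip_network(src), ip_network(dst)  # reject bad CIDRs (host bits set, etc.)
        rules.append(Rule(action, proto, src, dst, None if port == "any" else int(port)))
    return rules


def load_or_fail_closed(text: str) -> Optional[BoundaryPolicy]:
    """Return a deny-default policy, or None when the rule set cannot be trusted."""
    try:
        return BoundaryPolicy(parse_rules(text), "deny")
    except ValueError:
        return None


def decide_fail_closed(policy: Optional[BoundaryPolicy], proto: str, src: str,
                       dst: str, dport: int) -> str:
    """SC-7 (6): with no operational policy, nothing crosses the boundary."""
    return "deny" if policy is None else policy.decide(proto, src, dst, dport)


# Constructed sample: a public web tier on its own sub-network (cf. SC-7 (1)) is
# reachable only on 443; SSH is permitted only from a management network.
SAMPLE_RULES = """
# action proto source        destination      dport
permit   tcp   0.0.0.0/0     203.0.113.10/32  443
permit   tcp   192.0.2.0/24  203.0.113.0/24   22
"""


def build_sample_policy(default_action: str = "deny") -> BoundaryPolicy:
    return BoundaryPolicy(parse_rules(SAMPLE_RULES), default_action)


if __name__ == "__main__":
    for default in ("deny", "permit"):
        policy = build_sample_policy(default)
        # Internet host trying SSH against the web tier: blocked only under deny-default.
        print(default, "->", policy.decide("tcp", "198.51.100.7", "203.0.113.10", 22))
```

Run as a script it prints the decision for an Internet host attempting SSH against the web tier under each default; the permit-default variant lets that connection through, which is exactly the gap SC-7 (5) closes. When documenting the control, compare the deployed device's final (default) rule and its behaviour on a failed policy load against this model rather than relying on the rule count.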


SC-8      Transmission Integrity: The information system protects the integrity of transmitted
          information.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-8 (1)  Transmission Integrity: The organization employs cryptographic mechanisms to recognize
          changes to information during transmission unless otherwise protected by alternative
          physical measures.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-9      Transmission Confidentiality: The information system protects the confidentiality of
          transmitted information.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-9 (1)  Transmission Confidentiality: The organization employs cryptographic mechanisms to prevent
          unauthorized disclosure of information during transmission unless otherwise protected by
          alternative physical measures.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-10     Network Disconnect: The information system terminates a network connection at the end of a
          session or after [Assignment: organization-defined time period] of inactivity.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-11     Trusted Path: The information system establishes a trusted communications path between the
          user and the following security functions of the system: [Assignment: organization-defined
          security functions to include at a minimum, information system authentication and
          re-authentication].
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-12     Cryptographic Key Establishment and Management: When cryptography is required and employed
          within the information system, the organization establishes and manages cryptographic keys
          using automated mechanisms with supporting procedures or manual procedures.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-13     Use of Cryptography: For information requiring cryptographic protection, the information
          system implements cryptographic mechanisms that comply with applicable laws, Executive
          Orders, directives, policies, regulations, standards, and guidance.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-14     Public Access Protections: The information system protects the integrity and availability
          of publicly available information and applications.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-15     Collaborative Computing: The information system prohibits remote activation of
          collaborative computing mechanisms and provides an explicit indication of use to the local
          users.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:


SC-15 (1) Collaborative Computing: The information system provides physical disconnect of camera and
          microphone in a manner that supports ease of use.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-16     Transmission of Security Parameters: The information system reliably associates security
          parameters with information exchanged between information systems.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-17     Public Key Infrastructure Certificates: The organization issues public key certificates
          under an appropriate certificate policy or obtains public key certificates under an
          appropriate certificate policy from an approved service provider.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-18     Mobile Code: The organization: (i) establishes usage restrictions and implementation
          guidance for mobile code technologies based on the potential to cause damage to the
          information system if used maliciously; and (ii) authorizes, monitors, and controls the
          use of mobile code within the information system.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-19     Voice Over Internet Protocol: The organization: (i) establishes usage restrictions and
          implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the
          potential to cause damage to the information system if used maliciously; and (ii)
          authorizes, monitors, and controls the use of VoIP within the information system.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-20     Secure Name/Address Resolution Service (Authoritative Source): The information system that
          provides name/address resolution service provides additional data origin and integrity
          artifacts along with the authoritative data it returns in response to resolution queries.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-20 (1) Secure Name/Address Resolution Service (Authoritative Source): The information system, when
          operating as part of a distributed, hierarchical namespace, provides the means to indicate
          the security status of child subspaces and (if the child supports secure resolution
          services) enable verification of a chain of trust among parent and child domains.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-21     Secure Name/Address Resolution Service (Recursive or Caching Resolver): The information
          system that provides name/address resolution service for local clients performs data origin
          authentication and data integrity verification on the resolution responses it receives from
          authoritative sources when requested by client systems.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:


SC-21 (1) Secure Name/Address Resolution Service (Recursive or Caching Resolver): The information
          system performs data origin authentication and data integrity verification on all
          resolution responses whether or not local clients explicitly request this service.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-22     Architecture and Provisioning for Name/Address Resolution Service: The information systems
          that collectively provide name/address resolution service for an organization are fault
          tolerant and implement role separation.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:

SC-23     Session Authenticity: The information system provides mechanisms to protect the
          authenticity of communications sessions.
          [ ] In Place  [ ] Planned  [ ] Not Applicable  Implementation:
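SC-8 (1), SC-10 and SC-23 meet in the handling of a session: the system must detect any change to the session data it exchanges, prove that a presented session is one it issued, and end the session at logout or after the organization-defined idle period. The Python below is an added example written for this page, not part of the HUD template or of any HUD system; the key, the 900-second idle period and the session claims are constructed assumptions, and the clock is injectable so the idle behaviour can be shown without waiting. It issues an HMAC-SHA256 authenticated token, rejects a token whose user claim was rewritten under the old tag, treats the idle limit as inclusive, and does not revive a session once it has been terminated.

```python
"""Authenticated session tokens with idle termination. Added example for SC-8 (1),
SC-10 and SC-23; not part of the HUD template or of any HUD system. Key, idle
period and claims are constructed assumptions for illustration only."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional


class SessionManager:
    def __init__(self, key: bytes, idle_timeout_s: int,
                 clock: Callable[[], float] = time.time):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self.idle_timeout_s = idle_timeout_s   # [organization-defined time period]
        self._clock = clock                    # injectable so tests control time
        self._last_activity: Dict[str, float] = {}

    def _mac(self, payload: bytes) -> bytes:
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(tag)

    def issue(self, session_id: str, user: str) -> str:
        """Create '<payload>.<mac>'; the MAC covers every byte of the payload."""
        claims = {"sid": session_id, "user": user, "iat": int(self._clock())}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        self._last_activity[session_id] = self._clock()
        return (base64.urlsafe_b64encode(payload) + b"." + self._mac(payload)).decode("ascii")

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims if the token is authentic and the session is active;
        otherwise return None (terminating the session if it idled out)."""
        try:
            b64_payload, tag = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64_payload)
        except (ValueError, binascii.Error):
            return None
        # Constant-time comparison: a forged or altered token is rejected without
        # revealing how many tag bytes were right (SC-8 (1), SC-23).
        if not hmac.compare_digest(self._mac(payload), tag.encode("utf-8")):
            return None
        claims = json.loads(payload)
        sid = claims["sid"]
        last = self._last_activity.get(sid)
        if last is None:
            return None  # already ended by logout or an earlier idle timeout
        now = self._clock()
        if now - last > self.idle_timeout_s:
            self.terminate(sid)  # SC-10: disconnect after the idle period
            return None
        self._last_activity[sid] = now
        return claims

    def terminate(self, session_id: str) -> None:
        """SC-10: end the session at end of session (logout) or on idle timeout."""
        self._last_activity.pop(session_id, None)


def tamper_user(token: str, new_user: str) -> str:
    """Attacker model for the demo: rewrite the user claim but keep the old MAC."""
    b64_payload, tag = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64_payload))
    claims["user"] = new_user
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + tag


def demo() -> dict:
    """Walk one session through issue, tampering and idle timeout; return outcomes."""
    now = [1_000_000.0]                      # constructed, controllable clock
    mgr = SessionManager(b"\x01" * 32, idle_timeout_s=900, clock=lambda: now[0])
    token = mgr.issue("s-1", "alice")
    results = {"fresh": mgr.verify(token)["user"]}
    results["tampered"] = mgr.verify(tamper_user(token, "admin"))
    now[0] += 900                            # exactly at the limit: still active
    results["at_limit"] = mgr.verify(token)["user"]
    now[0] += 901                            # past the idle period: terminated
    results["after_idle"] = mgr.verify(token)
    now[0] -= 901                            # the session does not come back
    results["after_termination"] = mgr.verify(token)
    return results


if __name__ == "__main__":
    print(demo())
```

hmac.compare_digest keeps the tag check constant-time, and the tag covers the whole serialized payload, so the session identifier cannot be swapped any more than the user can. Key establishment (SC-12) and the transport protection that carries the token (SC-9, SC-13) are out of scope here; the example demonstrates only the integrity and session-lifetime checks the three controls ask for.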


Appendix A – [SYSTEM NAME] Rules of Behavior

Below is a template for writing Rules of Behavior (ROB) for your organization. National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-18 recommends that the ROB be
included in the System Security Plan (SSP) as an appendix such as this.

1. Responsibilities
Discussion: In this section, you will need to describe what ROB are, why they are needed, what users
can expect, and the consequences for violating ROB. Sample language for completing this section is
provided below.

Sample Language:

What are Rules of Behavior?

It is recommended that every System Security Plan (SSP) contain Rules of Behavior (ROB). ROB
apply to the system users and list specific responsibilities and expected behavior of all individuals with
access to or use of the named information system. In addition, ROB outline the consequences of
non-compliance and/or violations.

Why are Rules of Behavior Needed?

ROB are part of a complete program to provide good information security and raise security awareness.
ROB describe standard practices needed to ensure safe, secure, and reliable use of information and
information systems.

Who is Covered by the Rules of Behavior?

The ROB covers all government and non-government users of the named information systems. This
includes contract personnel and other funded users.

What are the Consequences for Violating the Rules of Behavior?

Penalties for non-compliance may include, but are not limited to, a verbal or written warning, removal of
system access, reassignment to other duties, demotion, suspension, termination, and possible criminal
and/or civil prosecution.

2. Application and Organization Rules

Discussion: In this section you will list the ROB that apply to application users and the organization
in general. Subsections A through F list the most common and minimal set of ROB as recommended by
NIST SP 800-18. Subsection G lists other ROB that may apply to your organization. Subsection H includes
ROB for system administrators. Each subsection is discussed in detail below.

Note: The sample ROB that appear below are very restrictive. It is understood that certain
organizations allow flexibility (e.g. computers may be used on a limited basis for personal use) and
therefore ROB should be adjusted accordingly. In addition, not all samples listed below will apply to
your system or organization. You may find it necessary to modify some samples to comply with your
specific needs and requirements.

Discussion: The following categories are the most common ROB. These categories are listed in NIST
800-18 as the “minimal” recommended set of ROB that an organization should have. Sample language
for each category is provided below.

Sample Language:

A. Passwords
1. Passwords should be a minimum of eight characters, and be a combination of letters, numbers
and special characters (such as *#$ %). Dictionary words should not be used.
2. Passwords will be changed at least every 90 days and should never be repeated. Compromised
passwords will be changed immediately.
3. Passwords must be unique to each user and must never be shared by that user with other users.
For example, colleagues sharing office space must never share each other’s password to gain
system access.
4. Users who require multiple passwords should never be allowed to use the same password for
multiple applications.
5. Passwords must never be stored in an unsecured location. Preferably, passwords should be
memorized. If this is not possible, passwords should be kept in an approved storage device, such
as a General Services Administration (GSA)-approved security container. If they are stored on a
computer, this computer should not be connected to a network or the Internet, and the file must be
encrypted.
B. Encryption
1. Extremely sensitive data should be encrypted prior to transmission.

2. The sensitivity of the information needing protection, among other considerations, determines
the sophistication of the encryption technology. In most circumstances, only the most sensitive
or compartmentalized information should be encrypted.

3. Files that contain passwords, proprietary, personnel, or business information, and financial data
typically require encryption before transmission, and should be encrypted while stored on the
computer’s hard disk drive.

4. Sensitive information that travels over wireless networks and devices should be encrypted.

C. Internet Usage

1. Downloading files, programs, templates, images, and messages, except those explicitly
authorized and approved by the system administrator, is prohibited.
2. Visiting websites including, but not limited to, those that promote, display, discuss, share, or
distribute hateful, racist, pornographic, explicit, or illegal activity is strictly prohibited.
3. Because they pose a potential security risk, the use of Web-based instant messaging or other
communication software or devices is prohibited.
4. Using the Internet to make non-work related purchases or acquisitions is prohibited.


5. Using the Internet to manage, run, supervise, or conduct personal business enterprises is
prohibited.

D. Email

1. Except for limited personal use, non-work-related e-mail is prohibited. The dissemination of e-
mail chain letters, e-mail invitations, or e-mail cards is prohibited.
2. E-mail addresses and e-mail list-serves constitute sensitive information and are never to be sold,
shared, disseminated, or used in any unofficial manner.
3. Using an official e-mail address to subscribe to any non-work related electronically distributed
newsletter or magazine is prohibited.

E. Working from Home/Remote Dial-up Access

1. Users may dial into the network remotely only if pre-approved by the system administrator.
2. Users must be certain to log-off and secure all connections/ports upon completion.
3. Users who work from home must ensure a safe and secure working environment free from
unauthorized visitors. At no time should a “live” dial-up connection be left unattended.
4. Web browsers must be configured to limit vulnerability to an intrusion and increase security.
5. Home users connected to the Internet via a broadband connection (e.g. DSL or a cable-modem)
must install a hardware or software firewall.

6. No official material may be stored on the user’s personal computer. All data must be stored on a
floppy disk and then secured in a locked filing cabinet, locker, etc.

7. Operating system configurations should be selected to increase security.

F. Unofficial Use of Government Equipment

Except for limited personal use, government equipment including, but not limited to, fax machines,
copying machines, postage machines, telephones, and computers is for official use only.

G. Other Rules of Behavior

Discussion: Subsections A through F above list the most common ROB categories as recommended by
NIST SP 800-18. However, there are other ROB which may apply to your organization; include those
rules here. Note: It is not necessary to begin a new section or to differentiate between the types of
rules (i.e. "most common" vs. "other").
Additional ROB that may apply appear below.

1. Using system resources to copy, distribute, utilize, or install unauthorized copyrighted material
is prohibited.

2. Users who no longer require IT system access (as a result of job change, job transfer, or
reassignment of job responsibilities) must notify the system administrator.

3. When not in use, workstations must be physically secured. Users must also log-off or turn-off
the system.


4. Screen-savers must be password protected.

5. Movable media (such as diskettes, CD-ROMs, Zip disks, and thumb drives) that contain
sensitive and/or official information must be secured when not in use.

6. Altering code, introducing malicious content, denying service, port mapping, engaging a
network sniffer, or tampering with another person’s account is prohibited.

7. If a user is locked out of the system, the user should not attempt to log-on as someone else.
Rather, the user should contact the system administrator.

H. Additional Rules of Behavior for System Administrators

Note: This section only applies to system administrators. If you are writing a ROB for system users, you
may skip this section and continue to Section 3.

Discussion: System administrators have a unique responsibility above and beyond that of regular users.
In addition to being regular system users, they also have special access privileges that regular users do
not have. Therefore, they need to be subject to additional ROB over and above those for the common user.

System User vs. System Administrator Option: You may find it easier to create two separate ROB
documents, one for system users and the other for system administrators. The system users' ROB would
include subsections A through G only, while the system administrators' ROB would include subsections
A through H. Alternatively, you could create one ROB document noting that this subsection applies only
to system administrators.

Sample Rules of Behavior Language for System Administrators:

1. System administrators may only access or view user accounts with the express consent of
the user and/or management.

2. System administrators may not track or audit user accounts without the express consent of
the user and/or management.

3. System administrators must make every reasonable effort to keep the network free from
viruses, worms, Trojans, and unauthorized penetrations.

4. It is the system administrators’ responsibility to account for all system hardware and
software loaned to system users for the execution of their official duties.

3. Acknowledgment
Discussion: In this section, you will create a signature page. Prior to receiving authorization for system
access, every user should read and sign the ROB (this includes system administrators since they are also
“users” of the system). By signing the signature page, the user agrees to abide by the ROB and
understands that failure to do so might be grounds for disciplinary action.

Ensure that users retain a copy of their signed ROB for their records.

I have read and understand the Rules of Behavior governing my use of System Name and agree to
abide by them. I understand that failure to do so may result in disciplinary action being brought
against me.


User Name (please print) _____________________________________

User Signature_____________________________________________

Organization_______________________________________________

Date_____________________________________________________


INDEX

Applicable Laws or Regulations Affecting the System ........ 6
Audit Trails ........ 43
Authorize Processing (C&A) ........ 19
Availability ........ 6, 7, 8, 10, 13
Computer Security Act of 1987 ........ vi
Confidentiality ........ 6, 7, 8, 10, 12
Contact(s) ........ 1
Data Integrity ........ 32
Description/Purpose ........ 3
Documentation ........ vi
Encryption ........ 2
Identification and Authentication ........ 38
Information Categories ........ 7
Integrity ........ 6, 7, 8, 10, 13
Logical Access Controls ........ 40
Management Controls ........ 15
Management of Federal Information Resources and Public Law 100-235 ........ vi
NIST Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems ........ vi
NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information Technology ........ vi
Office of Management and Budget (OMB) Circular A-130 ........ vi, 4, 1
Operational Controls ........ 20
Operational Status ........ 2
Password ........ 2, 3
Personnel Security ........ 20
Physical and Environmental Protection ........ 22
Rules of Behavior ........ 5, 1, 3, 4
Security Controls ........ vi, 5, 9, 12
Security Responsibility ........ 2
Sensitivity ........ 4, 6, 7, 12
System Environment ........ 3
System Identification ........ 1, 14
System Interconnection/Information Sharing ........ 4
System Security Plan ........ vi
Technical Controls ........ 38
