03.15.02 System Security Plan

This policy outlines the requirements for developing, maintaining, and protecting System Security Plans (SSPs) for all systems processing, storing, or transmitting Controlled Unclassified Information (CUI). The SSP serves as a critical document for identifying and mitigating risks to CUI and ensuring the confidentiality, integrity, and availability of the system and its associated data.

• A.03.15.02.ODP[01]: the frequency at which the system security plan is reviewed and updated is defined.
• A.03.15.02.a.01: a system security plan that defines the constituent system components is developed.
• A.03.15.02.a.02: a system security plan that identifies the information types processed, stored, and transmitted by the system is developed.
• A.03.15.02.a.03: a system security plan that describes specific threats to the system that are of concern to the organization is developed.
• A.03.15.02.a.04: a system security plan that describes the operational environment for the system and any dependencies on or connections to other systems or system components is developed.
• A.03.15.02.a.05: a system security plan that provides an overview of the security requirements for the system is developed.
• A.03.15.02.a.06: a system security plan that describes the safeguards in place or planned for meeting the security requirements is developed.
• A.03.15.02.a.07: a system security plan that identifies individuals that fulfill system roles and responsibilities is developed.
• A.03.15.02.a.08: a system security plan that includes other relevant information necessary for the protection of CUI is developed.
• A.03.15.02.b[01]: the system security plan is reviewed <A.03.15.02.ODP[01]: frequency>.
• A.03.15.02.b[02]: the system security plan is updated <A.03.15.02.ODP[01]: frequency>.
• A.03.15.02.c: the system security plan is protected from unauthorized disclosure.