FedRAMP SystemSecurity Plan (SSP)Required DocumentsPresented by: FedRAMP [email protected]

What Does This Course Cover?This course is divided into three main parts:1FedRAMP InitialAuthorizationPackage ChecklistThis is an Excel checklist thatdetails the documents requiredfor a complete FedRAMP initialauthorization package.fedramp.gov2SSP OverviewThis section details the importance of the SSP withrespect to the overall security package.3Course Recap andQuiz The SSP Relationship with Other Documents The SSP Organization and SystemAuthorization Package Attributes SSP Organization and Scope Sections 1 - 12 of the SSP3

Course ObjectivesAt the conclusion of this course,you should understand: What documents are required for the FedRAMP initialauthorization package submission Why the system security plan is one of the essential documentsin the security package How to organize a system security planHow to develop clear, concise, consistent, and completeinformation within each section of a system security planfedramp.gov4

FedRAMP Initial AuthorizationPackage Checklist5

DocumentationFedRAMP is a documentation-heavy process The FedRAMP Program Management Office or PMO has created some templates for documents that the CSP must edit andmodify based on the security controls implemented in its system. Please note that FedRAMP does not have templates forall documents. You should become familiar with theses templates by searching for them on The templates provided by the FedRAMP PMO are intended to:𑁋 Standardize the security assessment process for agency reviews𑁋 Enable CSPs to move through the assessment process quickly𑁋 Enable agencies to more easily recognize where they can find important aspects of the systems used by agencies(some of these documents may be considered attachments to others, but are listed separately to enable easieruploading and tracking) Please note that if no template is provided, cloud service providers should follow the proper NIST standard (SpecialPublication (SP) 800 Series) to ensure required information is captured appropriately.fedramp.gov6

FedRAMP Initial Authorization Package ChecklistCloud Service Providers Documentation ResponsibilitiesSystem Security Plan (SSP) - Must be submitted in Word format and a PDFversionSSP ATTACHMENT 1 - Information Security Policies and Procedures(covering all control families)SSP ATTACHMENT 2 - User GuideSSP ATTACHMENT 3 - Digital Identity WorksheetSSP ATTACHMENT 4 - Privacy Threshold Analysis (PTA)SSP ATTACHMENT 4 - Privacy Impact Assessment (PIA) (if the answer to anyof the qualifying questions in the PTA is “Yes”, complete the PIA templateand submit it as an attachment to the SSP)SSP ATTACHMENT 7 - Configuration Management Plan (CMP)SSP ATTACHMENT 8 - Incident Response Plan (IRP)SSP ATTACHMENT 9 - Control Implementation Summary (CIS) WorkbookSSP ATTACHMENT 10 - Federal Information Processing Standard (FIPS) 199SSP ATTACHMENT 11 - Separation of Duties MatrixSSP ATTACHMENT 12 - Laws and Regulations (if additional system-specificlaws or regulations apply (e.g., HIPAA), include them)SSP ATTACHMENT 13 - Integrated Inventory WorkbookPlan of Action and Milestones (POA&M)SSP ATTACHMENT 5 - Rules of Behavior (RoB)Continuous Monitoring Strategy (required by CA-7)SSP ATTACHMENT 6 - Information System Contingency Plan (ISCP) (be sureto include the Contingency Plan Test Report in Appendix G of the ISCP)Continuous Monitoring Monthly Executive Summaryfedramp.gov7

FedRAMP Initial Authorization Package Checklist (cont.)Third Party Assessment Organizations Documentation ResponsibilitiesSecurity Assessment Plan (SAP)Security AssessmentSAR APPENDIX A - Risk Exposure TableMust be submitted in Word format; final versionscan be submitted in PDF, after a FedRAMPReport (SAR)SAR APPENDIX B - Security Test Case ProceduresMust be submitted in WordSAR APPENDIX C - Infrastructure Scan ResultsAuthorized designation is achievedformat; final versions can besubmitted in PDF, after aSAR APPENDIX D - Database Scan ResultsSAP APPENDIX A - Security Test CaseProceduresSAP APPENDIX B - Penetration Testing Planand MethodologySAP APPENDIX C - 3PAO Supplied Deliverables(e.g., Penetration Test Rules of Engagement,Sampling Methodology)fedramp.govFedRAMP Authorizeddesignation is achievedSAR APPENDIX E - Web Scan ResultsNOTE: Provide all fully authenticated infrastructure, database, andweb scans results generated by the scanner in a readable format.Do not provide files that require a scan license to read the file.Bundle scan results into one zip file.SAR APPENDIX I - Auxiliary Documents (e.g., evidence artifacts)SAR APPENDIX J - Penetration Test Report8

FedRAMP Initial Authorization Package Checklist (cont.)The Authorizing Official or AO Documentation Responsibilities There are two approaches to obtaining a FedRAMP authorization:𑁋 A provisional authorization through the Joint Authorization Board (JAB)𑁋 An authorization through an agency Either the JAB or agency is responsible for the Authorization To Operate Letter (ATO) letter. In the agency authorization path, agencies may work directly with a cloud service provider (CSP) for authorization at any time. CSPsthat make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agencythroughout the FedRAMP authorization process. For a JAB authorization, cloud service providers must submit a business case through the FedRAMP Connect process. FedRAMP may prioritize up to 12 CSOs for a JAB authorization per year.𑁋 In the business case provided to the FedRAMP Connect Team, the most important prioritization criteria is to demonstrategovernment-wide demand for the cloud service offering. Second, cloud service offerings who are FedRAMP Ready havepreference in prioritization.fedramp.gov9

SSP Overview10

Objectives of the SSPWhat is a SystemSecurity Plan orSSP? The system security plan provides an overview of the security requirements for a cloud serviceoffering. The system security plan describes the controls in place, or planned for implementation, toprovide a level of security appropriate for the information to be transmitted, processed, or stored fedramp.govby a system.The system security plan contains the:𑁋𑁋Authorization boundary diagramData flow diagram𑁋𑁋Types of inheritances from other FedRAMP leveraged systemsExternal services in use by the system (external services are other cloud services that are𑁋not FedRAMP authorized such as corporate services and external update services)Federally noted pieces that should be adequately described and secured. For instance: Development/test environmentsAny transport services Multi-factor authenticationAll alternate storage and processing sites11

System Security Plan Document AttachmentsThe SSP is aligned with the following attachments:FedRAMP does add emphasis tothese documents being carefully andthoughtfully created:IT Contingency Plan; IncidentResponse Plan; ConfigurationManagement Plan; Privacy ThresholdAnalysis/Privacy Impact Analysis;Control Implementation SummarySSP ATTACHMENT 1Information Security Policies and Procedures (covering all control families)SSP ATTACHMENT 2User GuideSSP ATTACHMENT 3Digital Identity WorksheetSSP ATTACHMENT 4Privacy Threshold Analysis (PTA)SSP ATTACHMENT 4Privacy Impact Assessment (PIA) (if the answer to any of the qualifying questions in the PTA is “Yes”,complete the PIA template and submit it as an attachment to the SSP)SSP ATTACHMENT 5Rules of Behavior (RoB)SSP ATTACHMENT 6Information System Contingency Plan (ISCP) (be sure to include the Contingency Plan Test Report inAppendix G of the ISCP)SSP ATTACHMENT 7Configuration Management Plan (CMP)SSP ATTACHMENT 8Incident Response Plan (IRP)SSP ATTACHMENT 9Control Implementation Summary (CIS)/Customer Responsibility Matrix (CRM) WorkbookSSP ATTACHMENT 10Federal Information Processing Standard (FIPS) 199SSP ATTACHMENT 11Separation of Duties MatrixSSP ATTACHMENT 12Laws and Regulations (if additional system-specific laws or regulations apply (e.g., HIPAA), includethem)SSP ATTACHMENT 13fedramp.govIntegrated Inventory Workbook12

Necessary Organization and System AttributesThe cloud service offering must be documented to demonstrate important aspects such as:1.2.The system boundary and all data flows internally, externally, and traversing the system boundaryAll dataflows that have FIPS 140 validated encryption internally, externally, and traversing the system boundary with the correct3.directional arrowsThe customer responsibilities, for each security control, defined in the system baseline and what the leveraging partner must do to4.implement controls.System diagrams that show the cloud service offering provides identification and two-factor authentication plus all authenticationmethods minimally for:a. Network access by privileged customer accountsb.c.Network access by non-privileged customer accountsNetwork access by the cloud service privileged administrators5.d. Local access by the cloud service privileged administrators (when applicable)All scanning capabilities for operating systems, databases, and web applications6.7.The CSP can remediate high risks within 30 days, moderate risks within 90 days, and low risks within 180 daysAn inventory for all hardware, software, and firmwarefedramp.gov13

FedRAMP Mindset for SSP DevelopmentHow to Write a SystemSecurity Planfedramp.gov1.Writing Takes Time and Effort2.Strongly and Clearly Articulate System Functionality3.Tell a Story4.Answer Who, What, When, and How5.Answer 100% of the Controls6.Be Clear, Concise, Consistent, and Complete7.Adequately Reference all Documentation8.Ensure Compliance with FedRAMP Policy14

SSP Organization and Scopefedramp.govSection 1:Identifies information system name and titleSection 2:Identifies the system categorization and digital identity determinationSection 3:Identifies the system owner and contact informationSection 4:Identifies the authorizing officialSection 5:Identifies other designated contactsSection 6:Identifies the assignment of security responsibilitySection 7:Identifies the information system operational statusSection 8:Identifies the type of information systemSection 9:Describes the function and purpose of the information systemSection 10:Describes the information system environment and inventorySection 11:Identifies interconnections between other information systemsSection 12:Laws, regulations, standards, and guidanceSection 13:Minimum Security Controls15

Sections 1-8: Identifying the SystemUsing theFedRAMPTemplatesAll tables in the SSP template should be populated with the most current information - the “as is” state. Since the SSP is a living document, it will change based on the system environment.𑁋 If something changes in the SSP, normally the change affects other documents (e.g., theControl Implementation Summary (CIS)/Customer Responsibility Matrix (CRM), the“dash “1” control documentation, etc.). The FedRAMP PMO has incorporated blue italicized text instructions throughout the frontsections of the SSP.𑁋 Once the instructions are met, the instruction can be removed from the document.Consistency and accuracy are key.𑁋 The SSP tells a complete story from the beginning to end. Inconsistencies and inaccuracies result in inconsistencies and inaccuracies in the security control implementation summaries.The authorization boundary is explicitly identified in the network diagram. The data flow diagram is aligned with the authorization boundary diagram.If you have questions [email protected]

Section 9: General System DescriptionSystem Function/PurposeExplain your system's technical function and purposePlease refrain from including marketing language/material.Types of UsersInclude all roles and privileges, including systemadministrators, database administrators, customer end users,and customer administrators as role types.Ensure that roles and privileges are specific and detailed enough tosupport 3PAO testing.fedramp.govInformation System Components & BoundariesDescribe the information system’s major components, interconnections, and boundaries in sufficient detail that fully andaccurately depicts the authorization boundary for the informationsystem.Network ArchitectureProvide a legible and complete network diagram, which maps allsystem components.If the authorization boundary shows sufficient detail regarding items likevirtual private networks, subnets, ports and protocols, DNSSEC, theauthorization boundary might also be able to be used as the networkdiagram.17

Section 10: System Environment and InventorySystem Technical EnvironmentThis section hasthe followingcomponents:General description of the technical system environmentSystem InventoryDirections for attaching the FedRAMP Inventory Workbook (Att. 13 – FedRAMP InventoryWorkbook) can be found within the templateData FlowsDescribe all data flows and stores of dataInclude data flows for privileged and non-privileged authentication/authorization to the system for internaland external users and encryption for all flows and stores internally, externally, and traversing the systemboundaryPorts, Protocols, and ServicesIndicates the components of the information system that make use of the ports, protocols andservicesfedramp.gov18

Section 11: System Interconnections Must be consistent with Table 13-3 - CA-3 Authorized Connections Lists each service provider IP address External Organization and IP address of the system External point of contact and phone number Connection security (IPSec, VPN, SSL Certificates, and Secure File Transfer) Data direction (incoming, outgoing, or both) Information being transmitted Port or circuit numbersfedramp.gov19

Section 12: Laws, Regulations, Standards and Guidance12.LAWS, REGULATIONS, STANDARDS ANDGUIDANCE . 1812.1. Applicable Laws and Regulations . .1812.2. Applicable Standards and Guidance . . .18fedramp.gov20

Section 13: Minimum Security ControlsSecurity controls must meet the minimum security control baseline requirements for: Access Control (AC) Personnel Security (PS) Audit and Accountability (AU) Physical and Environmental Protection (PE) Awareness and Training (AT) Planning (PL) Configuration Management (CM) Risk Assessment (RA) Contingency Planning (CP) Security Assessment and Authorization (SA) Identification and Authentication (IA) Supply Chain Risk Management Incident Response (IR) System and Communications Protection (SC) Maintenance (MA) System and Information Integrity (SI) Media Protection (MP) System and Services Acquisitions (SA)fedramp.gov21

Course Recap28

Course RecapAs a recap to the course material, let’s review a few key takeaways: When writing the SSP think of the 4 C’s - Clear, Concise, Consistent and Complete. The SSP provides a global view of how the system is structured and is the focal point for all FedRAMPdocumentation but other documents that are provided along with the SSP have direct impact on the structureand content provided in the SSP. System boundary is a very critical concept for cloud security models and impacts the risk authorization levels forFedRAMP assessment. Security controls must meet minimum security control baseline requirements as definedby NIST 800-53A Rev 4. A high level of detail is required for writing FedRAMP control implementations and give a 3PAO solidevidence/artifacts when testing the control.fedramp.gov29

References Penetration Guidance NIST 800 53 A2LA Website SAP Template Rev 4 Test Case Workbook 201 B TrainingLearn more at fedramp.govContact us at [email protected]@FEDRAMP30

[email protected] All tables in the SSP template should be populated with the most current information -the “as is” state. Since the SSP is a living document, it will change based on the system environment. !If something changes in the SSP, normally the change affects other documents (e.g., theFile Size: 988KBPage Count: 36Explore furtherHow to Create a System Security Plan (SSP) for NIST 800 .www.sysarc.comDODD 5205.02-M - DoD Operations Security (OPSEC) Program .standards.globalspec.comFIPS 200, Minimum Security Requirements for Federal .nvlpubs.nist.govNIST 800-171 System Security Plan (SSP) Templatecksecuritysolutions.comFedRAMP Security Assessment Framework v2.4www.fedramp.govRecommended to you b