PRO1 A template for this assignment is provided using the format in NIST Special Publication 800-18 . In addition to the NIST documentation that is linked throughout the course and in the document sharing area, you can locate SSP information in the Howard text on page 105.
To create the SSP for this project, you will be using your home computer system, as if it were used for a home-based business, whereby it may contain customer data and business applications critical to your operations. Although this is a home computer system, it is not completely shielded from many risks that can impact a large corporate business. Interruptions or breaches would place your business in jeopardy. For the purposes of this project, categorize this system as a Federal System in the “HIGH” risk category as defined in FIPS 199 and FIPS 200.
Project Deliverable 1:SSP Expanded Outline and Potential Vulnerabilities Report
SSP Expanded Outline
Using the SSP template (also found in Doc Sharing), complete the expanded outline by inserting a brief statement below each of the 15 sections which:
identifies the applicability of the section to your home system
describes the importance and purpose of the data provided in the section.
Potential Vulnerabilities Report
Utilizing your experience, classroom resources, outside references and industry tools, analyze and generate a comprehensive overview identifying the specific potential vulnerabilities of the system.
Insert this comprehensive overview into the SSP template as Appendix 1.
Submit this assignment to the dropbox no later than the date identified above Name.System Security Plan
Running Head: Name. System Security Plan
System Security Plan
University of Fairfax
IA8110: Certification and Accreditation
Your UoF email address
System Security Plan
1. Information System Name/Title:
In this section provide a unique identifier and name given to the system.
2. Information System Categorization:
Identify the appropriate FIPS 199 categorization.
3. Information System Owner:
Provide the name, title, agency, address, email address, and phone number of the person who owns the system.
4. Authorizing Official:
Provide the name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official.
5. Other Designated Contacts:
List other key personnel, if applicable; include their title, address, email address, and phone number.
6. Assignment of Security Responsibility:
Provide name, title, address, email address, and phone number of person who is responsible for the security of the system.
7. Information System Operational Status:
Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status.
8. Information System Type:
Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose.
General Support System
9. General System Description/Purpose:
Describe the function or purpose of the system and the information processes.
10. System Environment:
Provide a general description of the technical system. Include the primary hardware, software, and communications equipment.
11. System Interconnections/Information Sharing:
List interconnected systems and system identifiers (if appropriate), provide the system, name, organization, system type (major application or general support system), indicate there is an ISA/MOU/MOA on file, date of agreement to interconnect, FIPS 199 category, C&A status, and the name of the authorizing official.
FIPS 199 Category
12. Related Laws/Regulations/Policies
List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system.
13. Minimum Security Controls
Select the appropriate minimum security control baseline (low-, moderate-, high-impact) from NIST SP 800-53, then provide a thorough description of how all the minimum security controls in the applicable baseline are being implemented or planned to be implemented. The description should contain: 1) the security control title; 2) how the security control is being implemented or planned to be implemented; 3) any scoping guidance that has been applied and what type of consideration; and 4) indicate if the security control is a common control and who is responsible for its implementation.
14. Information System Security Plan Completion Date:
Enter the completion date of the plan.
15. Information System Security Plan Approval Date:
Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file.
1. Security Controls Assessment Report (SCA)
2. Risk Assessment Outline
3. Certification Test Matrix Plan
4. Risk Remediation Plan
5. Certification Statement
6. Accreditation Letter