1. NIST Security Control Families

Family | Category
Risk Assessment | Management
Planning | Management
System & Services Acquisition | Management
Security Assessment & Authorization | Management
Personnel Security | Operational
Physical & Environmental Protection | Operational
Contingency Planning | Operational
Configuration Management | Operational
Maintenance | Operational
System & Information Integrity | Operational
Media Protection | Operational
Incident Response | Operational
Awareness & Training | Operational
Identification & Authentication | Technical
Access Control | Technical
Audit & Accountability | Technical
System & Communications Protection | Technical

2. System Identification

3. Information System Owner

4. Information System Contacts

Business Data Owner

Authorizing Official – Technical Owner

Information System Security Officer

Other Key Contacts

5. System Operational Status

Under development
Operational
Major modification
Decommissioned
Other

6. Information System Type

Major application
General support system
Major modification
Decommissioned
Other

7. Operational Support Level

8. System Description and Purpose

Business function / process
Who the system serves
Type of data utilized
Third party involvement
Level of access needed
Number of users (internal / external)
Data classification levels
Comments

9. System Environment

10. System Physical Location

11. System Information / Components

Components | Server Names | Description | Function

12. Security Objectives

Rate the impact for each of the three CIA objectives (confidentiality, integrity, availability). The FIPS 199 system security categorization is the highest of the three ratings.

12.1 — Confidentiality

12.2 — Integrity

12.3 — Availability

12.4 — System Security Categorization (FIPS 199)

Highest of the three above:

13. System & Data Classification

13.1 — Privacy Threshold Assessment (PTA)

PII Type | Yes | No

13.2 — Information Classification

Data Types (CDT / SIMM 5305-A) | Yes | No

14. Cloud Information Systems Architecture Standard (CISAS)

Guidance for Cloud Networking, IAM, Infrastructure Protection, Data Protection, Detection, and Recovery.

14.1 — Cloud Network

Control | Yes | No | N/A | Notes

14.2 — Identity & Access Management

Control | Yes | No | N/A | Notes

14.3 — Infrastructure Protection

Control | Yes | No | N/A | Notes

14.4 — Data Protection

Control | Yes | No | N/A | Notes

14.5 — Detection

Control | Yes | No | N/A | Notes

14.6 — Recovery

Control | Yes | No | N/A | Notes

15. System Confidential Data & User Access

15.0 — Network Diagram

Attach the network diagram (maximum file size approximately 10 MB).

15.1 — System Confidential Data transfer inventory

List all sources of confidential data within the system, including inputs, outputs, and web-based components that accept user input.

15.2 — User Community Organizations and Access

Describe the privileged system users and their access (system, service, and administrative accounts).

16. System Interconnection / Information Sharing

16.1 — System Inputs and Outputs

List each system input and output: the connecting system, the data exchanged, its classification, the transfer method, direction, destination, frequency, and a contact.

16.2 — System Interconnections

List each connection and check whether it is G2G (government-to-government), G2B (government-to-business), or G2C (government-to-citizen). Mark the connection as trusted if applicable.

Connection (Sys ID # if [STATE ENTITY] / description if external) | G2G | G2B | G2C | Trusted Connection?

16.3 — Documentation of Untrusted Connections

17. Information System Security Plan Completion Date

Enter the completion date of the plan (if applicable):

18. Information System Security Plan Approval Date

Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file:

19. Information System Recovery Plan Approval Date

Enter the date the Information System Recovery Plan was approved and indicate if the approval documentation is attached or on file: