Navigation

System Security Plan Development and Evolution
Risk Assessments
Contingency Planning
Incident Response Planning
Certifications and Accreditations (C&A)
Security Policy Development
Vulnerability Assessments
Forensics Analysis

System Security Plan Development and Evaluation

We develop and evaluate System Security Plans for major applications and general support systems. The objective of system security planning is to improve protection of Information Technology (IT) resources. The protection of a system must be documented in a system security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Public Law 100-235, "Computer Security Act of 1987."

The purpose of the security plan is to provide an overview of the security requirements of the system and to describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan, and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.

The security plan should contain, at a minimum, the information outlined in NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.