BRACKETOLOGY | FEDRAMP

PL-2: SYSTEM SECURITY PLAN

FedRAMP Baseline Membership PL-2: LOW, MODERATE, HIGH

The organization:

    • a. Develops a security plan for the information system that:
      1. Is consistent with the organization's enterprise architecture;
      2. Explicitly defines the authorization boundary for the system;
      3. Describes the operational context of the information system in terms of missions and business processes;
      4. Provides the security categorization of the information system including supporting rationale;
      5. Describes the operational environment for the information system and relationships with or connections to other information systems;
      6. Provides an overview of the security requirements for the system;
      7. Identifies any relevant overlays, if applicable;
      8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
      9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
    • b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
    • c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
    • d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
    • e. Protects the security plan from unauthorized disclosure and modification.
FedRAMP control configuration (identical for the LOW, MODERATE, and HIGH baselines; FedRAMP sets the review frequency in c. to at least annually):

The organization:

  • a. Develops a security plan for the information system that:
    1. Is consistent with the organization's enterprise architecture;
    2. Explicitly defines the authorization boundary for the system;
    3. Describes the operational context of the information system in terms of missions and business processes;
    4. Provides the security categorization of the information system including supporting rationale;
    5. Describes the operational environment for the information system and relationships with or connections to other information systems;
    6. Provides an overview of the security requirements for the system;
    7. Identifies any relevant overlays, if applicable;
    8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
    9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
  • b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
  • c. Reviews the security plan for the information system at least annually;
  • d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
  • e. Protects the security plan from unauthorized disclosure and modification.

SUPPLEMENTAL GUIDANCE

"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.

Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans."

CONTROL ENHANCEMENTS

PL-2 (1) SYSTEM SECURITY PLAN | CONCEPT OF OPERATIONS

[Withdrawn: Incorporated into PL-7].

PL-2 (2) SYSTEM SECURITY PLAN | FUNCTIONAL ARCHITECTURE

[Withdrawn: Incorporated into PL-8].

PL-2 (3) SYSTEM SECURITY PLAN | PLAN/COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
FedRAMP Baseline Membership PL-2 (3): MODERATE, HIGH

The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.

There are no FedRAMP-specific requirements if this control enhancement is used for a LOW, MODERATE, or HIGH Impact system.

Supplemental Guidance:

Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.

RELATED CONTROLS: PL-2 (3)

REFERENCES:

  • NIST Special Publication 800-18

© 2017-2019 Wayfinder Digital, LLC. All Rights Reserved