How to Prepare an SSP

Preparing System Security Plans
2013 Joint Security Awareness Council Seminar
Sherry Williams, Speaker
JSAC 17-18 April, 2013
To start a new Classified Program
Contract Instrument
• DD254
• The Federal Acquisition Regulation (FAR) requires that
a DD-254 be incorporated in each classified contract.
The DD-254 provides the contractor (or subcontractor)
security requirements and classification guidance
necessary to perform on a classified contract
• Invitation for Bid (IFB), Independent Research and
Development (IRAD), Request for Proposal (RFP),
Request for Quotation (RFQ)
DD 254…
Data Protection…
• The Security Classification Guide or other
relevant security docs (required prior to
beginning an IS profile)
• Identify classification level(s) and handling
• IS USER required training based on classification level
and handling caveats
• Closed area/Safe training requirements
White Board Meeting…
• “White board” meeting to discuss computing
system requirements (Form 1116)
• Engineering and program requirements
• Unclassified and Classified systems
• Allocate, Build and pre-Certify systems based
upon ODAA technical baseline settings
Why the Defense Security Service (DSS)
denies an Approval to Operate (ATO)
• Missing or incomplete Unique Identifier (UID)
• ISSM did not sign the IS Security Package Submission and Certification Statement
• Missing Hardware List / Software List / Configuration Diagram
• Physical Security not adequately explained
• No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area
• No Certification Test Guide or NISP Tool Results were provided
• Missing letter from Government Contracting Activity (GCA) if any variances are needed
• Identification and Authentication not adequately addressed
• Any unique issues that would require denial of the IATO
• Missing MOU when required
Missing MOU when required…
MOU Requirements:
• Interconnected systems accredited by different DAAs
• Created to establish agreed upon roles, security
responsibilities and other information
• Signed by each DAA and submitted with SSP
• Contractor-to-Contractor system interconnections do not
require an MOU when DSS is the DAA for all systems
• Valid for three years or until system changes occur
affecting security posture
Missing GCA Letter for variances…
• A signed copy of the customer's Risk Acceptance Letter (RAL) on
Government letterhead stating they are willing to assume the
residual risk for, e.g., alternate trusted download procedures
• Special purpose/Non-Compliant systems requiring a RAL should be
under a separate profile; if connection to the larger compliant
system is required, a single page Network Security Plan (NSP) may
be used
• Risk Acceptance Letters must be updated when the plan is
reaccredited every three years
Variances and Self-Certification
• Profiles with RALs and Variances render an IS non-NISPOM
compliant and therefore ineligible for Self-Certification authority
• Variance requests must be submitted after the MSSP ATO is granted,
include a description of the approved variance, and be signed
• The approved variance must be maintained with the profile
Forget-Me-Nots
• Identify Group Accounts
• List Hardware Memory Size and Types
• Ensure Caveats are listed on ATO letters and in profiles
• Ensure UIDs on MSSP, Profile, and ATO all match
• Ensure Sanitization procedures are included in profiles
• Communicate often with your ISSP
