Hello and welcome to the NIST 800-171 learning path. My name is Dave Had and I'm an instructor for this class, and this is the course for creating a System Security Plan, or SSP. This course will do an overview of the system security plan, and we'll look at creating a system security plan using the provided template with some examples. So what is an SSP? NIST has a document, NIST 800-18 Rev. 1, where they describe system security planning in great detail. I would encourage you to take a look at that before you get started. The first quote here is from that document: quote, the objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan, unquote. So again, we'll be talking about nonfederal systems and nonfederal organizations with CUI, but nevertheless we will need a system security plan as part of our 800-171 compliance. The second quote says: the purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable, unquote.
So again, like most things from NIST, they're giving you some guidance; you have some leeway here. I would encourage you to take a look at NIST 800-18 Rev. 1 before you attempt to build your SSP; read through that. But I've hit the high points, I think, two of the main concepts you need to know here. Really, an SSP boils down to this: it's a blueprint of your cybersecurity program. It documents, ideally with artifacts and evidence, the implementation of controls that will satisfy the 110 requirements defined in NIST 800-171. It can be a cumbersome process. It's likely to exceed 100 pages with artifacts and evidence. I mean, if you think about it for a second, there are 110 controls. If you have any sort of detail whatsoever, you're easily going to hit 100 pages, maybe more. It can be quite time consuming and potentially difficult to create, especially if you've never tried to do something like this before. The good news is there are lots of resources out there that can help with this, including this training. And I would encourage you, as you set out to create your system security plan, that you keep Hofstadter's law in mind, which is: it always takes longer than you expect, even when you take into account Hofstadter's law. Douglas Hofstadter. I always find that amusing, yet ironic and sadly true, when you set out to do any sort of work like this. And your SSP is going to require a certain level of IT knowledge. If you're not an IT person, this will probably be difficult to create; you're probably going to need to work with knowledgeable IT people who understand your systems. So keep in mind you will most likely need one or more senior-level IT people to help go through the 110 requirements and answer the questions as you build out your system security plan, as well as collect the evidence and such. So why do we need an SSP? Well, primarily for compliance reasons, right? It's required by 800-171.
The DoD says you can't even do a self-assessment unless you have a system security plan. And it's also required for Level 2 or higher compliance with CMMC. I would also tell you that it can just be helpful to have: if you go through the trouble of creating a system security plan, you will have an enormous amount of information about your system, and it will all be documented. It can be very handy in terms of improving your overall cybersecurity posture. It also obviously helps you document all your systems that contain CUI, and again, I would argue you will be much more secure as an organization if you go through this process, because it's going to help you find gaps and point out the things that NIST says you should be thinking about in your environment and your organization. And then ultimately it's something that can be given to an assessor in the event that you are assessed. So let's talk about what you need to do to prepare to build your SSP. You probably need to start by defining a team. This is going to be an enormous job for one person, and again, you will likely need skilled IT resources and potentially compliance experts, cybersecurity experts, etc. to do this. So I would strongly recommend that you define your team first. And then once you have your team assembled, review with the team NIST 800-171A. Again, that's NIST 800-171A, which is Assessing Security Requirements for Controlled Unclassified Information. You can see I have a link to it there, and NIST says in 800-171A, quote, this publication provides federal and nonfederal organizations with assessment procedures and methodology that can be employed to conduct assessments of the CUI security requirements in Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessment.
Security assessments can be conducted as self-assessments, independent third-party assessments, or government-sponsored assessments, and can be applied with various degrees of rigor based on customer-defined depth and coverage attributes. The findings and evidence produced during the security assessments can facilitate risk-based decisions by organizations related to the CUI requirements, unquote. Bottom line is, this is the document that the assessors use to determine how well you comply with the requirements in NIST 800-171. And I think in order for you to have a good system security plan, especially out of the gate, it's very important that you download this document and you read through it so that you understand how to provide the artifacts and evidence that you'll need to illustrate that you are compliant with any one of the particular 110 requirements. As you can see here, 800-171A has 302 assessment objectives. Now again, that's 302 total assessment objectives across the 110 requirements. So it's a lot of material. But again, I strongly encourage you to get a copy of that, and before you do too much work on your system security plan, you take a look at this first and then use it, and I'll show you how I use it once we get into the next video, where we take a look at building out a system security plan. And you really should try to address all 320 AOs to be fully compliant with NIST 800-171. Now, you'll see you won't necessarily have to be fully compliant with every single one of the 320 AOs, but you ought to at least understand what they say. So take a look at that. You'll be doing yourself a huge favor. Also, per NIST 800-171A, quote, an assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment, unquote. So I think this is important. Again, going into it, you're preparing this document ultimately so that if and when you're assessed, or if you're trying to comply with CMMC
Level 2 or above, you have the information that you need to be prepared for an assessment. So I think it's important to understand how they view these things, right? And then they also say, quote, assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals, unquote. Then they go on to define those things in there. I just tried to excerpt this and give you a high-level overview. Specifications are document-based artifacts associated with the system; mechanisms are hardware, software, or firmware safeguards; activities are protection-related actions involving people; and individuals are the people applying the specifications, mechanisms, or activities. So again, this is NIST telling you how they would go about this. It gives you insight into how you're going to want to collect the artifacts and evidence to say that I have implemented this control to satisfy requirement whatever. Again, we'll see some real-world examples when we get into the next video. And then finally, assessment methods define the nature and extent of the assessor's actions and include examine, interview, and test. So the assessor can examine what you've done. They may come and do interviews, either in person or over the phone or some sort of video conference or something. And then obviously they can attempt to test various controls and so forth. So again, when you understand these things, that an assessor might want to examine your documentation or examine your systems, may want to interview you or your team, or may make an attempt to test these things, it will help you better prepare the artifacts and evidence as part of your SSP. Some more from NIST 800-171A. Again, I can't really encourage you enough to download this document and read through the whole thing, despite the fact that it's pretty long. Again, there are 320 assessment objectives, but it will go a long way toward helping you get this right the first time.
So they say, quote, organizations are not expected to employ all assessment methods and objects contained within the assessment procedures identified in this publication. I want to read that statement again because I think that's important to keep in mind: organizations are not expected to employ all assessment methods and objects contained within the assessment procedures identified in this publication. Rather, organizations have the flexibility to determine the level of effort needed and the assurance required for an assessment, e.g., which assessment methods and assessment objects are deemed to be the most useful in obtaining the desired results. This determination is made based on how the organization can accomplish the assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied, unquote. So again, this is giving you guidance, but you have a lot of leeway here, and you don't necessarily have to meet every single assessment objective. But if you understand them all and you look at each control through the lens of those assessment objectives, it's going to save you a lot of time and work on the front end. So let's talk about assurance cases, because they use the term assurance. So they say, assurance cases, quote, an assurance case is a body of evidence organized into an argument demonstrating that some claim about a system is true. For assessments conducted using the procedures in this publication, that claim is compliance with the security requirements specified in NIST Special Publication 800-171, unquote. So again, knowing these things going into it, it's going to help you focus on the right artifacts and evidence to demonstrate compliance with the requirements of 800-171. They say evidence can be obtained in many ways, self-assessments or third-party assessments, and they say determinations.
So when the assessor is doing the assessment, again, you could have done a self-assessment, or you could have a third-party assessment through the government or an independent assessor. And the determination they're going to make when they assess your compliance with any one of the 110 requirements is either you have satisfied that requirement or other than satisfied. So again, knowing that going into this will help inform how you go about creating your system security plan. Now, this is an example assessment objective pulled straight out of 800-171A, and you can see here 3.1.4, security requirement: separate the duties of individuals to reduce the risk of malevolent activity without collusion, right? So then they show you there are three assessment objectives. 3.1.4[a]: the duties of individuals requiring separation are defined. 3.1.4[b]: responsibilities for duties that require separation are assigned to separate individuals. And 3.1.4[c]: access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. Then you can see here they describe different assessment methods and objects. They say examine, select from: access control policy; procedures addressing divisions of responsibility and separation of duties; system security plan; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit logs and records; other relevant documents or records. So that's something that the assessor might examine, any of those things, right? Or they say interview, select from: personnel with responsibilities for defining divisions of responsibility and separation of duties; personnel with information security responsibilities; system or network administrators. And then test, select from: mechanisms implementing separation of duties policies.
Again, I can't stress enough how important I think it is for you to look at each assessment objective in light of how you're going to go about determining if you have satisfied any given requirement. This gives you great insight into what the assessor is going to assess against and how they might go about determining that. So for example, if they say, you know, procedures addressing divisions of responsibility, separation of duties, system security plans, system configuration settings: well, do you have a system security plan or an access control policy, right? If you do, that's good; you're going to want to list that as part of your evidence. Again, very insightful. I strongly encourage you to get 800-171A and take a look at each of these as you work through your system security plan. So now we're down to where the rubber hits the road. We want to create the system security plan. There is no formal standard. You can find templates all over the internet. In fact, there are companies like ComplianceForge out there who have well-known, well-defined packages. They're not cheap, but in many cases you can save a lot of time with something like that. What we're going to use for this course is the free template provided by NIST. I think it's probably sufficient for most cases. You can see I have a link to the free template that you can download from the NIST website there. In the next video we will take a look at creating a system security plan and go through some examples. Again, you're going to want to collect evidence and artifacts and document them in the SSP, or at least reference them in the SSP. And lastly, keep the assessment objectives in mind as you work through the 110 requirements. So that gets us through the overview, and I will see you in the next video, where we will use the NIST template and we will build out, or at least start building out, a system security plan with some examples, based on the 320 AOs from 800-171A. Thanks.
And I will see you in the next video.