CMMC Requirement RA.L3-3.11.4E – Security Solution Rationale: Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.
NIST SP 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI: (1) when the CUI is resident in a nonfederal system and organization, (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and (3) where there are no specific safeguarding requirements for protecting the CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. This NIST Special Publication provides guidance for federal agencies for developing system security plans for federal information systems.
System security plans relate security requirements to a set of security controls and solutions. The plans describe how the controls and solutions meet the security requirements. For the enhanced security requirements selected when the APT is a concern, the security plan provides traceability between threat and risk assessments and the risk-based selection of a security solution, including discussion of relevant analyses of alternatives and rationale for key security-relevant architectural and design decisions. This level of detail is important as the threat changes, requiring reassessment of the risk and the basis for previous security decisions.
When incorporating external service providers into the system security plan, organizations state the type of service provided (e.g., software as a service, platform as a service), the point and type of connections (including ports and protocols), the nature and type of the information flows to and from the service provider, and the security controls implemented by the service provider. For safety critical systems, organizations document situations for which safety is the primary reason for not implementing a security solution (i.e., the solution is appropriate to address the threat but causes a safety concern).
[NIST SP 800-18] provides guidance on the development of system security plans.
Further Discussion
The System Security Plan (SSP) is a fundamental component of an organization’s security posture. When solutions for implementing a requirement have differing levels of capabilities associated with their implementation, it is essential that the plan specifically document the rationale for the selected solution and what was acquired for the implementation. This information allows the organization to monitor the environment for threat changes and identify which solutions may no longer be applicable. While not required, it may also be useful to document alternative solutions reviewed and differing levels of risk associated with each alternative, as that information may facilitate future analyses when the threat changes. In addition to the implementations required for Level 2 certification, which may not be risk based, at Level 3, the SSP must carefully document the link between the assessed threat and the risk-based selection of a security solution for the enhanced security requirements (i.e., all CMMC L3 requirements derived from NIST SP 800-172).