The Department of Education describes performing a risk assessment as the foundation for developing all other security documents needed for certifying and accrediting systems and applications.(Source) FedRAMP indicates that the System Security Plan (SSP) is the main document of a security package that describes all the security controls in use on the information system and their implementation. Once completed, a SSP provides a detailed narrative of security control implementation, a detailed system description including components and services inventory, and detailed depictions of the system’s data flows and authorization boundary. NIST defines the plan of action and milestones as a key document in the information security program and is subject to federal reporting requirements established by OMB.(Source)
