NIST states that the purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.
This document is intended as a starting point for the IT System Security Plan required by NIST SP 800-171 (3.12.4). This paper is intended for those who may be new to the information security arena and have been tasked with assembling a system security plan. This document summarizes the security requirements for the agency business application, Cornerstone, and the CMS/BCCS hosted environment for Cornerstone. This NIST Special Publication provides guidance for federal agencies for developing system security plans for federal information systems. This example template is offered as a tool to assist companies as they develop their system security plan.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.