Security Requirements for 03.15.02 System Security Plan

System security plans provide key characteristics of the system that is processing, storing, and transmitting CUI and how the system and information are protected. System security plans contain sufficient information to enable a design and implementation that are unambiguously compliant with the intent of the plans and the subsequent determinations of risk if the plan is implemented as intended. System security plans can be a collection of documents, including documents that already exist. Effective system security plans reference policies, procedures, and documents (e.g., design specifications) that provide additional detailed information. This reduces the documentation requirements associated with security programs and maintains security information in other established management or operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition.

  03.15.02.a

    Develop a system security plan that:

    03.15.02.a.01

      Defines the constituent system components;

    03.15.02.a.02

      Identifies the information types processed, stored, and transmitted by the system;

    03.15.02.a.03

      Describes specific threats to the system that are of concern to the organization;

    03.15.02.a.04

      Describes the operational environment for the system and any dependencies on or connections to other systems or system components;

    03.15.02.a.05

      Provides an overview of the security requirements for the system;

    03.15.02.a.06

      Describes the safeguards in place or planned for meeting the security requirements;

    03.15.02.a.07

      Identifies individuals that fulfill system roles and responsibilities; and

    03.15.02.a.08

      Includes other relevant information necessary for the protection of CUI.

  03.15.02.b

    Review and update the system security plan [Assignment: organization-defined frequency].

  03.15.02.c

    Protect the system security plan from unauthorized disclosure.