Professional Documents
Culture Documents
SSP Template
SSP Template
References
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems,
February 2006: https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
8. System Environment
Provide a general description of the technical system. Include the primary hardware, software, and
communications equipment.
9. Inventory Workbook
Complete the applicable fields in the Integrated Inventory Workbook. A good example is found in
SSP ATTACHMENT 13: FedRAMP Integrated Inventory Workbook Template.
10. System Boundaries and Interconnections
Provide an explicit definition of the system’s network or computing system boundary. Include a
network diagram that portrays any boundaries and all its connections and components, including
the means for monitoring and controlling communications at the external boundary and at key
internal boundaries within the system. Address all components and managed interfaces of the
information system authorized for operation (for example, routers, firewalls).
Low (L)
Moderate
High (H) (M) Low (L)
Moderate
High (H) (M) Low (L)
Moderate
High (H) (M)
Choose level. Choose level. Choose level.
Low (L)
Moderate
High (H) (M) Low (L)
Moderate
High (H) (M) Low (L)
Moderate
High (H) (M)
Choose level. Choose level. Choose level.
Low (L)
Moderate
High (H) (M) Low (L)
Moderate
High (H) (M) Low (L)
Moderate
High (H) (M)
For each minimum security control in the applicable baseline, provide a thorough description of how
that control is implemented or planned to be implemented. See NIST SP 800-53 Revision 4 Table D-2
for a listing of the different requirements for each initial control baseline.
For this exercise, you should pick three control categories and complete the required information
for each. See Attachment A for a sample. It is outside the scope of this document to include each
baseline control.
Control
The organization develops, documents, and disseminates to applicable personnel, and reviews and updates (as
necessary), within every three hundred sixty-five (365) days:
a. A security and privacy awareness and training policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities,
and compliance;
a. Procedures to facilitate the implementation of the security and privacy awareness and training
policy and associated security and privacy awareness and training controls;
b. Security and privacy awareness and training policy; and
c. Security and privacy awareness and training procedures.
d. Security and privacy awareness and training plan.
Implementation Standards
1. An initial Security and Privacy awareness and training plan is developed and implemented that addresses
all requirements of the security and privacy training program. This plan should cover required policies
and procedures and a documented process for implementing basic privacy and awareness training for all
organizational users and contractors that includes understanding potential indicators of insider threats.
This plan should also include requirements for ensuring personnel with specific roles and responsibilities in
information security and privacy undergo more detailed and audience specific security and privacy training.
Guidance
This control addresses the establishment of policy and procedures for the effective implementation of security and
privacy controls and control enhancements in the AT family. Policy and procedures reflect applicable state and federal
laws, directives, regulations, policies, standards, and guidance. Security and privacy program policies and procedures
at the organization level may make the need for system-specific policies and procedures unnecessary. The policy
can be included as part of the general information security and privacy policy for organizations or, conversely, can
be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be
established for the security and privacy programs in general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in establishing policy and procedures.
Assessment Procedure:
Assessment Objective
Determine if the organization has implemented all elements of the AT-1 control as described in the control requirements.
Control
The organization provides basic security and privacy awareness training to information system users (including
managers, senior executives, and contractors):
a. As part of initial training for new users prior to accessing any system’s information;
b. When required by system changes, and within every three hundred sixty-five (365) days thereafter.
Implementation Standards
1. An information security and privacy education and awareness training program is developed and
implemented for all employees and individuals working on behalf of the organization and involved in
managing, using, and/or operating information systems.
1. Security and privacy awareness training is provided before granting access to systems and networks, and
within every three hundred sixty-five (365) days thereafter, to all employees and contractors to explain the
importance and responsibility in safeguarding Personally Identifiable Information (PII) and ensuring privacy,
as established in federal legislation and HHS Regulations and CMS and organization guidance.
Guidance
Organizations determine the appropriate content of security and privacy awareness training, and security and privacy
awareness techniques, based on the specific organizational requirements and the information systems to which
personnel have authorized access. The content includes a basic understanding of the need for information security and
user actions to maintain security and privacy, and to respond to suspected security and privacy incidents. The content
also addresses awareness of the need for operations security and privacy related to the organization’s information
security program. Security and privacy awareness techniques can include, for example, displaying posters, offering
supplies inscribed with security and privacy reminders, generating email advisories / notices from senior organizational
officials, displaying logon screen messages, and conducting information security and privacy awareness events.
Assessment Procedure:
Assessment Objective
Determine if the organization has implemented all elements of the AT-2 control as described in the control requirements
and associated implementation standards.
Control
The organization provides role-based security and privacy training to personnel with assigned security and privacy roles
and responsibilities:
c. Before authorizing access to the information system or performing assigned duties; and
d. When required by information system changes; and within every three hundred sixty-five (365)
days thereafter.
Implementation Standards
2. Require personnel with significant information security and privacy roles and responsibilities to undergo
appropriate information system security and privacy training prior to authorizing access to networks,
systems, and/or applications; when required by significant information system or system environment
changes; when an employee enters a new position that requires additional role-specific training; and for
refresher training within every three hundred sixty-five (365) days thereafter.
Guidance
Organizations determine the appropriate content of security and privacy training based on the assigned roles and
responsibilities of individuals and the specific security and privacy requirements of CMS and the information systems to
which personnel have authorized access. In addition, organizations provide enterprise architects, information system
developers, software developers, acquisition/procurement officials, information system managers, system/network
administrators, personnel conducting configuration management and auditing activities, personnel performing
independent verification and validation activities, security control assessors, and other personnel having access to
system-level software, adequate security- and privacy-related technical training specifically tailored for their assigned
duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities
covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example,
policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the
training necessary for individuals to carry out their responsibilities related to operations and supply chain security within
the context of the organization’s information security programs. Role-based security and privacy training also applies to
contractors providing services to the organization.
Assessment Procedure:
Assessment Objective
Determine if the organization has implemented all elements of the AT-3 control as described in the control requirements
and associated implementation standards.
Control
The organization:
e. Documents and monitors individual information system security and privacy training activities including
basic security and privacy awareness training and specific information system security and privacy
training; and
f. Retains individual training records for a minimum of five (5) years.
Guidance
Awareness and Training Family (AT) Security Controls Detail and Comment
Assessment Objective
Determine if the organization has implemented all elements of the AT-4 control as described in the control requirements.