CMMC Practice CA.L2-3.12.4

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Bold Coast Security Guidance

For Level 2 compliance, you must have a formal set of information security policies that require procedures and plans providing guidance on how your policy statements are met. These procedures and plans can go by many names. You might have a set of separate Standard Operating Procedures, or policy standards, or fully developed plans as described in the NIST guidance.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls . System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended . Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained . This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture,system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a non-federal organization and whether it is advisable to pursue an agreement or contract with the non-federal organization. NIST SP 800-18 provides guidance on developing security plans.

References

  • NIST SP 800-171 Rev 1 3.12.4
  • NIST CSF v1.1 PR.IP-7
  • NIST SP 800-53 Rev 4 PL-2
  • x
  • x
  • x