Quite often, system security plans (SSPs) are viewed solely through the lens of compliance. And if given the opportunity, many agencies and cloud service providers (CSPs) would avoid them. This isn’t surprising, since SSPs can be arduous to create, cumbersome to navigate, and extremely labor intensive.
However, when it comes to FedRAMP, an SSP is your business card, your golden key, and your best advertisement. It’s the critical first document submitted to FedRAMP, and often the make-it-or-break-it file that determines whether you’re granted access. It needs to be concise, with a structured format and all the relevant information. Your SSP will serve as the document that lets FedRAMP and agencies know that you have a comprehensive and current understanding of your business function, architecture, assets, and responsibilities. It demonstrates that you are a CSP that can be trusted with their business.
To promote the adoption of the cloud, FedRAMP standardized documentation and security requirements, ensuring consistency and providing a level of assurance to participating agencies. This effort begins with your FedRAMP SSP. A proper SSP should have the following key components:
- System function
- Accreditation boundary
- Flow diagram
- Asset inventory
- Control implementations
- Rules of behavior
- Policies and procedures
- User guide
- E-authentication worksheet
It’s common for SSPs to be submitted without the flow diagram or system function if there is an accreditation boundary diagram. However, all three components serve uniquely different roles. The system function outlines the purpose and function of the system. The accreditation boundary graphically displays the interconnections and assets within the boundary. And the flow diagram describes how data moves within the system.
Another common omission is the interconnection section. This section describes the connections between the system and an external system. The agreements that govern that connection are also listed here. Beyond omissions, FedRAMP also sought to clean up the variance in control implementation language, while ensuring the implementation statements remain detailed.
The rules of behavior, policies, procedures, e-authentication worksheet, plans, and user guide appear in the SSP as appendixes. The user guide serves an important function in FedRAMP: it outlines the roles and responsibilities of the CSP alongside those of the customer.
Once completed, an SSP can serve as an inventory for your system, a training tool for new or transitioning employees, a checklist for your maintenance staff, and a guide to handling crises. Your SSP will also be submitted and verified for compliance with FedRAMP. This intensive effort was devised with the intention of achieving FedRAMP’s goals to:
- Increase reuse of existing security assessments across agencies.
- Save significant cost, time, and resources.
- Improve real-time security visibility.
- Provide a uniform approach to risk-based management.
- Enhance transparency between government and CSPs.
- Improve the trustworthiness, reliability, consistency, and quality of the federal security authorization process.
All of these things are achieved through a standard development, assessment, authorization, and continuous monitoring process. With a good SSP in place, it’s likely that you’ve received your authorization to operate (ATO). However, it is something that has to be constantly maintained. This leads us to the continuous monitoring phase.
A good documentation and review culture is essential to the SSP continuous monitoring process. An SSP is a living document and should be kept current as regulations, policy, procedure, and system changes are made. These changes should be informed by lessons learned during procedure reviews, plan tests, and incident responses. An inaccurate SSP is almost as bad as not having an SSP at all, and it can lead to the loss of your FedRAMP ATO.
Furthermore, a well-constructed SSP allows regulatory bodies, management, and stakeholders to understand and review your risk posture. Adherence to control implementations ensures consistent application of security guidelines across FedRAMP. And a properly documented review, testing, and update culture exudes a level of reassurance that you have the procedures and resources in place to adequately address system risks. A CSP that has demonstrated an ability to meticulously describe and document its system, review its procedures for effectiveness, and proactively address issues as they arise is a highly competent one – and one that clients will trust.