Revision A ADMINISTRATIVELY CONTROLLED INFORMATION

Security Plan for the [insert system name here]

[Insert Directorate Name here]

Issue Date: MM-DD-YYYY

Effective Date: MM-DD-YYYY

Verify that this is the correct version before use.

[Insert Document Revision Letter here; e.g., “Rev. A”]

This document contains information that is sensitive to the foregoing organization. Reproduction or distribution of this document should be done only with the written approval of the management of this organization. When unattended, this document should be stored in a facility commensurate with its sensitivity.

This document was prepared for and is the property of the National Aeronautics and Space Administration and has not been approved for public release.

National Aeronautics and

Space Administration

[Center Name]

[Center Location]

This page to be filled out in accordance with Center policy and requirements

Security Plan for the [Insert system name here]

Issue Date: MM-DD-YYYY

Effective Date: MM-DD-YYYY

[Insert Doc Rev Letter here; e.g. “Rev A”]

Prepared by:

______ MM-DD-YYYY

[Information System Security Official (ISSO) name] Date

[ISSO title]

Approved by:

______ MM-DD-YYYY

[Authorizing Official] Date

[Authorizing Official’s Title]

National Aeronautics and Space Administration

[Center Name]

[Center Location]

Document Revision Log

Revision Letter / Change Date / Originator/Phone / Description

Insert the Table of Contents here

1.0 Executive Summary

Master IT System Security Plan / Subordinate IT System Security Plan
Major Application / General Support System
Mission Essential System
Initiation Phase / Operations/Maintenance Phase
Acquisition Phase/Development / Disposal Phase
Implementation Phase
Master Plan
Master System Unique Identifier / Number
Unique Program Identifier (UPI) / Number
Plan Name / Name
Responsible Program/ Functional Officer / Name
Plan System Owner / Name
Certification Agent / Name
Authorizing Official / Name
Plan Short Description / Text
Type of Information / Text
Impact Level / Text
Authorized to Operate (Accredited) / Date
Interim Authorization to Operate (IATO) / Date
Expiration Date of IATO / Date
Annual Testing of Controls / Date
Annual Testing of Contingency Plan / Date
Subordinate Plan
(repeat section as many times as necessary)
Date of Last Update / Date
Subordinate System Unique Identifier / Number
Plan Name / Name
Responsible Program/Functional Officer / Name
Plan System Owner / Name
Line Manager (if applicable) / Text
Certification Agent / Name
Authorizing Official / Name
Plan Short Description / Text
Type of Information / Text
Impact Level / Text
Authorized to Operate (Accredited) / Date
Interim Authorization to Operate / Date
Expiration Date of IATO / Date
Annual Testing of Controls / Date
Annual Testing of Contingency Plan / Date

Describe any residual risks

Describe what steps were taken to mitigate the risks

Describe the impact to NASA if the risk(s) were to be successfully exploited

Describe the results of the certification process

Was the system recommended for accreditation? If not, why not?

Insert the Signed Letter of Accreditation here

Statement of Readiness for Certification and Accreditation

The IT system security plan and executive summary accurately describes the security posture of this system and all residual risks associated with this system and NASA’s information.

I (we) confirm that all required steps have been successfully accomplished in preparing this system for the certification process.

As signed by:

______

(System Owner) (Date)

______

(Line Manager) (Date)

______

(OCSO) (Date)

______

(ISSO) (Date)

______

(Information Owner) (Date)

______

(CIO, if required) (Date)

______

(ITSM, if required) (Date)

2.0 Plan Development

2.1 System Identification

Master IT System Security Plan / Subordinate IT System Security Plan
Major Application / General Support System
Mission Essential System

2.2 Life Cycle Status

Initiation Phase / Operations/Maintenance Phase
Acquisition Phase/Development / Disposal Phase
Implementation Phase

2.3 General System Information

Date of Last Update / Date
System Unique Identifier (Master or Subordinate) / Number
UPI Identifier / Number
Plan Name / Name
Responsible Program/ Functional Officer / Name
Plan System Owner / Name
Line Manager (if applicable) / Name
Certification Agent / Name
Authorizing Official / Name
Plan Short Description / Text
Type of Information / Text
Impact Level / Text
Authorized to Operate (Accredited) / Date
Interim Authorization to Operate (IATO) / Date
Expiration Date of IATO / Date
Annual Testing of Controls / Date
Annual Testing of Contingency Plan / Date

2.4 Key Information Contacts

Line Manager (Day-to-day system manager)
Name / Name
Title / Name
E-Mail Address / Text
Work Phone Number / Number
Pager Number / Number
Cell Phone Number / Number
Chief Information Officer
Name / Name
E-Mail Address / Text
Work Phone Number / Number
Pager Number / Number
Cell Phone Number / Number
Organization Computer Security Official
Name / Name
E-Mail Address / Text
Work Phone Number / Number
Pager Number / Number
Cell Phone Number / Number
Information System Security Officer
Name / Name
E-Mail Address / Text
Work Phone Number / Number
Pager Number / Number
Cell Phone Number / Number
System Administrator
Name / Name
E-Mail Address / Text
Work Phone Number / Number
Pager Number / Number
Cell Phone Number / Number

2.5 General Description/Purpose

2.6 System Environment

2.7 System Interconnection/Information Sharing

2.8 Applicable Laws or Regulations Affecting the System

2.9 General Description of Information Sensitivity

System Information Types / Confidentiality / Integrity / Availability
Type 1
Type 2
Type 3, etc.
System Security Category

Overall system security category is ______

(1) For each information type, provide a short description of your methodology.

3.0 Management Controls

3.1 Risk Assessment and Management

3.2 Review of Security Controls

3.3 Rules of Behavior

3.4 Planning for Security in the Life Cycle

(1) Initiation Phase

(2) Acquisition/Development Phase

Questions / Yes / No
(i) During the system design, were security requirements identified?
(ii) Were the appropriate security controls with associated evaluation and test procedures developed before the procurement action?
(iii) Did the solicitation documents (e.g., Request for Proposals) include security requirements and evaluation/test procedures?
(iv) Did the requirements permit updating security requirements as new threats/vulnerabilities are identified and as new technologies are implemented?
If this is a purchased commercial application, or the application contains commercial off-the-shelf components, were security requirements identified and included in the acquisition specifications?

(i) Provide a short description for each answer given.

(3) Implementation Phase

Questions / Yes / No
(i) Were design reviews and systems tests run prior to placing the system in production?
Were the tests documented?
Has the system been certified?
Has the system been accredited (authorized to process)?
(ii) Have security controls been added since development?
If so, was the system tested and re-certified?
(iii) Has the application undergone a technical evaluation to ensure that it meets applicable federal laws, regulations, policies, guidelines, and standards?

(iv) Include the date of the certification and accreditation. If the system is not authorized yet, include date when the accreditation request will be made.

(i) Provide a short description for each answer given.

(4) Operation/Maintenance Phase

(5) Disposal Phase

3.5 Certification and Accreditation

4.0 Operational Controls

4.1 Personnel Controls

Questions / Yes / No
(i) Have all positions been reviewed for information or system privilege level?
(ii) Have individuals received background checks appropriate for the position to which they are assigned?
(iii) Is user access restricted to the minimum necessary to perform the job?
(iv) Is there a process for requesting, establishing, issuing, and closing user accounts?
(v) Are critical functions divided among different individuals (separation of duties)?

(i) Provide a short description for each answer given.

4.2 Physical and Environmental Protection

4.3 Production, Input/Output Controls

4.4 Contingency Planning

Yes / No / Not Needed
Business Continuity Plan
Business Impact Analysis
Business Recovery/Resumption Plan
Contingency Plan
Continuity of Operations Plan
Disaster Recovery Plan
Incident Response Plan
Other: (list type of plan here)

(i) Provide a short description for each answer given.

(2) As a minimum, a contingency plan will be in place and will include the following:

(i) List the primary recovery team members:

Team Member Name / Role / Work Phone / Pager / Home Phone

4.5 Application Software Maintenance Controls

a. Describe the following software maintenance controls for each software application:

Questions / Yes / No
(1) Was the application software developed in-house or under contract?
(2) Does the government own the software?
(3) Was the software received from another agency?
(4) Is the application software a copyrighted commercial off-the-shelf product or shareware?
(5) Has the software been properly licensed and enough copies purchased for all systems?
(6) Is there a formal change control process in place and if so, does it require that all changes to the application software be tested and approved before being put into production?
(7) Is the test data used in the testing of the application live data or made-up data?
(8) Are all changes to the application software documented?
(9) Are software test results documented?
(10) Are there organizational policies against illegal use of copyrighted software or shareware?
(11) Are periodic audits conducted of users’ computers to ensure only legal licensed copies of software are installed?
(12) Are software warranties managed to minimize the cost of upgrades and cost reimbursement or replacement for deficiencies?

(i) Provide a short description for each answer given.


4.6 Hardware and System Software Maintenance Controls

4.7 Data Integrity/Validation Controls


4.8 Documentation

4.9 Security Awareness and Training

a. Is training provided for the following:

Training Provided / Yes / No
Rules of the system
Responsibilities described in the NPR 2810.1
How to detect and respond to suspected and real IT security incidents
How to get help in using the information system or its security features
NASA and Center IT security policies, procedures, and guidelines

(i) Provide a short description for each answer given.

4.10 IT Security Incident Response

5.0 Technical Controls

5.1 Identification and Authentication

5.2 Logical Access Controls

5.3 Public Access Controls

5.4 Audit Trails

5.5 System and Communication Protection

Appendix A – Acronyms

Appendix B – Attachments

Appendix C – Risk Analysis

Appendix D – Contingency Plan(s)

Other Appendices and Attachments
