
How to Write a FedRAMP System Security Plan

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring of Cloud Service Providers (CSPs) that do business with the Federal government.

CSPs must achieve FedRAMP Authorization status to do business with the federal government. One of the key requirements for attaining this status is developing a System Security Plan (SSP), a comprehensive document describing the CSP’s security controls, system architecture, and roles and responsibilities. FedRAMP sets a high bar for security. The FedRAMP security baselines are built on the National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and add controls above and beyond that framework to address cloud-specific security risks.

What Resources Will I Need?

An SSP is an extensive document that requires a considerable time and resource commitment to complete. Organizations will need team members with deep technical knowledge of their security controls, system and network architecture, data flows, service inventory, and organizational roles and responsibilities for managing and accessing the system environment. Tevora also recommends having experienced technical writers on the team to ensure the SSP is clear and concise. Finally, it’s very beneficial to have team members who are familiar with FedRAMP and have experience writing SSPs for other organizations. If these resources are not present within the organization, Tevora recommends bringing in advisors, consultants, or contractors with the required skills to complement your team.

Tevora recommends assigning an internal team member to serve as the project manager for writing the SSP, as it will require a coordinated effort with input from a variety of domain experts. Tevora has found that a technical writer with project management experience is often an excellent project manager candidate.

How Long Will It Take to Write an SSP?

The amount of time it will take to write an SSP will depend on how much documentation your company has already prepared describing its security controls, system and network architecture, data flows, service inventory, and organizational roles and responsibilities for managing and accessing the applicable system. In our experience, the amount of time required can vary from several weeks to several months. If you need to bring in outside expertise to assist with writing your SSP, you’ll also need to allow for the time it takes to identify and reach contractual agreements with these parties. An SSP requires several supporting documents, and all control families require supporting policies, standards, and procedures to be clearly defined and disseminated.

Choosing an SSP Document Template

FedRAMP offers detailed Microsoft Word document templates that provide notes and outlines to guide organizations in writing an SSP. Once an organization identifies the appropriate template for the system environment, you can download it and begin adding your content to the designated sections.

FedRAMP provides SSP templates for systems that qualify as “Low,” “Moderate,” and “High” sensitivity levels based on NIST FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 categorizes systems based on the types of information that may be stored within the information system. In general, systems that store very sensitive information such as personally identifiable information (PII) will be classified as High sensitivity level systems. Systems handling less sensitive information will be assigned Moderate or Low sensitivity levels. Details on the FIPS 199 system categorization can be found in that publication.

Once the appropriate sensitivity level is determined for the system (Low, Moderate, or High), it’s easy to download the corresponding FedRAMP SSP template and begin filling it out to complete your SSP.

SSP Content

Below are the topics covered in the SSP template for the High sensitivity level. The topics for Moderate and Low sensitivity levels are similar but somewhat less stringent.

    1. Information System Name/Title
    2. Information System Categorization
      • Information Types
      • Security Objectives Categorization (FIPS 199)
      • Digital Identity Determination
    3. Information System Owner
    4. Authorization Officials
    5. Other Designated Contacts
    6. Assignment of Security Responsibility
    7. Information System Operational Status
    8. Information System Type
      • Cloud Service Models
      • Cloud Deployment Models
      • Leveraged Authorizations
    9. General System Description
      • System Function or Purpose
      • Information System Components and Boundaries
      • Types of Users
      • Network Architecture
    10. System Environment and Inventory
      • Data Flow
      • Ports, Protocols and Services
    11. System Interconnections
    12. Laws, Regulations, Standards and Guidance
      • Applicable Laws and Regulations
      • Applicable Standards and Guidance
    13. Minimum Security Controls
      • Access Control (AC)
      • Awareness and Training (AT)
      • Audit and Accountability (AU)
      • Security Assessment and Authorization (CA)
      • Configuration Management (CM)
      • Contingency Planning (CP)
      • Identification and Authentication (IA)
      • Incident Response (IR)
      • Maintenance (MA)
      • Media Protection (MP)
      • Physical and Environmental Protection (PE)
      • Planning (PL)
      • Personnel Security (PS)
      • Risk Assessment (RA)
      • System and Services Acquisition (SA)
      • System and Communications Protection (SC)
      • System and Information Integrity (SI)
    14. Acronyms
    15. Attachments
      • Information Security Policies and Procedures
      • User Guide
      • Digital Identity Worksheet
      • PTA/PIA
      • Rules of Behavior
      • Information Systems Contingency Plan
      • Configuration Management Plan
      • Incident Response Plan
      • CIS Workbook
      • FIPS 199
      • Separation of Duties Matrix
      • FedRAMP Laws and Regulations
      • FedRAMP Inventory Workbook

Additionally, within section 13 listed above, organizations must, for each required security control, document a responsible role, determine the implementation status, declare the control origination, and explain what the solution is and how it is implemented. The following table shows the number of controls for each impact level.

Impact Level    Required Controls
Low             125
Moderate        325
High            421

Just reviewing the outline, it’s clear that the amount of information that must be included, and the work required to write an SSP, is substantial to say the least.

For more detailed information on writing a FedRAMP System Security Plan, see Tevora’s white paper on Composing a FedRAMP System Security Plan.

We Can Help

As one of the few firms that FedRAMP has approved as a Third-Party Assessment Organization (3PAO), Tevora’s team knows exactly what steps an organization needs to take to ensure its business is ready for FedRAMP certification. Tevora has worked with many of the world’s largest companies to help them write SSP documents and perform the remediation needed to prepare for this rigorous certification process. We would welcome the chance to do the same for you.

You can find more information about Tevora’s FedRAMP services on the FedRAMP Marketplace.

If you’d like to learn more about how Tevora can help you write a FedRAMP SSP, perform a Readiness Assessment, or assist in your remediation efforts to prepare for FedRAMP authorization, just give us a call at (833) 292-1609 or email us at fedramp@tevora.com.

Addendum A: Composing a FedRAMP System Security Plan


About the Author
Jeremiah Sahlberg is a Managing Director – Federal, Third Party Risk at Tevora.

Kaitlyn Bestenheider is an Information Security Analyst at Tevora.