Skip to main content

IAO-03: System Security & Privacy Plan (SSPP)

IAO 7 — High Identify

Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical Technology Assets, Applications and/or Services (TAAS), as well as influence inputs, entities and TAAS, providing a historical record of the data and its origins.

Control Question: Does the organization generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical Technology Assets, Applications and/or Services (TAAS), as well as influence inputs, entities and TAAS, providing a historical record of the data and its origins?

General (38)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.2-POF11 CC2.3-POF10 CC2.3-POF11 CC2.3-POF9
GovRAMP Low PL-02
GovRAMP Low+ PL-02
GovRAMP Moderate PL-02
GovRAMP High PL-02
ISO/SAE 21434 2021 RQ-06-02.a RQ-06-02.b RQ-06-02.c RQ-06-03.a RQ-06-03.b RQ-06-03.c RQ-06-03.d RQ-06-03.e RQ-06-03.f RQ-06-05.a RQ-06-05.b RQ-06-06 RQ-06-07 RQ-06-09 RQ-06-10 RQ-06-11 RQ-06-12 RQ-06-33.a RQ-06-33.b RQ-06-33.c RQ-06-34.a RQ-06-34.b RQ-06-34.c RQ-09-01.a RQ-09-01.b RQ-09-01.c RQ-09-02 RQ-09-08.a RQ-09-08.b RQ-09-09
ISO 31010 2009 5.5
NIST AI 100-1 (AI RMF) 1.0 MANAGE 4.0
NIST Privacy Framework 1.0 ID.IM-P7 ID.IM-P8 ID.BE-P3 CM.AW-P6 PR.PO-P4
NIST 800-37 R2 C-2 S-4
NIST 800-53 R4 PL-2
NIST 800-53 R4 (low) PL-2
NIST 800-53 R4 (moderate) PL-2
NIST 800-53 R4 (high) PL-2
NIST 800-53 R5 (source) PL-2
NIST 800-53B R5 (privacy) (source) PL-2
NIST 800-53B R5 (low) (source) PL-2
NIST 800-53B R5 (moderate) (source) PL-2
NIST 800-53B R5 (high) (source) PL-2
NIST 800-82 R3 LOW OT Overlay PL-2
NIST 800-82 R3 MODERATE OT Overlay PL-2
NIST 800-82 R3 HIGH OT Overlay PL-2
NIST 800-161 R1 PL-2
NIST 800-161 R1 C-SCRM Baseline PL-2
NIST 800-161 R1 Flow Down PL-2
NIST 800-161 R1 Level 3 PL-2
NIST 800-171 R2 (source) 3.12.4
NIST 800-171A (source) 3.12.4[a] 3.12.4[b] 3.12.4[c] 3.12.4[d] 3.12.4[e] 3.12.4[f] 3.12.4[g] 3.12.4[h]
NIST 800-171 R3 (source) 03.04.11.b 03.15.02.a 03.15.02.a.01 03.15.02.a.02 03.15.02.a.03 03.15.02.a.04 03.15.02.a.05 03.15.02.a.06 03.15.02.a.07 03.15.02.a.08 03.15.02.b
NIST 800-171A R3 (source) A.03.04.11.a[02] A.03.04.11.a[03] A.03.04.11.b[01] A.03.04.11.b[02] A.03.15.02.ODP[01] A.03.15.02.a.01 A.03.15.02.a.02 A.03.15.02.a.03 A.03.15.02.a.04 A.03.15.02.a.05 A.03.15.02.a.06 A.03.15.02.a.07 A.03.15.02.a.08 A.03.15.02.b[01] A.03.15.02.b[02] A.03.15.02.c
NIST 800-172 3.11.4e
UN R155 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h)
UN ECE WP.29 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h)
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAO-03
SCF CORE ESP Level 1 Foundational IAO-03
SCF CORE ESP Level 2 Critical Infrastructure IAO-03
SCF CORE ESP Level 3 Advanced Threats IAO-03
SCF CORE AI Model Deployment IAO-03
US (24)
Framework Mapping Values
US CERT RMM 1.2 AM:SG1.SP1 EF:SG2.SP1 TM:SG1.SP1 TM:SG2.SP1 TM:SG2.SP2
US CJIS Security Policy 5.9.3 (source) 5.7.2
US CMMC 2.0 Level 2 (source) CA.L2-3.12.4
US CMMC 2.0 Level 3 (source) CA.L2-3.12.4 RA.L3-3.11.4E
US CMS MARS-E 2.0 PL-2
US FedRAMP R4 PL-2
US FedRAMP R4 (low) PL-2
US FedRAMP R4 (moderate) PL-2
US FedRAMP R4 (high) PL-2
US FedRAMP R4 (LI-SaaS) PL-2
US FedRAMP R5 (source) PL-2
US FedRAMP R5 (low) (source) PL-2
US FedRAMP R5 (moderate) (source) PL-2
US FedRAMP R5 (high) (source) PL-2
US FedRAMP R5 (LI-SaaS) (source) PL-2
US HIPAA HICP Large Practice 9.L.C
US IRS 1075 PL-2
US NISPOM 2020 8-311 8-610
US NNPI (unclass) 12.1
US SSA EIESR 8.0 5.2
US TSA / DHS 1580/82-2022-01 III.B.2 III.B.2.a III.B.2.b
US - TX DIR Control Standards 2.0 PL-2
US - TX TX-RAMP Level 1 PL-2
US - TX TX-RAMP Level 2 PL-2
EMEA (3)
Framework Mapping Values
EMEA EU AI Act 11.1
EMEA Qatar PDPPL 11.1
EMEA UK DEFSTAN 05-138 2301
APAC (2)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0041 ISM-0432
APAC New Zealand NZISM 3.6 3.4.12.C.01 3.4.12.C.02 4.3.17.C.01 4.3.18.C.01 4.3.18.C.02 4.3.18.C.03 4.3.18.C.04 4.3.18.C.05 5.1.8.C.01 5.1.9.C.01 5.1.10.C.01 5.4.5.C.01 5.4.5.C.02 5.4.5.C.03
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.04.11.B 03.15.02.A 03.15.02.A.01 03.15.02.A.02 03.15.02.A.03 03.15.02.A.04 03.15.02.A.05 03.15.02.A.06 03.15.02.A.07 03.15.02.A.08 03.15.02.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical Technology Assets, Applications and/or Services (TAAS), as well as influence inputs, entities and TAAS, providing a historical record of the data and its origins.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical Technology Assets, Applications and/or Services (TAAS), as well as influence inputs, entities and TAAS, providing a historical record of the data and its origins.

Level 2 — Planned & Tracked

Information Assurance (IA) is requirements-driven and governed at a local/regional level, but not consistently across the enterprise. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for pre-production cybersecurity and data privacy control testing.
  • IT personnel implement and maintain an established a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/ or contractual requirements for pre-production cybersecurity and data privacy control testing.
  • IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Administrative processes exist to ensure Business process owners (BPOs) develop and maintain System Security Plans (SSPs) or similar documentation, to identify and maintain key architectural information for each business-critical Technology Assets, Applications and/or Services (TAAS).
Level 3 — Well Defined

Information Assurance (IA) is standardized across the enterprise and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Cybersecurity personnel implement and maintain an established Information Assurance Program (IAP) capability to conduct “business as usual” pre-production cybersecurity and data privacy control testing focused on the concept of “security and data privacy be design and by default.”
  • The IAP validates that systems/applications/services/processes are both secure and compliant.
  • A Governance, Risk & Compliance (GRC) function, or similar function, facilitates the implementation of cybersecurity and data protection controls to ensure that secure engineering practices are designed and implemented throughout the lifecycle of systems, applications and services both internal and external to the organization.
  • A Project Management Office (PMO), or project management function, ensures project involvement for IAP as part of the organization's established project management processes.
  • A Plan of Action and Milestones (POA&M) or similar mechanism, exists to document planned remediation actions to correct weaknesses or deficiencies noted during the assessment of the security controls, helping to reduce or eliminate known vulnerabilities.
  • Administrative processes prevent systems/applications/services/processes from “going live” in a production environment without first going through the IAP process.
  • The IAP uses a tiered approach to conformity testing, based on (1) the sensitivity of data that is stored, processed and/ or transmitted and (2) the criticality of the system/application/service/process.
  • Administrative processes exist to ensure Business Process Owners (BPOs) develop and maintain System Security Plans (SSPs) or similar documentation, to identify and maintain key architectural information for each business-critical Technology Assets, Applications and/or Services (TAAS).
Level 4 — Quantitatively Controlled

Information Assurance (IA) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in the review process for proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical Technology Assets, Applications and/or Services (TAAS), as well as influence inputs, entities and TAAS, providing a historical record of the data and its origins.

Assessment Objectives

  1. IAO-03_A01 the system boundary is described and documented in the system security plan.
  2. IAO-03_A02 the system components on which sensitive / regulated data is processed are identified and documented.
  3. IAO-03_A03 the system components on which sensitive / regulated data is stored are identified and documented.
  4. IAO-03_A04 changes to the system or system component location where sensitive / regulated data is processed are documented.
  5. IAO-03_A05 changes to the system or system component location where sensitive / regulated data is stored are documented.
  6. IAO-03_A06 a system security plan that describes specific threats to the system that are of concern to the organization is developed.
  7. IAO-03_A07 a system security plan that describes the safeguards in place or planned for meeting the security requirements is developed.
  8. IAO-03_A08 a system security plan that identifies individuals that fulfill system roles and responsibilities is developed.
  9. IAO-03_A09 a system security plan that includes other relevant information necessary for the protection of sensitive / regulated data is developed.
  10. IAO-03_A10 the system security plan is reviewed per an organization-defined frequency.
  11. IAO-03_A11 the system security plan is protected from unauthorized disclosure.
  12. IAO-03_A12 the security requirements identified and approved by the designated authority as non-applicable are identified.
  13. IAO-03_A13 the method of security requirement implementation is described and documented in the system security plan.
  14. IAO-03_A14 the relationship with or connection to other systems is described and documented in the system security plan.
  15. IAO-03_A15 the system security plan documents or references the security solution selected.
  16. IAO-03_A16 the system security plan documents or references the rationale for the security solution.
  17. IAO-03_A17 the system security plan documents or references the risk determination.
  18. IAO-03_A18 individuals or groups with whom cybersecurity / data privacy-related activities affecting the system that require planning and coordination is/are assigned.
  19. IAO-03_A19 personnel or roles to receive distributed copies of the system cybersecurity / data privacy plans is/are assigned.
  20. IAO-03_A20 the frequency at which the system security plan is reviewed and updated is defined.
  21. IAO-03_A21 the system security plan is updated per an organization-defined frequency.
  22. IAO-03_A22 a security plan for the system is developed that is consistent with the organization's enterprise architecture.
  23. IAO-03_A23 a privacy plan for the system is developed that is consistent with the organization's enterprise architecture.
  24. IAO-03_A24 a system security plan that defines the constituent system components is developed.
  25. IAO-03_A25 a privacy plan for the system is developed that explicitly defines the constituent system components.
  26. IAO-03_A26 a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes.
  27. IAO-03_A27 a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes.
  28. IAO-03_A28 a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities.
  29. IAO-03_A29 a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities.
  30. IAO-03_A30 a system security plan that identifies the information types processed, stored, and transmitted by the system is developed.
  31. IAO-03_A31 a privacy plan for the system is developed that identifies the information types processed, stored and transmitted by the system.
  32. IAO-03_A32 a security plan for the system is developed that provides the security categorization of the system, including supporting rationale.
  33. IAO-03_A33 a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale.
  34. IAO-03_A34 a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization.
  35. IAO-03_A35 a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization.
  36. IAO-03_A36 a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing Personal Data (PD).
  37. IAO-03_A37 a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing Personal Data (PD).
  38. IAO-03_A38 a system security plan that describes the operational environment for the system and any dependencies on or connections to other systems or system components is developed.
  39. IAO-03_A39 a system security plan that provides an overview of the security requirements for the system is developed.
  40. IAO-03_A40 a privacy plan for the system is developed that provides an overview of the privacy requirements for the system.
  41. IAO-03_A41 a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable.
  42. IAO-03_A42 a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable.
  43. IAO-03_A43 a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions.
  44. IAO-03_A44 a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions.
  45. IAO-03_A45 a security plan for the system is developed that includes risk determinations for security architecture and design decisions.
  46. IAO-03_A46 a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions.
  47. IAO-03_A47 a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with individuals or groups.
  48. IAO-03_A48 a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with individuals or groups.
  49. IAO-03_A49 a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
  50. IAO-03_A50 a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
  51. IAO-03_A51 copies of the plans are distributed to personnel or roles.
  52. IAO-03_A52 subsequent changes to the plans are communicated to personnel or roles.
  53. IAO-03_A53 plans are reviewed frequently.
  54. IAO-03_A54 plans are updated to address changes to the system and environment of operations.
  55. IAO-03_A55 plans are updated to address problems identified during the plan implementation.
  56. IAO-03_A56 plans are updated to address problems identified during control assessments.
  57. IAO-03_A57 plans are protected from unauthorized disclosure.
  58. IAO-03_A58 plans are protected from unauthorized modification.
  59. IAO-03_A59 the system components on which CUI is stored are identified and documented.
  60. IAO-03_A60 the system components on which CUI is stored are identified and documented.
  61. IAO-03_A61 changes to the system or system component location where CUI is processed are documented.
  62. IAO-03_A62 changes to the system or system component location where CUI is stored are documented.
  63. IAO-03_A63 a system security plan that includes other relevant information necessary for the protection of CUI is developed.
  64. IAO-03_A64 the system security plan is reviewed <A.03.15.02.ODP[01]: frequency>.
  65. IAO-03_A65 the system security plan is updated <A.03.15.02.ODP[01]: frequency>.

Evidence Requirements

E-TDA-14 System Security Plan (SSP)

Documented evidence of at least one (1) System Security Plan (SSP) that covers the sensitive/regulated data environment. There may be multiple SSPs, based on applicable contracts.

Technology Design & Acquisition

Technology Recommendations

Micro/Small

  • System Security Plan (SSP)
  • System Security & Privacy Plan (SSPP)

Small

  • System Security Plan (SSP)
  • System Security & Privacy Plan (SSPP)

Medium

  • System Security Plan (SSP)
  • System Security & Privacy Plan (SSPP)

Large

  • System Security Plan (SSP)
  • System Security & Privacy Plan (SSPP)

Enterprise

  • System Security Plan (SSP)
  • System Security & Privacy Plan (SSPP)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free