Documenting Security Controls

FedRAMP Process Flow

The Documenting Security Controls step involves the tasks and deliverables below. Please refer to the FedRAMP Concept of Operations document for more detailed information.

  1. The CSP documents the security control implementation in a System Security Plan (SSP).
  2. The CSP submits the SSP and supporting documentation to their assigned FedRAMP ISSO for review.
  3. After the CSP addresses the ISSO's concerns and the SSP is in its final state, the ISSO submits it to the JAB for review.
  4. The JAB assesses the SSP to ensure it addresses the security needed for that cloud system; if it does, the CSP can move on to the security testing step. If the JAB has concerns, the FedRAMP PMO informs the CSP of those concerns, and the CSP can address them and resubmit the documentation.


| Deliverable | Description |
| --- | --- |
| System Security Plan | This document describes how the controls are implemented within the cloud system and its environment of operation. The SSP is also used to describe the system boundaries. |
| Information Security Policies | This document describes the CSP's Information Security Policy that governs the system described in the SSP. |
| User Guide | This document describes how leveraging agencies use the system. |
| Rules of Behavior | This document is used to define the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access. |
| IT Contingency Plan | This document details how the recovery of the system occurs in the case of a disruption of service. |
| Configuration Management Plan | This plan describes how changes to the system are managed and tracked. |
| Incident Response Plan | This plan documents how incidents are detected, reported, escalated, handled, and remediated. |
| E-Authentication Workbook | This template is used to indicate whether E-Authentication will be used in the cloud system and defines the required authentication level. |
| Privacy Impact Assessment | This document assesses what Personally Identifiable Information (PII) is captured and whether it is being properly safeguarded. |