▲ A prototype development work plan and staffing schedule
In addition, the project may need to be presented to the administration.
4.3.1 System Security Plan (SSP). The SSP documents the security risks (not project risks) and overall system security categorization in terms of potential level of impact (Low, Moderate, High) for each of the security objectives of confidentiality, integrity, and availability of federal information and information systems. The plan documents the security processes that will be implemented and tested in the Security Controls Assessment (SCA) plan. The SCA plan is the basis for System Certification and Accreditation and acceptance of residual security risk. The System Security Plan includes the following components:
▲ System Boundary Summary – Describes what constitutes the system for the purposes of the SSP.
▲ IT System Security Categorization and Sensitivity – The System Security Categorization classifies the system as a Major Application or a General Support system. The Security Sensitivity identifies the potential level of impact as Low (limited impact), Moderate (serious impact), or High (severe or catastrophic impact) for confidentiality, integrity, and availability of federal information and information systems. Together, the categorization and sensitivity determine the minimum management, operational, and technical security controls required for information and information systems. See Federal Information Processing Standards (FIPS) 199 – Standards for Security Categorization of Federal Information and Information Systems (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf). Guidance on the use of FIPS 199 can be found in NIST Special Publication 800-60.
4.3.2 Configuration Management Approach – Develop the approach for managing change over the development and production life cycle of the system – application and operating system software, configuration settings, interfaces, and hardware.
Note: A security risk assessment differs greatly from a project risk assessment. A security risk assessment assesses the security risks to the information system itself whereas a project risk assessment assesses the project risks.
4.3.3 Contingency and Disaster Recovery Approach – Prepare an approach for responding to man-made or natural incidents or disasters.