secure.in.gov · Web viewOverall impact score should use the high water-mark approach. If two...


Agency System Security Plan

Table of Contents

Agency Name

1. Information System Name/Title

2. Information System Categorization

3. Information System Owner

4. Authorizing Official/Accountable Party in Agency

5. Assignment of Security Responsibility

6. Information System Operational Status

7. Information System Type:

8. General System Description/Purpose

9. System Environment

10. System Interconnections/Information Sharing

11. Related Laws/Regulations/Policies

12. Minimum Security Controls

13. Information System Security Plan Completion and Approval Date(s)

Agency Name

<<Name>>

1. Information System Name/Title

<<Unique identifier and name given to the system>>

2. Information System Categorization

Place one ‘X’ in each row of the table below, based on the FIPS 199 Impact Guidance:

| | Low | Moderate | High |
|---|---|---|---|
| Confidentiality | | | |
| Integrity | | | |
| Availability | | | |
| Overall* | | | |

Overall impact score should use the high water-mark approach. If two categories are ‘Low’ and one is ‘High’, the overall score should still be ‘High.’ The embedded Excel template will calculate the overall score based on responses.

FIPS 199 Impact Guidance:


3. Information System Owner

Name:
Title:
Agency:
Email:
Phone:

4. Authorizing Official/Accountable Party in Agency

Name:
Title:
Agency:
Email:
Phone:

5. Assignment of Security Responsibility

Name:
Title:
Agency:
Email:
Phone:


6. Information System Operational Status

Status Comments
Operational <<Place X for yes>>
Under Development <<Place X for yes>>
Major Modification <<Place X for yes>>

7. Information System Type:

Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in the next section (General System Description/Purpose).

Status Comments
Major Application <<Place X for yes>>
General Support System <<Place X for yes>>

8. General System Description/Purpose

Describe the function or purpose of the system and the information processes:

9. System Environment

Provide a general description of the technical system. Include the primary hardware, software, and communications equipment:


10. System Interconnections/Information Sharing

List interconnected systems using the table below. You can add more columns as necessary:

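| | System 1 | System 2 | System 3 | System 4 |
|---|---|---|---|---|
| System Name: | | | | |
| Agency: | | | | |
| Major App or General Support System: | | | | |
| Interconnection Security Agreement (ISA)? | | | | |
| Memorandum of Understanding (MOU)? | | | | |
| Memorandum of Agreement (MOA)? | | | | |
| Confidentiality (H, M, L) | | | | |
| Integrity (H, M, L) | | | | |
| Availability (H, M, L) | | | | |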

11. Related Laws/Regulations/Policies

List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system (e.g., PCI, HIPAA):

| Law/Regulation | Applicable version(s) | Comments |
|---|---|---|
| | | |


12. Minimum Security Controls

Complete the following worksheet to determine the appropriate controls from NIST 800-53 (Revision 4) and the current status of implementation. If an applicable control is not implemented, or is not designed or operating effectively, provide an explanation of planned security controls or compensating controls.

As a reference, use the latest version of NIST SP800-53 (Revision 4):


13. Information System Security Plan Completion and Approval Date(s)

Completion date of the plan:
Completed by:

Approval date of the plan:
Approved by:
