Date Published: June 4, 2025

Authors: Jeremy Licata (NIST), Rebecca McWhite (NIST), Laura Calloway (NIST), Dylan Gilbert (NIST), Meghan Anderson (NIST), Julie Snyder (MITRE), Jeremy Miller (MITRE)

Announcement

The system security plan, system privacy plan, and cybersecurity supply chain risk management plan (collectively referred to as system plans) consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. System plans serve as a centralized point of reference for information about the system and for tracking risk management decisions, including: data being created, collected, disseminated, used, stored, and disposed of; individuals responsible for system risk management efforts; details about the environment of operation, system components, and internal and external data flows; and controls planned and in place to manage risk.

NIST Special Publication 800-18r2 focuses on the development of system plans that address system-level security, privacy, and cybersecurity supply chain risk management (CSCRM) requirements, which may derive from enterprise, organization, and mission/business process requirements.

The major changes for this revision include supplemental materials with system plan example outlines, and updated roles and responsibilities associated with system plan development.

The public comment period is open through July 30, 2025. We encourage you to use this comment template and email it to .

NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Abstract

The system security plan, system privacy plan, and cybersecurity supply chain risk management plan are collectively referred to as system plans.
They describe the purpose of the system, the operational status of the controls selected and allocated for meeting risk management requirements, and the responsibilities and expected behavior of all individuals who manage, support, and access the system. This publication identifies essential elements of system plans from security, privacy, and cybersecurity supply chain risk management perspectives to promote consistent information collection across the organization, regardless of the system’s mission or business function.
Keywords: authorization boundary; authorizing official; common control authorization; control implementation details; cybersecurity supply chain risk management plan; privacy plan; privacy risk management; risk management framework; security plan; security risk management; authorization to operate; authorization to use; authorizing official designated representative; CASES Act; control implementation; controls; FASCSA; FISMA; ongoing authorization; Privacy Act; supply chain; supply chain risk management; system privacy plan; system security plan; system owner

Control Families: None selected