The organization must communicate subsequent changes to the System Security Plan (SSP) to, at a minimum, the ISSO, ISSM, and SCA.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300597

Associated with: CCI-003061

VVSP-01-000122_rule The organization must communicate subsequent changes to the System Security Plan (SSP) to, at a minimum, the ISSO, ISSM, and SCA.

Vulnerability discussion

SSPs relate security requirements to a set of security controls and control enhancements. SSPs also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. SSPs contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.SSPs need not be single documents; the plans can be a collection of various documents, including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. Voice Video SSP documents should include the Voice Video access control policy and procedures, Call Detail Record (CDR) policy and procedures, Voice Video configuration management policy and procedures, contingency plans and procedures for the Voice Video systems, and any other plans, policies, and procedures developed for the Voice Video system.Disseminating the SSPs to relevant personnel reduces the risk of individuals putting the Voice Video system at risk, either deliberately or inadvertently. Particular emphasis must be placed on disseminating documentation to individuals responsible for implementation of the policy and procedures, the administrators, and the ISSO and ISSM or their designated representatives. Dissemination techniques may include sending the implementation procedures via email, posting on wiki or in SharePoint repositories, STIG, configuration guides, and other forms of communication.

Check content

Review each Voice Video SSP. Verify that subsequent changes to the organizations SSP for each Voice Video system have been distributed to the ISSO, ISSM, and SCA. Confirm that distribution of subsequent changes to other relevant stakeholders are recorded and distributed. If subsequent changes of the organizations SSP for each Voice Video system have not been distributed to the ISSO, ISSM, and SCA, this is a finding. If distribution of subsequent changes to other relevant stakeholders is not recorded, this is a finding.

Fix text

Distribute subsequent changes of each Voice Video SSP to the ISSO, ISSM, and SCA. Record other relevant stakeholders to whom subsequent changes to each Voice Video SSP are distributed.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer