Controlled Unclassified Information Page 17
There are multiple platforms in a system identified by the inventory. At a minimum, each device category has
access controls and likely audit logging, and sometimes session lock, etc. Platforms may have those controls
configured uniquely for each device type. It is expected that unique implementations would be addressed by
platform for the following controls/control families where applicable: AC, IA, AU, CM, SI-2, SI-3, SI-5, SI-11.
Recommend using a standard format for addressing controls by platform (e.g. have a sub-header within the
control part/parts for "Cisco", "Brocade", "Windows", "Linux", "Oracle", etc.).
Where applicable, each facility should be addressed, including alternate, backup and operational facilities.
Document References
Policies and procedures, as well as supporting documents, should be explicitly referenced (title, date and
version) so it is clear which is active.
If the entire referenced document does not apply, specific section references should be provided so the
applicable sections can be located easily.
The reviewer should not have to rely solely on following the references to understand the control implementation.
An overview of what the referenced document addresses and its direct relevance to the control requirement
should be provided so the SSP can stand on its own.
You can have a table at the end of the SSP that specifies all referenced documents, their title, date, and
version. Then reference that table when a document is cited. That way you only have to maintain date and
version in one place.
• Repeats or rephrases the control requirement instead of describing how it is addressed in the system
• Uses "boilerplate" text, copied and pasted over and over again
• Contains text not directly relevant to describing how the control is implemented
• Is left blank, for example no control implementation description has been written
• Is marked N/A when it is not, or is marked N/A without a risk-based justification of why it is considered
N/A
• Inappropriately cites a document or does not contain details and specifics that demonstrate to a
limited extent that the control is implemented and compliant. Where a document citation is appropriate to
indicate some part of the implementation, give title, version, date (and section or page of the document
containing the specifics).
• Does not identify all persons responsible (by role) for implementing/enforcing the solution to the security
control. A role defined for a control should also be included in the Roles and Privileges table of the SSP.
• Does not describe all possible places where a control is implemented (e.g. only discusses access for non-
privileged users and excludes privileged users; only discusses access control for some platforms and not
others; only discusses audit logging, maintenance, flaw remediation, configuration management, etc. for
some platforms and not others; only discusses physical controls at one facility.)
• Where a single control contains multiple requirements, does not address all requirements.
• The wrong Implementation Status is checked
  • For example, it is marked Planned but does not identify a planned date, or where it is marked
  Alternative Implementation it does not clearly describe the alternative.
  • As general guidance, if all or part of the control is an alternative implementation, then the statuses
  "Partially Implemented" and "Alternative Implementation" are both checked. If all or part of the
  control is planned, then the statuses "Partially Implemented" and "Planned" are both checked. If
  selecting a status of Planned, Alternative Implementation, and/or Not Applicable, the aspects of
  the control that are Planned, Alternative, and/or Not Applicable should be clearly explained in the
  implementation description. If the control is solely a customer responsibility and the CSP has no
  responsibility for the implementation of the control, then "Implemented" is checked and the