ABSTRACT

- How the security planning process works
- How system categorization in security planning is performed based on Federal Information Processing Standard (FIPS)
- How risk management is addressed in security planning
- What system security plan (SP) responsibilities are
- How the system SP is approved
- How the certification and accreditation process works in security planning
- How to define SP scope and system boundaries
- How to conduct SP analysis
- How to apply scoping guidance
- How to define compensating controls
- How to specify common security controls
- How to apply common security controls
- How to select justifiable security controls
- How to maintain ongoing system security
- How the proposed SP methodology works
- How to distinguish between a security program and a security plan
- How to distinguish between a major application and a general support system
- How to perform all phases of the SP methodology
- How to perform system definition
- How to perform SP analysis
- How to perform SP design
- How to assess system sensitivity
- How to assess system availability requirements
- How to recognize when restructuring or process reengineering becomes necessary in security planning

4.1 Introduction

This chapter adapts the work of NIST's great authors, Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, and George Rogers, who jointly developed the only extant standard for the formulation of a security plan. This chapter attempts to communicate this standard (or guidelines, as the team called it in some of the literature) to students, researchers, and professionals in both the public sector (where it is already mandatory in the United States) and the private sector (where it is adopted to gain competitive advantage). This chapter translates this standard into a user-friendly methodology based on an older version of the same standard (NIST SP 800-18) published by Marianne Swanson in NIST publications. From time to time, we reproduce some of the definitions that are better communicated the way they are instead of paraphrasing them [3].