ABSTRACT

The SMP outline in this appendix is based on the SMP framework; both are based on NIST SP 800-53. All tools, templates, and guidelines in support of the organization’s SMP are based on exactly the same framework to provide a common form and flow to all SMP-related documents. A common form and flow promotes comprehensiveness and consistency for all IA efforts. Comprehensiveness is relative to the SMP framework because this framework provides categories and elements to capture all IA activities relevant to the organization. Consistency comes from addressing all security elements. Addressing a security element is not necessarily the provision of a safeguard. A sufficient manner to address a security element may be to provide a rational explanation as to why the organization chooses not to provide that safeguard; a statement to the effect of “We choose to accept the risk this safeguard would mitigate for the following reasons: expense (purchase and operations), complexity for the user base, etc.”