Guide For Developing
Security Plans For Information Technology Systems
Today’s rapidly changing technical
environment requires federal agencies to adopt a minimum set of management
controls to protect vital information technology (IT) resources. These management
controls are directed at individual IT users in order to reflect the distributed
nature of today’s technology. Technical and operational controls support
management controls. To be effective, all of these controls must interrelate.
The Information Technology Laboratory
(ITL) at the National Institute of Standards and Technology recently published
Special Publication 800-18, Guide
for Developing Security Plans for Information Technology Systems.
Developed by Marianne Swanson and a working group of the Federal Computer
Security Program Managers’ Forum, the publication addresses the development
of security plans that document the management, technical, and operational
controls for federal automated information systems. The publication provides
guidance for individuals responsible for IT security at the system level
and at the organization level. It is written specifically for individuals
with little or no computer security expertise. The document can also be
used as an auditing tool by auditors, managers, and IT security officers.
The concepts presented are generic and can be applied to organizations in
private and public sectors. This ITL Bulletin summarizes the purpose,
responsibilities, format, and development of an effective security plan
(the guide provides detailed information).
The completion of system security plans is a requirement of the Office of
Management and Budget (OMB) Circular A-130, "Management of Federal Information
Resources," Appendix III, "Security of Federal Automated Information Resources,"
updated in 1996, and of Public Law 100-235, "Computer Security Act of 1987."
OMB Circular A-130, Appendix III, does not distinguish between sensitive
and non-sensitive systems. Rather, consistent with the Computer Security
Act of 1987, the Circular recognizes that federal automated information
systems have varied sensitivity and criticality. All federal systems have
some level of sensitivity and require protection as part of good management
practice. OMB Bulletin 90-08, dated July 9, 1990, which provided initial
security planning guidance, is superseded by the issuance of Special Publication
800-18. The generic term "system" is used in the document to mean either
a major application or a general support system.
Major Application or General
Support System Plans
All applications and systems must be covered by system security plans if
they are categorized as a "major application" or "general support system".
Specific security plans for other applications are not required because
the security controls for those applications or systems would be provided
by the general support systems in which they operate. For example, a department-wide
Financial Management System would be a major application requiring its own
security plan. A local program designed to track expenditures against an
office budget might not be considered a major application and would be covered
by a general support system security plan for an office automation system
or a local area network (LAN). Standard commercial off-the-shelf software
(such as word processing software, electronic mail software, utility software,
or other general- purpose software) would not typically be considered a
major application and would be covered by the plans for the general support
system on which they are installed.
Purposes of System Security
- Provide an overview of the
security requirements of the system and describe the controls in place
or planned for meeting those requirements; and
- Delineate responsibilities
and expected behavior of all individuals who access the system.
Security Plan Responsibilities
The system owner is responsible for ensuring that the security plan is prepared
and for implementing the plan and monitoring its effectiveness. Security
plans should reflect input from various individuals with responsibilities
concerning the system, including functional "end users," information owners,
the system administrator, and the system security manager.
Agencies may require contractor
compliance with the guide as a contract requirement. A security plan in
the format specified in the document or in another agreed-upon format is
suggested in those cases where vendors are operating a system under contract
to the federal government. In those instances where a contractor or other
entity (e.g., state or local government) operates a system that supports
a federal function, a security plan is required.
OMB Circular A-130 requires a
summary of the security plan to be incorporated into the strategic IRM plan
required by the Paperwork Reduction Act (44 U.S.C. Chapter 35).
Agencies should develop policy
on the security planning process. Security plans are living documents that
require periodic reviews, modifications, and milestone or completion dates
for planned controls. Procedures should be in place outlining who reviews
the plans and follows up on planned controls. In addition, procedures are
needed describing how security plans will be used in the authorization for
While the format in Special Publication 800-18 is recommended, it is recognized
that some agencies have developed plans using other formats that meet A-130
requirements. The document is intended as guidance only and should not be
construed as the only format allowed. A standardized approach, however,
not only makes the development of the plan easier by providing examples,
but also provides a baseline to review plans. The level of detail included
within the plan should be consistent with the criticality and value of the
system to the organization’s mission (i.e., a more detailed plan is required
for systems critical to the organization’s mission). The security plan should
fully identify and describe the controls currently in place or planned for
the system and should include a list of rules of behavior (see Appendices
A and B of the document).
Once completed, a security plan will contain technical information about
the system, its security requirements, and the controls implemented to provide
protection against its risks and vulnerabilities. Before the plan can be
developed, a determination must be made as to which type of plan is required
for a system. An analysis of the system determines the boundaries of the
system and the type of system.
Defining what constitutes a "system" for the purposes of the guideline requires
an analysis of system boundaries and organizational responsibilities. Constructing
logical boundaries around a set of processes, communications, storage, and
related resources, as defined by the guideline, identifies a system. The
elements within these boundaries constitute a single system requiring a
security plan. Each element of the system must:
- Be under the same
direct management control;
- Have the same
function or mission objective;
- Have essentially the same
operating characteristics and security needs; and
- Reside in the same
general operating environment.
All components of a system need
not be physically connected (e.g., a group of stand-alone personal computers
(PCs) in an office; a group of PCs placed in employees’ homes under defined
telecommuting program rules; a group of portable PCs provided to employees
who require mobile computing capability for their jobs; and a system with
multiple identical configurations that are installed in locations with the
same environmental and physical safeguards).
Multiple Similar Systems
An organization may have systems that differ only in the responsible organization
or the physical environment in which they are located (e.g., air traffic
control systems). In such instances, it is appropriate and recommended to
use plans that are identical except for those areas of difference. This
approach provides consistent levels of protection for similar systems.
The next step is to categorize each system as either a "major application"
or as a "general support system." All applications should be covered by
a security plan. The applications will either be covered individually if
they have been designated as a major application or within the security
plan of a general support system. A system may be designated as a major
application even though it is also supported by a system that has been designated
as a general support system. For example, a LAN may be designated a general
support system and have a security plan. The organization’s accounting system
may be designated as a major application even though the computing and communication
resources of the LAN support it. In this example, the major application
requires additional security requirements due to the sensitivity of the
information the application processes. When a security plan is required
for a major application that is supported by a general support system, coordination
of both plans is required.
All federal applications have value and require some level of protection.
Certain applications, because of the information they contain, process,
or transmit or because of their criticality to the organization’s missions,
require special management oversight. These applications are major applications.
Agencies are expected to exercise
management judgment in determining which of their applications is a major
application and to ensure that the security requirements of non-major applications
are discussed as part of the security plan for the applicable general support
Major applications are systems
that perform clearly defined functions for which there are readily identifiable
security considerations and needs (e.g., an electronic funds transfer system).
A major application might comprise many individual programs and hardware,
software, and telecommunications components. These components can be a single
software application or a combination of hardware/software focused on supporting
a specific mission-related function. A major application may also consist
of multiple individual applications if all are related to a single mission
function (e.g., payroll or personnel). If a system is defined as a major
application and the application is run on another organization's general
- Notify the system owner that
the application is critical or contains sensitive information and
provide specific security requirements;
- Provide a copy of the major
application’s security plan to the operator of the general support system;
- Request a copy of the system
security plan of the general support system and ensure it provides adequate
protection for the application and information; and
- Include a reference to the
general support system security plan, including the unique name/identifier
General Support System
A general support system is interconnected information resources under the
same direct management control that shares common functionality. A general
support system normally includes hardware, software, information, data,
applications, communications, facilities, and people and provides support
for a variety of users and/or applications. A general support system, for
example, can be a:
- LAN including smart terminals
that supports a branch office;
- Backbone (e.g., agency-wide);
- Communications network;
- Departmental data processing
center including its operating system and utilities;
- Tactical radio network; or
- Shared information processing
A major application can run
on a general support system. The general support system plan should reference
the major application plan(s).
Plan Development for All
All security plans, at a minimum, should be marked, handled, and controlled
to the level of sensitivity determined by organizational policy. In addition,
all security plans should be dated for ease of tracking modifications and
approvals. Dating each page of a security plan may be appropriate if updates
are to be made through change pages. Both types of plans must contain general
descriptive information regarding who is responsible for the system, the
purpose of the system, and the sensitivity level of the system.
The plan begins with listing the name and title of the system/application.
Each system/application should be assigned a unique name/identifier. Assigning
a unique identifier to each system helps to ensure that appropriate security
requirements are met based on the unique requirements for the system, and
that allocated resources are appropriately applied. Further, the use of
unique system identifiers is integral to the IT system investment models
and analyses established under the requirements of the Information Technology
Management Reform Act of 1996 (also known as the Clinger-Cohen Act). The
identifier could be a combination of alphabetic and numeric characters and
can be used in combination with the system/application name. The unique
name/identifier should remain the same throughout the life of the system
to allow the organization to track completion of security requirements over
List the federal organizational sub-component responsible for the system.
If a state or local government or contractor performs the function, identify
both the federal and other organization and describe the relationship. Be
specific about the organization and do not abbreviate. Include physical
locations and addresses.
List the name, title, organization, and telephone number of one or more
persons designated to be the point(s) of contact for this system. One of
the contacts given should be identified as the system owner. The designated
persons should have sufficient knowledge of the system to be able to provide
additional information or points of contact, as needed.
Assignment of Security Responsibility
An individual must be assigned responsibility in writing to ensure that
the application or general support system has adequate security. To be effective,
this individual must be knowledgeable of the management, operational, and
technical controls used to protect the system. Include the name, title,
and telephone number of the individual who has been assigned responsibility
for the security of the system.
System Operational Status
Indicate one or more of the following for the system’s operational status.
If more than one status is selected, list which part of the system is covered
under each status.
the system is operating.
- Under development
the system is being designed, developed, or implemented.
- Undergoing a major modification
the system is undergoing a major conversion or transition.
If the system is under development
or undergoing a major modification, provide information about the methods
used to assure that up-front security requirements are included. Include
specific controls in the appropriate sections of the plan depending on where
the system is in the security life cycle.
Present a brief description (one-three paragraphs) of the function and purpose
of the system (e.g., economic indicator, network support for an organization,
business census data analysis, crop-reporting support).
If the system is a general support
system, list all applications supported by the general support system. Specify
if the application is or is not a major application and include unique name/identifiers,
where applicable. Describe each application's function and the information
processed. Include a list of user organizations, whether they are internal
or external to the system owner’s organization, and a general description
of the type of information and processing provided. Request information
from the application owners (and a copy of the security plans for major
applications) to ensure their requirements are met.
Provide a brief (one-three paragraphs) general description of the technical
system. Include any environmental or technical factors that raise special
security concerns, such as:
- The system is connected to
- It is located in a harsh or
- Software is rapidly implemented;
- The software resides on an
open network used by the general public or with overseas access;
- The application is processed
at a facility outside of the organization's control; or
- The general support mainframe
has dial-up lines.
Describe the primary computing
platform(s) used (e.g., mainframe, desk top, LAN or Wide Area Network (WAN).
Include a general description of the principal system components, including
hardware, software, and communications resources. Discuss the type of communications
included (e.g., dedicated circuits, dial circuits, public data/voice networks,
Internet). Describe controls used to protect communication lines in the
appropriate sections of the security plan.
Include any security software
protecting the system and information. Describe in general terms the type
of security protection provided (e.g., access control to the computing platform
and stored files at the operating system level or access to data records
within an application). Include only controls that have been implemented
or are planned, rather than listing the controls that are available in the
software. Controls that are available, but not implemented, provide no protection.
System interconnection is the
direct connection of systems for the purpose of sharing information resources.
System interconnection, if not appropriately protected, may result in a
compromise of all connected systems and the data they store, process, or
transmit. It is important that system operators, information owners, and
management obtain as much information as possible about the vulnerabilities
associated with system interconnection and information sharing and the increased
controls required to mitigate those vulnerabilities. The security plan for
the systems often serves as a mechanism to effect this security information
exchange and allows management to make informed decisions regarding risk
reduction and acceptance.
OMB Circular A-130 requires
that written management authorization (often in the form of a Memorandum
of Understanding or Agreement) be obtained prior to connecting with other
systems and/or sharing sensitive data/information. The written authorization
shall detail the rules of behavior and controls that must be maintained
by the interconnecting systems. A description of the rules for interconnecting
systems and for protecting shared data must be included with this security
In this section, provide the
following information concerning the authorization for the connection
to other systems or the sharing of information:
- List of interconnected
systems (including Internet);
- Unique system identifiers,
- Name of system(s);
- Organization owning the
- Type of interconnection
(TCP/IP, Dial, SNA, etc.);
- Short discussion of major
concerns or considerations in determining interconnection;
- Name and title of authorizing
- Date of authorization;
- System of Record, if applicable
(Privacy Act data);
- Sensitivity level of each
- Interaction among systems;
- Security concerns and Rules
of Behavior (see Appendices A and B of the guide) of the other systems
that need to be considered in the protection of this system.
Sensitivity of Information
This section provides a description of the types of information handled
by the system and an analysis of the criticality of the information. The
sensitivity and criticality of the information stored within, processed
by, or transmitted by a system provides a basis for the value of the system
and is one of the major factors in risk management. The description will
provide information to a variety of users, including:
- Analysts/programmers who
will use it to help design appropriate security controls;
- Internal and external auditors
evaluating system security measures; and
- Managers making decisions
about the reasonableness of security countermeasures.
The nature of the information
sensitivity and criticality must be described in this section. The description
must contain information on applicable laws, regulations, and policies
affecting the system and a general description of sensitivity.
The remainder of the guidance
document details the management, operational, and technical controls,
discussed for both major applications and general support systems. Appendices
include Rules of Behavior, templates for security plans, a glossary, references,
and an index.
For more information
The planning guideline is
available for download in Microsoft Word ‘97 (.doc) and Adobe Acrobat
(.pdf) formats. Paper copies can be ordered from the Government Printing
Office at (202) 512-1800; the order number is SN003-003-03590-4 and the
price is $14.00. Paper copies are also available from the National Technical
Information Service (NTIS) at (703) 605-6000; order number is PB99-105116.