What is required before developing a System Security Plan (SSP)?

Multiple Choice

What is required before developing a System Security Plan (SSP)?

Explanation:
Determining how the system is categorized and which security controls will be used is the essential first step before writing an SSP. In the risk management framework, you start by categorizing the system (using the specified criteria to assign impact levels for confidentiality, integrity, and availability). That categorization then guides which baseline controls you select from the control catalog. With those controls chosen, you document in the System Security Plan exactly how each control is implemented, who is responsible, and how it will be assessed and maintained.

Without this upfront categorization and control selection, the SSP would lack a defined scope and the appropriate security controls to describe, making it incomplete or inaccurate. Actions like rebooting the system or conducting routine external audits come later in the lifecycle (assessment/authorization) and aren’t prerequisites for developing the SSP. And claiming that no planning is needed contradicts the need to establish the security controls and their implementation before documenting them.
