FISMA Certification and Accreditation Handbook

We spend our time searching for security and hate it when we get it.
John Steinbeck
The System Security Plan is probably the most important document you will prepare for your C&A Package. If the evaluation team is pressed for time (which sometimes happens) and elects to scrutinize only one document in your entire C&A package, skimming through the others, it is likely that the one document they will sift through with a fine-toothed comb will be the System Security Plan. Some federal agencies use a System Security Authorization Agreement (SSAA) in lieu of a System Security Plan. The SSAA historically has been used by agencies that make use of the DITSCAP C&A methodology.
The System Security Plan sums up the security requirements, architecture, and control mechanisms in one document. In the System Security Plan, you should also list pointers to the related C&A documents that are part of the same C&A package. For example, you can say, "Contingency Planning is described in the <System Name> Contingency Plan, Revision 3, April 7, 2006." Though you don't want to rewrite the other C&A documents in the System Security Plan, you will want to restate certain pieces of key information contained in other documents. For example, it is worth restating the C&A Level at which the C&A package is going to be submitted, the level that you calculated using the...