Navigate

CCI-003059

CCI-003059 Definition

Distribute copies of the plans to organization-defined personnel or roles.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed distributes copies of the security plan to, at a minimum, the ISSO, ISSM and SCA via the organization's information sharing portal. DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the security plan via the organization's information sharing portal to ensure the organization being inspected/assessed distributes copies of the security plan to at a minimum, the ISSO, ISSM and SCA via the organization's information sharing portal. DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM and SCA.

Compelling Evidence

1.) Documentation of information sharing portal for the dissemination of changes to the security plan. Latest version of the organization's system security plan (SSP) with all applicable changes is posted to the information sharing portal and available for distribution.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003059.

Control	Description
PL-2	The organization: a: Develops a security plan for the information system that: 1: Is consistent with the organization’s enterprise architecture; 2: Explicitly defines the authorization boundary for the system; 3: Describes the operational context of the information system in terms of missions and business processes; 4: Provides the security categorization of the information system including supporting rationale; 5: Describes the operational environment for the information system and relationships with or connections to other information systems; 6: Provides an overview of the security requirements for the system; 7: Identifies any relevant overlays, if applicable; 8: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b: Distributes copies of the security plan and communicates subsequent changes to the plan to [organization-defined personnel or roles]; c: Reviews the security plan for the information system [organization-defined frequency]; d: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e: Protects the security plan from unauthorized disclosure and modification.

Control

Description

PL-2

The organization:

a: Develops a security plan for the information system that:
- 1: Is consistent with the organization’s enterprise architecture;
- 2: Explicitly defines the authorization boundary for the system;
- 3: Describes the operational context of the information system in terms of missions and business processes;
- 4: Provides the security categorization of the information system including supporting rationale;
- 5: Describes the operational environment for the information system and relationships with or connections to other information systems;
- 6: Provides an overview of the security requirements for the system;
- 7: Identifies any relevant overlays, if applicable;
- 8: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
- 9: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

b: Distributes copies of the security plan and communicates subsequent changes to the plan to [organization-defined personnel or roles];

c: Reviews the security plan for the information system [organization-defined frequency];

d: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

e: Protects the security plan from unauthorized disclosure and modification.