NIST consults on cybersecurity supply chain risk management

The system security plan, system privacy plan, and cybersecurity supply chain risk management plan – collectively referred to as system plans – consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems.

System plans serve as a centralized point of reference for information about the system and for tracking risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; individuals responsible for system risk management efforts; details about the environment of operation, system components, and data flows internally and externally; and controls planned and in place to manage risk.

A NIST special publication focuses on the development of system plans that address system-level security, privacy, and CSCRM requirements that may derive from enterprise, organization, and mission/business process requirements.

The major changes for this revision include:

  • Expanded guidance to address the development of system plans within the context of the NIST Risk Management Framework, Privacy Framework, and Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
  • Insights into the development of a consolidated system plan that encompasses security, privacy, and cybersecurity supply chain risk management plan elements.
  • Updated descriptions of system plan elements, with considerations for security, privacy, and cybersecurity supply chain risk management requirements.
  • Considerations for automating the development and maintenance of system plans using information management tools, such as governance, risk, and compliance (GRC) applications.
  • Supplemental materials, including system plan example outlines and updated roles and responsibilities associated with system plan development.

Access the consultation
