Planning Plan

Approach basics → §4.x

Locations and roles that anchor the rest of the plan.

SSP authoritative location * Where the SSP is authoritatively maintained (e.g., 'eMASS package PKG-12345', 'GRC tool — Compliance section', '/repo/compliance/ssp.md under version control').

SSP owner role * Role accountable for the SSP (typically System Owner with ISSO support).

Rules of Behavior location * Where the Rules of Behavior are maintained. Often co-located with the access-agreement template (PS-6).

Security / privacy architecture document location * Where the architecture document is maintained (e.g., 'Confluence space ARCH at /docs/CTLS-architecture', '/repo/architecture/security.drawio').

Architecture-governance role Role accountable for architecture changes (e.g., 'Security Architecture Review Board', 'Application Security Lead').

Selected baseline summary * Brief phrase identifying the baseline (e.g., 'NIST SP 800-53 r5 Moderate + privacy overlay', 'FedRAMP Moderate baseline', 'CNSSI 1253 Moderate / Moderate / Moderate').

Tailoring-register location Where tailoring decisions, overlays applied, control supplements / removals are recorded.

SSP Management (PL-2) → §4.x

How the System Security Plan is authored, reviewed, and updated.

SSP scope summary What the SSP covers (system description, boundary, categorization, baseline + tailoring, all 800-53 r5 controls + ODVs, supporting family plans, overlays). Reference NIST SP 800-18 r1.

Review cadence (PL-2 ODV) How often the SSP is reviewed (typical: 'Annual + on significant change per CM-4').

Change-trigger events

Significant change per CM-4 / SA-3 New significant control added or removed Authorization-condition change Categorization-level change (RA-2) New significant external interconnection (CA-3) New significant supply-chain dependency (RA-3(1)) Significant deficiency identified in CA-2 assessment Annual review cycle

Change workflow From change identified → SSP updated → AO reviewed → re-issued. Reference CM-3.

SSP distribution list Roles to whom the SSP is distributed (System Owner, ISSO, ISSM, AO, designated assessors, contracting officer if applicable).

Supporting-plans register Inventory of supporting plans referenced by the SSP (CM, AC, AU, IA, IR, CP, SI, CA, SC, RA, SA, PE, PS, MA, MP, AT, PL, SR, PT, PM as applicable). Where each supporting plan lives.

Rules of Behavior (PL-4) → §4.x

User obligations and acceptable use.

Required topics covered

Acceptable use of system resources Password / credential responsibilities Reporting suspicious activity Removable media handling (cross-reference MP-7) Telework / mobile-device handling (cross-reference PE-17) Personal use of official equipment Social-media restrictions (cross-reference PL-4(1)) External-information-system use (cross-reference AC-20) Privacy / PII handling AI / LLM tool use policy (newer) Sanctions for noncompliance (cross-reference PS-8)

Acknowledgment method — Select — Electronic signature in HRMS / LMS Wet-ink signature on paper form Click-through on system login Annual reaffirmation in awareness training (AT-2) Mixed by personnel category

Renewal cadence (PL-4 ODV) How often RoB is reaffirmed (typical: 'Annually + on significant policy change').

Acknowledgment-record storage Where signed RoB acknowledgments are retained. Often co-located with PS-6 access-agreement records.

Social-media restrictions (PL-4(1)) Per PL-4(1) — restrictions on disclosing system / org information via social media. What may not be disclosed (system identifiers, technical details, project codes, classified or CUI material).

Revisions log Where RoB revisions are logged (version, date, summary of change). Important when reaffirmation is triggered by a change.

Security and Privacy Architecture (PL-8) → §4.x

How architecture is documented and governed.

Architecture documentation scope

Logical / data architecture Physical / deployment architecture Network architecture (boundary, segmentation) Identity architecture Cryptographic architecture Privacy-engineering architecture (PT family overlap) Backup / DR architecture (CP family overlap) Monitoring / telemetry architecture Trust boundaries + threat-model artifacts

Architecture-review cadence How often the architecture document is reviewed for currency. Per NIST SP 800-160 v1 r1.

Threat-model maturity — Select — Per design / per architecture-significant change (STRIDE / PASTA) Initial threat model maintained; updated on major change Lightweight / data-flow-only threat model Threat model not formally maintained (with POA&M)

Engineering-decision integration How the architecture document supports engineering decisions. ADRs cite architecture sections; design reviews reference architecture; change-control routes architecture-affecting changes through SARB.

Privacy-architecture maturity — Select — Privacy architecture fully integrated (NIST IR 8062) Privacy elements documented as part of security architecture Privacy architecture maintained separately under PT family Privacy architecture not yet formalized (with POA&M) Not applicable (no PII)

Baseline Selection (PL-10) → §4.x

Selection of the control baseline per categorization.

Baseline source — Select — NIST SP 800-53B Low / Moderate / High baseline FedRAMP Low / Moderate / High baseline CNSSI 1253 Confidentiality / Integrity / Availability baseline (national-security systems) DoD CC SRG IL2 / IL4 / IL5 baseline Industry baseline (e.g., StateRAMP, agency-specific) Customized baseline (with rationale)

Categorization basis How the categorization that drives the baseline was determined (FIPS 199 high-water mark per RA-2). Reference RA-2 documentation.

Baseline-documentation location Where the as-selected baseline (the list of in-scope controls) is documented.

Overlays applied

Add item

Suggested: + NIST 800-53 r5 Privacy overlay + NIST 800-53 r5 Classified Information overlay + CNSSI 1253 Classified overlay + FedRAMP overlay + Cross-domain solution (CDS) overlay + Industrial control system (ICS) overlay (NIST SP 800-82 r3) + Healthcare / HIPAA overlay (agency-specific) + Tax-information overlay (FTI / IRS Pub 1075)

Baseline Tailoring (PL-11) → §4.x

Decisions to add, remove, supplement, or restrict controls relative to baseline.

Tailoring methodology Approach to tailoring per NIST SP 800-53B § 2.4 / NIST SP 800-37 r2 § 3.3 — applicability, scoping, parameter selection, control supplements, mitigation alternatives.

Tailoring-register fields

Control / enhancement number Tailoring action (Selected / Tailored Out / Supplemented) Rationale (organizational risk-tolerance, system-specific factor, compensating control) Approved-by role and date Linked POA&M (if compensating control) Re-evaluation cadence

Tailoring-approval authority Who approves tailoring decisions. Typically: System Owner approves operational tailoring, AO approves overall baseline tailoring.

Tailoring-review cadence How often the tailoring register is reviewed for continued validity (typical: 'Annual + on significant change').

Planning-Artifact Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Supporting plans referenced Approximate count of supporting plans the SSP references (one per applicable 800-53 family — typically 14-20).

Tailored controls / enhancements Approximate count of controls / enhancements with tailoring decisions documented.

RoB-acknowledger pool size Count of personnel required to acknowledge the RoB.

Architecture document major versions Count of architecture document major versions issued (anchors change-rate metric).

Planning Metrics & KPIs → §6.x

Metrics tracked to demonstrate PL control effectiveness.

Tracked metrics

Add item

Suggested: + SSP review-cycle adherence (% reviews completed on schedule) + Mean time from significant change → SSP updated + RoB acknowledgment-completion rate (current cycle) + Architecture-document currency rate + Tailoring-register decision currency rate + Control-supplement / removal change rate per cycle + Mean time from threat-model change → architecture-doc update + Open POA&M items linked to PL controls

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the PL control implementations are summarized (e.g., 'SSP §13.1 — meta').

POA&M ID prefix for PL findings Convention for PL-related POA&M items (e.g., 'POAM-PL-' for general).

CA handoff How PL-2 SSP feeds CA-2 assessment and CA-6 authorization decisions. Where AO sees the SSP.

RA handoff How RA-2 categorization drives PL-10 baseline selection. Trigger when categorization changes.

CM handoff How architecture / SSP changes route through CM-3 change control. CM-4 significant-change determination.

PS handoff How PL-4 Rules of Behavior pair with PS-6 access agreements. Co-administered or separate?

All-families pointer How each family plan references back to this PL plan (the SSP it documents). Reference the supporting-plans register.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying PL continuous-monitoring metrics to the broader ConMon plan.