Question Description


Our company is an internationally recognized, award winning firm that specializes in rehabilitation and renovation of residential buildings and dwelling. Our company has grown significantly over the years we have our main corporate office in Wilmington, Delaware and three others. One is located Philadelphia and two in Maryland; Baltimore, MD and Owings Mill, MD. We’re also aware that our CISO is utilizing the National Institute Standards and Technology (NIST) guidance document as a framework to implement Red Clay Renovations Information Security program. When it comes to protecting the company’s sensitive data it would be best to implement separate System Security Plans (SSP) for each office location.

Let’s look at what an SSP is. A System Security Plan (SSP) documents the controls that have been selected to mitigate the risk of a system. The controls are determined by the Risk Analysis and the FIPS 199. For Federal systems (which include all systems that are funded by Federal money) NIST SP 800-53 provides a catalog of controls with templates according to the FIPS 199 Low, Moderate or High category. The SSP lists important information about the system including the system owner, name of the system, and list of security controls selected for the system. Each control listing includes an enough description which would allow the system owner or an auditor to verify the effectiveness of that control (“What is a System Security Plan?”, 2019).

An overall risk analysis has been determined by the CISO which is required by law. This analysis has determined the company is in the moderate category as defined in the FIPS199/200 standards and NIST SP 800-53 Revision 4. This mean that if their any form of data breach to the company’s infrastructure it could have severe effects or on operations, assets, and people. Each security control at each location is not all cookie cutter so each site would require a different System Security Plan.

The different Red Clay Renovation office don’t have the same IT systems, process the same information, the same amount of personnel, or is subject to the same insider threats or natural disasters. All these factors need to be considered when implementation a System Security Plan. Another thing to remember when these changes are made it’s required that each location make sure these are updated annually and submitted to the CISO for review and approval (NIST 800-18r1, 2019) This would be a game changer overall for us to effectively implement plans to protect our company moving forward.

What is a System Security Plan?. (2019). Retrieved from

(2019). Retrieved from…