I bet nobody ever thought a System Security Plan would end up getting released to the world through a FOIA request.

Comments on the documents:

• The CI-100 DCS-3000 to EDMS System Security Plan is a little odd–why not just make it an interconnect document instead of a full SSP?  It’s just a strange way to manage things in my mind.
• The SSP, even though it’s from 2007, is way “old school”.  It doesn’t follow along the SP 800-53 catalog of controls that is pretty much down to a formula nowadays.  I guess the tech version is that the document has bit rot.
• The SSP details a technique to take a live feed of unclassified data and pump it into a classified system through a one-way serial cable (RS 232, remember what those are?)    =)   At any rate, it should be an interesting technique if you’re not used to dealing with that kind of interconnect.
• The Risk Assessment doesn’t describe what I would want to know, and that’s really the heart of my first comment.  Basically what I have is 2 systems that are connecting to each other, so what I want to know is what are the risks associated with each side and what is the risk of the interconnect itself.  Each side has their own security plan, so that’s why it’s an interconnect instead of a SSP.  But we haven’t addressed the security controls of the connection itself.
• There are some other minor annoyances, like “why are you grading the system on your ability to install ISS System Scanner” but I’ll leave those for you to go discover. =)

Have I jumped completely over the edge?  I think I have. =)

• One Catalog to Rule Them All
• Remembering Accreditation
• Feds to Embrace SaaS, End is Nigh for Security!
• Rebuilding C&A
• An Open Letter to NIST About SP 800-30