RA.L3-3.11.4e Security Solution Rationale

Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

Source: NIST SP 800-172 3.11.4e

Discussion: System security plans relate security requirements to a set of security controls and solutions. The plans describe how the controls and solutions meet the security requirements. For the enhanced security requirements selected when the APT is a concern, the security plan provides traceability between threat and risk assessments and the risk-based selection of a security solution, including discussion of relevant analyses of alternatives and rationale for key security-relevant architectural and design decisions. This level of detail is important as the threat changes, requiring reassessment of the risk and of the basis for previous security decisions. When incorporating external service providers into the system security plan, organizations state the type of service provided (e.g., software as a service, platform as a service), the point and type of connections (including ports and protocols), the nature and type of the information flows to and from the service provider, and the security controls implemented by the service provider. For safety-critical systems, organizations document situations for which safety is the primary reason for not implementing a security solution (i.e., the solution is appropriate to address the threat but causes a safety concern). [SP 800-18] provides guidance on the development of system security plans.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: system security plan; records of security plan reviews and updates; system design documentation; security planning policy; procedures addressing security plan development; procedures addressing security plan reviews and updates; enterprise architecture documentation; enterprise security architecture documentation; system interconnection security agreements and other information exchange agreements; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for information security; organizational personnel responsible for developing, implementing, or approving system interconnection and information exchange agreements; personnel managing the systems to which the Interconnection Security Agreement/Information Exchange Agreement applies; system developers; organizational personnel responsible for security planning and plan implementation; organizational personnel responsible for boundary protection; system/network administrators].

Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval].

SPRS Score: 1

POA&M Allowed: No