Enterprise Infrastructure Solutions (EIS)
Final Proposal Revisions Volume 2 – Attachment 7 - BSS Risk Management Framework Plan
Contractor Bid or Proposal Information – See FAR
3.104. Use or disclosure of data contained on this
sheet or displayed on this screen is subject to the restriction on the title page or opening view screen
of this Proposal document or electronic file. This document or electronic file contains contractor
secrets and commercial or financial information obtained from a person in a privileged or confidential
position, and is exempt from disclosure under FOIA (5 USC 552). See FAR 24.202.
5.2 Security Control Documentation
Harris will document the security control implementation in the BSS SSP. This will
provide a functional description of the control implementation (including planned inputs,
expected behavior, and expected outputs), using the GSA SSP template. Security
controls are documented in Sections 3-5 of the SSP and are presented per the
requirements in NIST 800-18 R1. For each control the following documentation template
will be used:
- Security control name and requirement text with GSA-defined settings
- Control type (Enterprise Common, System Common, Hybrid, System Specific, Inherited, N/A)
- Implementation Status (In-Place, Partially In-Place, Planned, N/A)
- Asset group applicability
- Description of how the security control is implemented
The completed SSP will include the following supporting documentation in appendices:
- Rules of Behavior (Appendix B)
- BSS Hardware and Software Inventory (Appendix C)
- Security Control Tailoring Workbook (Appendix D)
- Continuous Monitoring Plan (Appendix E)
- Privacy Impact Statement (Appendix F)
- Security Assessment Boundary and Scope Document (Appendix G)
- GSA Control Summary Table (Appendix H)
- Configuration Management Plan (Appendix I)
  - Includes the BSS System Baseline Configuration Standard Document
  - Includes the System Configuration Settings documentation
- Incident Response Plan (Appendix J)
  - Includes the Incident Response Test Report
- Interconnection Security Agreements (ISA), MOAs and MOUs (Appendix K)
- E-Authentication Documentation (Appendix L)
- Contingency Plan (Appendix M)