Prepared By/For

system security plan prepared by, prepared for page image

Prepared By and Prepared For follow the Roles pattern, using the prepared-by and prepared-for roles.

For an SSP:

prepared-by may identify the cloud service provider or a thrid party advisory organization
prepared-for always identifes the cloud service provider

Defined Identifiers Required Role IDs:

prepared-by
prepared-for

Prepared By - CSP or Self‑Prepared

When the SSP is preapred by the CSP the metadata must include:

a roles entry with an id of prepared-by
a parties entry that represents the CSP
a responsible-parties entry with:
- a role-id of prepared-by
- a parties-uuid array with one entry:
  - the uuid value of the CSP entry in the parties array above.

metadata:
  roles:
  - id: prepared-by
    title: Prepared By

  parties:
  - uuid: d865602c-9d3b-49d7-8125-ce3f1ca04231
    type: organization
    name: CSP Name

  responsible-parties:
  - role-id: prepared-by
    party-uuids:
    - d865602c-9d3b-49d7-8125-ce3f1ca04231



##### Prepared By - Third Party

When the SSP is preapred by an advisory firm, the `metadata` must include:
- a `roles` entry with an `id` of `prepared-by`
- a `parties` entry that represents the third party firm
- a `responsible-parties` entry with:
  - a `role-id` of `prepared-by`
  - a `parties-uuid` array with one entry:
    - the `uuid` value of the third party firm's entry in the `parties` array above.


```yaml
metadata:
  roles:
  - id: prepared-by
    title: Prepared By

  parties:
  - uuid: d865602c-9d3b-49d7-8125-ce3f1ca04231
    type: organization
    name: Third Party Firm Name

  responsible-parties:
  - role-id: prepared-by
    party-uuids:
    - d865602c-9d3b-49d7-8125-ce3f1ca04231

Prepared For

The SSP is always prepared for the CSP. The metadata must include:

a roles entry with an id of prepared-for
a parties entry that represents the CSP
a responsible-parties entry with:
- a role-id of prepared-for
- a parties-uuid array with one entry:
  - the uuid value of the CSP entry in the parties array above.

metadata:
  roles:
  - id: prepared-for
    title: Prepared For

  parties:
  - uuid: d865602c-9d3b-49d7-8125-ce3f1ca04231
    type: organization
    name: CSP Name

  responsible-parties:
  - role-id: prepared-for
    party-uuids:
    - d865602c-9d3b-49d7-8125-ce3f1ca04231

To include location, log or other details for a Party, see [link-needed].

SSP Adoption Strategies

Retrofit Adoption Path

New Adoption Path

System Status

Title Page

Prepared By/For

System Security Plan Approvals

1. Introduction

2. Purpose

3. System Information

4. System Owner

5. Assignment of Security Responsibility

6. Leveraged FedRAMP-Authorized Services

7. External Systems and Services Not Having FedRAMP Authorization

8. Illustratred Architecture and Narratives

9. Services, Ports and Protocols

10. Cryptographic Modules Implemented for DAR and DIT

11. Seperation of Duties Matrix

Appendicies Overview

Appendix A: FedRAMP Security Controls

Appendix B: Related Acronyms

Appendix C: Security Policies and Procedures

Appendix D: User Guide

Appendix E: Digital Identity Level (DIL) Determination

Appendix F: Rules of Behavior (RoB)

Appendix G: Information System Contingency Plan (ISCP)

Appendix H: Configuration Management Plan (CMP)

Appendix I: Incident Response Plan (IRP)

Appendix J: CIS and CRM Workbook

Appendix K: FIPS-199 Worksheet

Appendix L: CSO-Specific Required Laws and Regulations

Appendix M: Integrated Inventory Workbook

Appendix N: Continuous Monitoring Plan

Appendix O: POA&M

Appendix P: Supply Chain Risk Management Plan (SCRMP)

Appendix Q: Cryptographic Modules

Inventory Approaches

Inventory: Flat Approach

Inventory: Normalized Approach

Control Response: Approaches

Control Response: Flat Approach

Control Response: Normalized Approach

Control Definitions

Responsible Roles

Parameter Assignments

Implementaiton Status

Control Origination

Control Response Overview

Control Responses

Control Response: Policies and Procedures

Inheritence and Customer Responsibilities

Example

Prepared By/For

Prepared By - CSP or Self‑Prepared

Prepared For