[Verse 1]
Start with system description clear and bright
Document the purpose, scope, and operational sight
Draw the boundary diagram, show what's in and out
Authorization limits that you can't live without

[Chorus]
S-S-P, System Security Plan
Structure, Boundary, Controls - that's the master plan
Specific, Measurable, Referenced and true
Living document flowing through and through
S-S-P, keep it up to date
OSCAL makes it machine-readable, don't hesitate

[Verse 2]
Control implementations need specific detail
Not just "we comply" - that story will fail
Reference configurations, procedures you use
Assessors need evidence they can't refuse

[Chorus]
S-S-P, System Security Plan
Structure, Boundary, Controls - that's the master plan
Specific, Measurable, Referenced and true
Living document flowing through and through
S-S-P, keep it up to date
OSCAL makes it machine-readable, don't hesitate

[Verse 3]
Leveraged from common, inherited and shared
Hybrid splits the duty, responsibility paired
System-specific controls you implement alone
Three types of controls in every security zone

[Bridge]
Throughout the lifecycle, keep it alive
Update as you build, maintain, and strive
OSCAL format makes automation sing
Machine-readable plans are the powerful thing

[Chorus]
S-S-P, System Security Plan
Structure, Boundary, Controls - that's the master plan
Specific, Measurable, Referenced and true
Living document flowing through and through
S-S-P, keep it up to date
OSCAL makes it machine-readable, don't hesitate

[Outro]
From system description to control detail
Living SSP will help you prevail
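Verse 2 and Verse 3 make two checkable points: a control implementation statement must cite something an assessor can open rather than just saying "we comply", and every control should declare which of the three types it is (common/inherited, hybrid, or system-specific). The following is an added example, not part of the song or of OSCAL itself: a small lint pass over a constructed, simplified OSCAL-style control-implementation fragment. The field names (implemented-requirements, control-id, description, props) echo OSCAL's SSP model, but the document is illustrative rather than schema-validated, the control-origination property name and its values are assumed for this example, and the document identifiers and file paths are made up.

```python
import re

# Constructed sample: a simplified, OSCAL-style control-implementation fragment.
# Not a complete or schema-validated SSP; identifiers such as PROC-IAM-004 and
# paths such as iam/roles.yaml are invented for illustration.
SAMPLE_SSP = {
    "control-implementation": {
        "implemented-requirements": [
            {
                "control-id": "ac-2",
                "props": [{"name": "control-origination", "value": "system-specific"}],
                "description": (
                    "Accounts are provisioned via the IAM onboarding procedure "
                    "(PROC-IAM-004); role templates are defined in iam/roles.yaml "
                    "and reviewed quarterly per SOP-AUD-002."
                ),
            },
            {
                "control-id": "pe-3",
                "props": [{"name": "control-origination", "value": "inherited"}],
                "description": (
                    "Physical access controls are inherited from the hosting "
                    "provider's authorized environment."
                ),
            },
            {
                "control-id": "au-6",
                "props": [{"name": "control-origination", "value": "hybrid"}],
                "description": "We comply with this control.",
            },
            {
                "control-id": "cm-6",
                "props": [],
                "description": "Configuration settings are enforced.",
            },
        ]
    }
}

# The three control types the song names (common/inherited/shared, hybrid,
# system-specific); the property values here are an assumption of this example.
VALID_ORIGINATIONS = {"common", "inherited", "shared", "hybrid", "system-specific"}

# Phrases that assert compliance without describing an implementation.
VAGUE_RE = re.compile(r"\b(we comply|is compliant|fully compliant|as required)\b", re.I)

# Something an assessor can open: a document/procedure identifier such as
# PROC-IAM-004 or SOP-AUD-002, or a configuration file such as iam/roles.yaml.
REFERENCE_RE = re.compile(
    r"\b[A-Z]{2,}(?:-[A-Z]+)*-\d+\b"                 # document / procedure IDs
    r"|\b[\w./-]+\.(?:ya?ml|json|tf|conf|cfg)\b"     # configuration file paths
)


def lint_requirement(req):
    """Return a list of findings for one implemented-requirement entry."""
    findings = []
    desc = req.get("description", "")
    origination = next(
        (p["value"] for p in req.get("props", []) if p.get("name") == "control-origination"),
        None,
    )

    # Verse 3: every control should say whether it is common/inherited, hybrid
    # or system-specific, so responsibility is explicit.
    if origination is None:
        findings.append("missing control-origination (common/inherited/hybrid/system-specific)")
    elif origination not in VALID_ORIGINATIONS:
        findings.append(f"unknown control-origination '{origination}'")

    # Verse 2: "we comply" is not an implementation statement.
    if VAGUE_RE.search(desc):
        findings.append("vague statement: asserts compliance without describing the implementation")

    # Inherited controls point at the provider; everything else must cite a
    # configuration, procedure or document the assessor can verify.
    if origination == "inherited":
        if "inherited from" not in desc.lower():
            findings.append("inherited control does not name the provider it is inherited from")
    elif not REFERENCE_RE.search(desc):
        findings.append("no reference to a configuration, procedure or document an assessor can verify")

    return findings


def lint_ssp(ssp):
    """Map each control-id to its findings (empty list means the entry passed)."""
    reqs = ssp["control-implementation"]["implemented-requirements"]
    return {r["control-id"]: lint_requirement(r) for r in reqs}


def failing_controls(ssp):
    """Sorted control-ids that have at least one finding."""
    return sorted(cid for cid, found in lint_ssp(ssp).items() if found)


if __name__ == "__main__":
    for control_id, found in lint_ssp(SAMPLE_SSP).items():
        status = "OK" if not found else "REVIEW"
        print(f"{control_id}: {status}")
        for f in found:
            print(f"    - {f}")
```

Run against the sample, ac-2 and pe-3 pass, au-6 is flagged for the "we comply" statement and the missing reference, and cm-6 is flagged for a missing control type and a statement with nothing an assessor can check. A check like this is deliberately shallow (it matches patterns, not meaning), so it belongs in a pre-review gate that sends entries back to the control owner, not as a substitute for the assessor's own evidence review.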