Let’s talk about your Environment
The Environment Menu contains three sections. Each section should be populated with accurate information. This information is specifically required by NIST 800-171 and will be included in the System Security Plan.
The Environment Menu dropdown allows you to access Environment Details, Environment Interconnections and Environment Contacts.
Details
The Environment Details view allows you to modify the environment and organization names. You may also specify an Environment Identifier if the environment goes by a shorter name or acronym. Click directly on the text to edit these fields. Click the checkbox followed by Update to save your changes. This section also allows you to describe the environment’s Operational Status.
Describe the environment in the Environment Description field. Be as descriptive as necessary to adequately convey the purpose of the environment, why it exists, the type of data it processes and any other significant details.
The System Boundary field should contain specifics regarding the environment components and how it is separated from other networks. For example, if you’re assessing a production network, describe the computers and servers that exist within the environment. Include information about the network infrastructure. Then provide information describing how the network is segmented off from any other networks (or systems). Do you have a corporate network in the same office? What prevents information from the production environment from spilling into the corporate network? A contracting officer reading this should get the sense that you have sufficiently described the number and type of computer systems in the environment, as well as the means by which you segment off this network.
Interconnections
The Environment Interconnections view allows you to enumerate any networks connected to your environment. Typical interconnections include office/corporate networks, wide area networks, and vendor extranets. Each distinct network/interconnection should be fully documented. Click Add to enter information for each interconnection.
Click Save to record the Interconnection details. The view now includes a list of each Interconnection.
Adding Personnel
The Environment Personnel view allows you to record all personnel associated with your environment. Appropriate personnel include a system owner, program manager and technical contacts. Click Add to enter information for each contact.
Assigning Personnel
In the Options dialog box, you can enable assignment of requirements to individuals or pre-defined roles. By default, requirements are not configured to accept assignment of personnel.
If enabled, you also have the option to assign requirements to personnel by their pre-defined roles. The image below shows which roles are available. To assign a user to a role, first, confirm they have been added to the Personnel dialog box. Then, click on “Unassigned” in the row of the role that you’d like to add that user to. A dialog box of all available personnel will appear. Select the user and click the blue checkmark to the right.
If you choose to Assign Requirements One-by-One, you will need to go into each requirement and specify which personnel are responsible for completing it. We’ll use a control as an example here. When a specific control is opened, the first thing a user sees is the details of the control. Directly below is the section titled “Compliance”. Above all of the text boxes, on the far right side of this section, is an area where a user may assign another user who has access to the account to fill out the “Compliance” section. As previously mentioned, simply click the drop-down box next to “Assigned To”, select the registered user you’d like to assign the control to, and then select the blue check mark next to the new name to confirm.
Any changes made to assigned personnel will be logged in the final SSP. Each individual control or POA&M will say who was responsible for completing that specific requirement regardless of whether they were assigned one-by-one or by families.