
SSAA vs. ISP

June 26, 2005

I've done a few System Security Authorization Agreements (SSAAs), but I
admit I'm doing Information Support Plans, ISPs (formerly C4ISPs), for
the first time.

I used to think that the SSAA was a little bit too much information.
Over time I've learned that it makes total sense. It forces the
Information System designers to answer important questions. Many times
the questions it answers aren't important until much later (such as
life cycle issues).

The ISP puts the SSAA to shame in the sheer volume of information that
needs to be gathered. This is because it includes the netcentric
aspects of the system, the actual schedule and money involved,
acquisition issues and a bunch of other things that I, as a security
guy, don't care about.

The ISP is a bird's-eye view of the target system, where the SSAA is a
microscope into all levels of security over the life of the system,
from cradle to grave.

More on Information Assurance, DITSCAP, and DIACAP on infoassure.blogharbor.com
