WIXLIB

FEDRAMP SYSTEMSECURITY PLAN (SSP)HIGH BASELINETEMPLATETeam 1-Ivy, Jacqueline, Raymond, YoungHope Health Care Information SystemVersion 12020.3.7CONTROLLED UNCLASSIFIED INFORMATION

FEDRAMP SYSTEM SECURITY PLAN (SSP) HIGH BASELINE TEMPLATECSP Name Information System NameVersion #.#, DateInstruction: This template contains a number of features to facilitate data entry. As you go through thetemplate entering data, you will see prompts for you to enter different types of data.Repeatable FieldSome multiple-occurring data fields have been linked together and you need only enter the data once.Enter the data once; then click outside the data entry field and all occurrences of that field will bepopulated. For example, when you see “Information System Abbreviation” and replace it with yoursystem abbreviation, all instances of the abbreviation throughout the document will be replaced with thevalue you entered. This document contains the following repeatable fields:CSP NameInformation System NameVersion NumberVersion DateInformation System AbbreviationIf you find a data field from the above list that has not populated, then press the F9 key to refresh thedata. If you make a change to one of the above data fields, you may also have to press the F9 key torefresh the data throughout the document. Remember to save the document after refreshes. The oneexception to the repeatable fields is information system names for FedRAMP or leveraged authorizationsthat are identified as “Leveraged information system name:Date SelectionData fields that must contain a date will present a date selection menu.Item ChoiceData fields that have a limited number of value choices will present a selection list.Number EntryData fields that must have numeric values display “number.”Text EntryMany data fields, particularly in tables, that can contain any text display “Enter text” or “Click here toenter text.”Delete this instruction from your final version of this document. iControlled Unclassified Information

FEDRAMP SYSTEM SECURITY PLAN (SSP) HIGH BASELINE TEMPLATECSP Name Information System NameVersion #.#, DateSYSTEM SECURITY PLANPrepared byIdentification of Organization that Prepared this DocumentOrganization NameStreet AddressSuite/Room/BuildingCity, State Zip Enter Company/Organization . Enter Street Address Enter Suite/Room/Building Enter Zip Code Prepared forIdentification of Cloud Service ProviderOrganization NameStreet AddressSuite/Room/BuildingCity, State Zip Enter Company/Organization . Enter Street Address Enter Suite/Room/Building Enter Zip Code TEMPLATE REVISION HISTORYDateDescription6/20/2016Original publication10/21/2016Removed tables in Sec 15.12 FedRAMP Laws and RegulationsRemoved revision history tables in all of Sec 15Removed Acronyms - see FedRAMP Master Acronyms and Glossary resource documentAdded PTA to Sec 15.4 PTA and PIAAdded E-Authentication to Sec 15.3Added FIPs to Sec 15.10 FIPS 199Changed Inventory instruction and guidance Section 10 and Attachment 13Removed chapter numbers from AttachmentsRemoved 3 questions from Sec 2.3 E-Authentication Determination6/6/2017Updated logo8/28/2018Revised controls for language consistency, updated section 2.3 and Attachment 3, added guidanceto SA -9, updated requirements in RA-5 iiControlled Unclassified Information

FEDRAMP SYSTEM SECURITY PLAN (SSP) HIGH BASELINE TEMPLATECSP Name Information System NameVersion #.#, DateDOCUMENT REVISION HISTORYDateDescriptionVersionAuthor3/4/2020First vision1Team 1 Date Revision Description Version Author Date Revision Description Version Author How to contact usFor questions about FedRAMP, or for technical questions about this document including how to use it,contact info@FedRAMP.govFor more information about the FedRAMP project, see www.FedRAMP.govInstruction: The System Security Plan is the main document in which the Cloud Service Provider (CSP)describes all the security controls in use on the information system and their implementation.This document is released in template format. Once populated with content, this document will includedetailed information about service provider information security controls.This document is intended to be used by service providers who are applying for a Joint AuthorizationBoard (JAB) Provisional Authorization to Operate (P-ATO) or an Agency Authorization to Operate (ATO)through the Federal Risk and Authorization Management Program (FedRAMP).In the sections that follow, describe the information security control as it is implemented on the system.All controls originate from a system or from a business process. It is important to describe where thecontrol originates from so that it is clear whose responsibility it is to implement, manage and monitor thecontrol. In some cases, the responsibility is shared by a CSP and by the customer. Use the definitions inthe table that follows to indicate where each security control originates from.Note that “-1” Controls (AC-1, AU-1, SC-1, etc.)* cannot be inherited and must be described in some wayby the service provider.*Access Control (AC), Audit and Accountability (AU), System and Communications Protection (SC)Throughout this SSP, policies and procedures must be explicitly referenced (title and date or version) sothat it is clear which document is being referred to. Section numbers or similar mechanisms should allowthe reviewer to easily find the reference.For System as a Service (SaaS) and Platform as a Service (PaaS) systems that are inheriting controls froman Infrastructure as a Service (IaaS) (or anything lower in the stack), the “inherited” check box must bechecked and the implementation description must simply say “inherited.” FedRAMP reviewers willdetermine whether the control-set is appropriate or not. iiiControlled Unclassified Information

FEDRAMP SYSTEM SECURITY PLAN (SSP) HIGH BASELINE TEMPLATECSP Name Information System NameVersion #.#, DateIn Section 13, the National Institute of Standards and Technology (NIST) term "organization defined"must be interpreted as being the CSP's responsibility unless otherwise indicated. In some cases, the JABhas chosen to define or provide parameters, in others they have left the decision up to the CSP.Delete this instruction from your final version of this document. ivControlled Unclassified Information

FEDRAMP SYSTEM SECURITY PLAN (SSP) HIGH BASELINE TEMPLATECSP Name Information System NameVersion #.#, DateTABLE OF CONTENTS1.INFORMATION SYSTEM NAME/TITLE. 12.INFORMATION SYSTEM CATEGORIZATION. 12.1.Information Types. 12.2.Security Objectives Categorization (FIPS 199). 32.3.Digital Identity Determination.33.INFORMATION SYSTEM OWNER. 34.AUTHORIZING OFFICIALS. 45.OTHER DESIGNATED CONTACTS.46.ASSIGNMENT OF SECURITY RESPONSIBILITY.57.INFORMATION SYSTEM OPERATIONAL STATUS. 68.INFORMATION SYSTEM TYPE. 68.1.Cloud Service Models. 68.2.Cloud Deployment Models. 78.3.Leveraged Authorizations. 89.GENERAL SYSTEM DESCRIPTION. 89.1.System Function or Purpose. 89.2.Information System Components and Boundaries.99.3.Types of Users.99.4.Network Architecture.1110. SYSTEM ENVIRONMENT AND INVENTORY. 1210.1.Data Flow. 1210.2.Ports, Protocols and Services.1511. SYSTEM INTERCONNECTIONS.1612. LAWS, REGULATIONS, STANDARDS AND GUIDANCE.1712.1.Applicable Laws and Regulations. 1712.2.Applicable Standards and Guidance.1713. MINIMUM SECURITY CONTROLS. 1813.1.Access Control (AC).24AC-1 Access Control Policy and Procedures Requirements (H). 24AC-2 Account Management (H).25AC-2 (1) Control Enhancement (M) (H). 27AC-2 (2) Control Enhancement (H). 28AC-2 (3) Control Enhancement (H). 28AC-2 (4) Control Enhancement (H). 29AC-2 (5) Control Enhancement (H). 30AC-2 (7) Control Enhancement (H). 31AC-2 (9) Control Enhancement (H). 32AC-2 (10) Control Enhancement (M) (H). 32AC-2 (11) Control Enhancement (H). 33AC-2 (12) Control Enhancement (H). 33 vControlled Unclassified Information

FEDRAMP SYSTEM SECURITY PLAN (SSP) HIGH BASELINE TEMPLATECSP Name Information System NameVersion #.#, DateAC-2 (13) Control Enhancement (H). 34AC-3 Access Enforcement (L) (M) (H). 34AC-4 Information Flow Enforcement (M) (H).35AC-4 (8) Control Enhancement (H). 36AC-4 (21) Control Enhancement (M) (H). 36AC-5 Separation of Duties (M) (H). 37AC-6 Least Privilege (M) (H).37AC-6 (1) Control Enhancement (H). 37AC-6 (2) Control Enhancement (M) (H). 38AC-6 (3) Control Enhancement (H). 39AC 6 (5) Control Enhancement (M) (H).40AC-6 (7) Control Enhancement (H). 40AC-6 (8) Control Enhancement (H). 41AC-6 (9) Control Enhancement (M) (H). 42AC-6 (10) Control Enhancement (M) (H). 43AC-7 Unsuccessful Login Attempts (H). 44AC-7 (2) Control Enhancement (H). 45AC-8 System Use Notification (L) (M) (H). 45AC-10 Concurrent Session Control (M) (H).48AC-11 Session Lock (M) (H).49AC-11 (1) Control Enhancement (M) (H). 50AC-12 Session Termination (M) (H). 50AC-12 (1) Control Enhancement (H). 51AC-14 Permitted Actions without Identification or Authentication (L) (M) (H). 52AC-17 Remote Access (L) (M) (H).53AC-17 (1) Control Enhancement (M) (H). 54AC-17 (2) Control Enhancement (M) (H). 54AC-17 (3) Control Enhancement (M) (H). 55AC-17 (4) Control Enhancement (M) (H). 56AC-17 (9) Control Enhancement (M) (H). 57AC-18 Wireless Access Restrictions (L) (M) (H). 57AC-18 (1) Control Enhancement (M) (H). 58AC-18 (3) Control Enhancement (H). 59AC-18 (4) Control Enhancement (H). 60AC-18 (5) Control Enhancement (H). 60AC-19 Access Control for Portable and Mobile Systems (L) (M) (H).61AC-19 (5) Control Enhancement (M) (H). 62AC-20 Use of External Information Systems (L) (M) (H).63AC-20 (1) Control Enhancement (M) (H). 63AC-20 (2) Control Enhancement (M) (H). 64AC-21 Information Sharing (M) (H).65AC-22 Publicly Accessible Content (L) (M) (H).6613.2.Awareness and Training (AT). 66AT-1 Security Awareness and Training Policy and Procedures (H). 66AT-2 Security Awareness (L) (M) (H).67AT-2 (2) Control Enhancement (M) (H). 68AT-3 Role-Based Security Training (L) (M) (H).69AT-3 (3) Control Enhancement (H). 70 viControlled Unclassified Information