It begins by defining the system’s boundary and the sensitivity of the data it handles.
If the SSP is the plan, the is the audit. The RAR evaluates the effectiveness of the controls listed in the SSP against actual threats. It identifies vulnerabilities, assesses the likelihood of exploitation, and determines the potential impact on the mission. Ssp rar
It establishes the "who, what, and how" of system access, ensuring that technical defenses are supported by organizational policy. The RAR: The Mirror of Reality It begins by defining the system’s boundary and
The RAR is a living document. As new threats emerge, the RAR must be updated to reflect how the system's risk posture has changed. The Synergy of Compliance As new threats emerge, the RAR must be
While they are often grouped together in job descriptions and compliance checklists, they represent two distinct halves of a critical security dialogue: and reality . The SSP: The Blueprint of Intent
The relationship between the SSP and RAR is cyclical. A finding in the RAR often necessitates a change in the SSP—either by implementing a new control or modifying an existing one to mitigate a newly discovered risk.
System Security Plan (SSP) and/or Information Security (IS) Risk ... - CMS
