Today's rapidly changing technical environment requires federal agencies to adopt a minimum set of management controls to protect their information technology (IT) resources. These management controls are directed at individual information technology users in order to reflect the distributed nature of today's technology. Technical and operational controls support management controls. To be effective, all of these controls must interrelate. This document provides a guideline for federal agencies to follow when developing the security plans that document the management, technical, and operational controls for federal automated information systems. The purpose of a security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.
NIST Special Publication 800-18