Which document is used to document the System Security Plan?


Multiple Choice

Which document is used to document the System Security Plan?

Explanation:

The document that captures how a system’s security requirements are actually put in place is the System Security Plan. This plan is the formal record that explains which security controls have been selected for the system, how those controls are implemented, and how they are managed day-to-day. It describes the system boundary, the roles and responsibilities for security, the environment in which the system operates, and how the controls map to policy and regulatory requirements. It also covers implementation status, any deviations, residual risk, and the plan for continuous monitoring. In federal security practices, the System Security Plan is the primary document used to show that the system meets its security requirements and to support authorization to operate.

The other documents serve different purposes and don’t document how security controls are implemented in a system. An Incident Response Plan outlines how to detect, respond to, and recover from security incidents. A Continuity Plan focuses on maintaining or restoring business operations during and after disruptions. A Risk Assessment identifies threats, vulnerabilities, and risks, but it does not detail the specific control implementations within the system or how they are operated on a daily basis.
