System Security Plan — Lab-RD-Proto-042 (Draft)
Organization: SD Panthers Research Lab
Classification: UNCLASSIFIED — R&D Sandbox

1. INTRODUCTION
1.2 Security Planning (PL-2)
Rules of behavior are maintained by the program office. A signed sample is referenced but not attached to this package.

3. ACCESS CONTROL
3.2 Account Management (AC-2)
The system implements an approval workflow for account creation. Privileged accounts require manager approval.
SSP Section 3.2, Paragraph 4: Account provisioning follows the lab standard operating procedure.

3.4 Access Enforcement (AC-3)
Access enforcement is implemented via role-based access control. A role matrix is referenced in the narrative.
SSP Section 3.4, Paragraph 5: Application roles map to LDAP groups.

4. AUDIT AND ACCOUNTABILITY
4.1 Audit Generation (AU-12)
Audit records are forwarded to the enterprise SIEM. AU-12 is satisfied via centralized logging.
SSP Section 4.1, Paragraph 4: SIEM integration is configured for the application tier.

5. CONFIGURATION MANAGEMENT
5.2 Baseline Configuration (CM-2)
The authorized baseline is documented as baseline v1.2 in this SSP.
Architecture document section 7 cites baseline v1.4 for the database tier.

6. IDENTIFICATION AND AUTHENTICATION
6.3 Authenticator Management (IA-5)
Authenticator management is inherited from the parent organization SSP. Parent controls apply to all lab systems.
SSP Section 6.3, Paragraph 2: Inherited from Enterprise IdP — scope diagram not included.

7. INCIDENT RESPONSE
7.2 Incident Handling (IR-4)
The incident handling plan dated 2019 remains in effect. IR-4 procedures are documented in the IR plan.
SSP Section 7.2, Paragraph 1: Plan location cited; no exercise record attached.

8. SYSTEM AND COMMUNICATIONS PROTECTION
8.4 Cryptographic Protection (SC-13)
The database tier uses FIPS 140 validated cryptographic modules.
SSP Section 8.4, Paragraph 2: Module validation certificates not attached.

9. SYSTEM ARCHITECTURE
The system architecture includes an application tier and database tier. Security boundaries are defined between DMZ and internal zones.
Network diagram included. Control inheritance is documented for shared services.

10. PERSONNEL SECURITY
10.1 Personnel Screening (PS-3)
Personnel screening is inherited from the parent HR system.
SSP Section 10.1, Paragraph 1: Inheritance claim without MOU.

DATABASE TIER NOTE
The database layer hosts PostgreSQL for analytics workloads. Configuration settings for the database tier are described qualitatively; CM-6 is not explicitly documented for this tier.