Tips: Meeting DSRIP Requirements (System Security Plans – Documenting Controls)

As part of DOH’s Data Exchange Application and Agreement (DEAA) data sharing agreements, business partners who desire access to DOH provided Medicaid data are required to compete System Security Plans (SSPs) that document which controls have been implemented and how for all systems that are used to house and process the DOH provided Medicaid Data.

The NYS DOH SSP requirement is based on the set of NIST 800-53 recommended security controls for government information systems at the moderate level with enhancements that are necessary to comply with NYS Policies and Standards (aka Moderate Plus).

One of the most important and difficult to grasp aspects of completing an SSP is how to properly write a Security Control.

There are four basic questions to address for each element of each security control requirement:

  1. What is the solution? The solution can be a device, document, process, or plan. It must be clearly stated as the object that governs the implementation of the security control at hand.
  2. Who is responsible? Although the Security Officer may be responsible for the oversight of system security measures, a system-specific role will need to be identified as the manager, operator, or implementer of control-relevant security measures.
  3. When is the solution implemented/reassessed? Control solutions may be initiated once and continually monitored or they may require continual implementation (as is the case with revisions or updates) or a combination of the two. The timing of the solution implementation should be addressed for each requirement.
  4. How does the solution satisfy the control or requirement? The solution being discussed must be directly correlated to the presented requirements. It must be clear how the system uses the discussed solution to satisfy the security requirements. Although the same solution may satisfy multiple requirements, it will be required to state how the solution provides the capabilities to satisfy each requirement.

A few other tips when determining control requirements:

“The organization” Indicates a policy, process, or procedure
“The information system” Indicates a technical implementation
“The organization ensures/enforces/etc.” Indicates both policy/process/procedure and technical implementation
Access: remote, local, network Remote: Off-site
Local: Physically present, keyboard/terminal attached
Network: On-site and over a network (e.g. SSH)
External v. Internal systems/connections/etc. External systems are not under the jurisdiction of the Organization. Other systems may be external, but are governed by an MOU/MOA/ISA.


Aspiryon provides DSRIP assessments and consulting for PPS entities and partner service provider organizations.