OP
Approvedv4.1-approvedssp-payments-pci

Cardholder data environment · Payments cell

System boundary: CDE segmentation · tokenization bridge

Owner · Enterprise Risk · Updated Mar 22, 2026, 9:00 AM

SSP completeness

Section-level readiness against publication gate — illustrative weighting.

Portfolio average

65%

  • Exec summary90%
  • Site85%
  • Assets72%
  • Threats68%
  • Controls80%
  • Incidents65%
  • Recovery55%
  • Vendors60%
  • Compliance70%
  • Evidence45%
  • Review30%

Governance linkages

Assessments and playbooks referenced for site readiness posture and response choreography.

Linked assessment

RA-2025-011

Payments Processing Cell — readiness assessment

Complete
Updated Apr 28, 2026Tier · Moderate
Open in assessments →

Linked assessment

RA-2025-009

Regional distribution center — physical readiness baseline

Draft
Updated Apr 19, 2026Tier pending
Open in assessments →

Linked playbook

pb-ops-disruption-bridge

Operations disruption response bridge

Campus-level continuity event

Ready
Open playbooks workspace →

Linked playbook

pb-vendor-continuity

Critical vendor continuity disruption

Tier-1 facilities services vendor

Exercise
Open playbooks workspace →

Stakeholder-facing posture statement and scope boundaries.

Executive Summary

Section readiness90%Scaffold

Stakeholder-facing posture statement and scope boundaries. Narrative drafting, structured fields, and diagram slots populate this segment once authoring services connect.

Evidence locker

Evidence locker · Exec summary

Placeholder binders

Drag-and-drop staging, CMDB references, and reviewer comments surface here.

Facility footprint, mission alignment, and organizational context.

Site Overview

Section readiness85%Scaffold

Facility footprint, mission alignment, and organizational context. Narrative drafting, structured fields, and diagram slots populate this segment once authoring services connect.

Evidence locker

Evidence locker · Site

Placeholder binders

Drag-and-drop staging, CMDB references, and reviewer comments surface here.

Mission-critical spaces, services, and dependency registry for the site.

Critical Assets

Section readiness72%Scaffold

Mission-critical spaces, services, and dependency registry for the site. Narrative drafting, structured fields, and diagram slots populate this segment once authoring services connect.

Evidence locker

Evidence pointers · Assets

Placeholder binders
  • ev-022 · Critical asset inventory extract

Operational and physical risk themes, regional context, and site-relevant historical signals.

Threat Landscape

Section readiness68%Scaffold

Operational and physical risk themes, regional context, and site-relevant historical signals. Narrative drafting, structured fields, and diagram slots populate this segment once authoring services connect.

Evidence locker

Evidence locker · Threats

Placeholder binders

Drag-and-drop staging, CMDB references, and reviewer comments surface here.

Preventive, detective, and corrective measures mapped to architecture.

Security Controls

Section readiness80%Scaffold

Control narratives synchronize with the mapping matrix below; inheritance from shared services is flagged when catalog wiring lands.

Control mapping matrix

Obligation traceability — authoritative frameworks attach via catalog integration.

ControlCoverage
PL-02
Perimeter & lobby monitoring program
NIST SP 800-171 · 3.1.12
Partial
AC-03
Physical access provisioning & badging
FedRAMP Moderate · AC-3
Full
IR-04
Incident assessment & declaration criteria
ISO 27001:2022 · A.5.26
Planned
CP-10
Alternate processing for continuity
HIPAA · §164.308(a)(7)
Gap

Escalation paths and coordination loops with security, facilities, and crisis partners.

Incident Procedures

Section readiness65%Scaffold

Cross-links to operational playbooks tighten escalation handoffs and regulator notifications; tabletop attestations attach as evidence.

Linked playbook

pb-ops-disruption-bridge

Operations disruption response bridge

Campus-level continuity event

Ready
Open playbooks workspace →

Linked playbook

pb-vendor-continuity

Critical vendor continuity disruption

Tier-1 facilities services vendor

Exercise
Open playbooks workspace →

Continuity, restoration priorities, and alternate processing paths.

Recovery Procedures

Section readiness55%Scaffold

Continuity, restoration priorities, and alternate processing paths. Narrative drafting, structured fields, and diagram slots populate this segment once authoring services connect.

Evidence locker

Evidence locker · Recovery

Placeholder binders

Drag-and-drop staging, CMDB references, and reviewer comments surface here.

Third-party concentration, assurance artifacts, and exit strategies.

Vendor Dependencies

Section readiness60%Scaffold

Third-party concentration, assurance artifacts, and exit strategies. Narrative drafting, structured fields, and diagram slots populate this segment once authoring services connect.

Evidence locker

Evidence locker · Vendors

Placeholder binders

Drag-and-drop staging, CMDB references, and reviewer comments surface here.

Framework obligations traceable to controls and evidence artifacts.

Compliance Mapping

Section readiness70%Scaffold

Obligation coverage aggregates across frameworks; downstream reconcilers resolve conflicts when authoritative catalogs attach.

Evidence locker

Framework delta inbox

Placeholder binders

Import NIST 800-53 rev deltas, CIS benchmarks, or contractual exhibit mappings — ingestion pipeline stubbed.

Attestable artifacts, retention posture, and auditor retrieval hooks.

Evidence Attachments

Section readiness45%Scaffold

Evidence locker

Artifacts staged for auditor retrieval

Checksum lineage, classification labels, and reviewer attestations render once repositories connect.

Placeholder binders

  • Campus perimeter diagram — Rev K

    ev-001

    DiagramMay 1, 2026

  • Annual physical security assessment summary

    ev-014

    AttestationApr 12, 2026

  • Critical asset inventory extract

    ev-022

    PolicyApr 30, 2026
Retention policy hooks · controlled unclassified information (CUI) gates — placeholder.

Reviewer lineage, sign-off packets, and publication gates.

Review & Approval

Section readiness30%Scaffold

Review workflow

Governance checkpoints — routing rules attach when workflow engine lands.

  1. Intake4/1/2026, 12:00:00 PM

    Scope charter accepted

    Compliance program office

    Boundary narrative locked for authoring sprint.

  2. Authoring4/18/2026, 4:45:00 PM

    Controls narrative drafted

    Platform Security

  3. Peer review5/2/2026, 9:10:00 AM

    Peer review cycle opened

    Security Architecture

    Awaiting evidence reconciliation on IR-04 linkage.

Evidence locker

Approver roster & routing rules

Placeholder binders

Digital signatures, segregation-of-duty matrices, and publishing gates configure here.

Executive sign-off packet · preview locked (mock)
← SSP portfolio

Workspace shell — persistence, collaborative cursors, and version branching ship with backend integration.