Creating a System Security Plan (SSP) is an essential step toward achieving CMMC compliance. That’s why in today’s post, we provide a detailed overview of SSPs, from a basic definition to what an SSP template looks like.
System Security Plan (SSP): A Basic Definition
A System Security Plan (or SSP) is a formal document that provides an overview of the security requirements for a system and describes the security measures for meeting those requirements.
This type of plan can include both planned measures and measures already in place. However, you must make sure to specify which is the case for each security control.
An SSP can also contain other sections, such as supporting appendices, as well as other security-related documents such as:
- Risk assessment
- Privacy impact assessment
- System interconnection agreements
- Security configurations
- Configuration management plan
- Incident response plan
- Other supporting security documents
SSPs and CMMC
The CMMC practice CA.L2-3.12.4, “System Security Plan,” requires defense contractors and subcontractors to “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
Note that this is a CMMC Level 2 practice, which means that you need to fulfill this requirement if you aim to achieve CMMC Level 2 certification or higher.
During a CMMC assessment, an assessor will use different methods (such as interviews, examinations, and tests) to determine if:
- A system security plan is developed.
- The system boundary is described and documented in the system security plan.
- The system environment of operation is described and documented in the system security plan.
- The security requirements identified and approved by the designated authority as non-applicable are identified.
- The method of security requirement implementation is described and documented in the system security plan.
- The relationship with or connection to other systems is described and documented in the system security plan.
- The frequency to update the system security plan is defined.
- The system security plan is updated with the defined frequency.
As you can see, under CMMC, a System Security Plan is not a static document. You are expected to update it regularly to reflect any relevant or important changes.
What Information To Include in a System Security Plan?
The purpose of a System Security Plan (SSP) is to outline how your organization implements its security requirements. At a minimum, an SSP must include:
- Description of the CMMC Assessment Scope: high-level description of the assets within the assessment scope.
- Description of the Environment of Operation: physical surroundings in which an information system processes, stores, and transmits information.
- Identified and Approved Security Requirements: requirements levied on an information system that are derived from applicable laws, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
- Implementation Method for Security Requirements: description of how the identified and approved security requirements are implemented within the system or environment.
- Connections and Relationships to Other Systems and Networks: description of related, dependent, and interconnected systems.
- Defined Frequency of Updates: typically, at least annually.
In addition to the above, a System Security Plan often includes:
- System description: technical and functional description.
- Design philosophies: defense-in-depth strategies and allowed interfaces and network protocols.
- Roles and responsibilities: description of the roles and responsibilities of key personnel; this may include the system owner, system custodian, authorizing officials, and other stakeholders.
Like plans of action, system security plans are key to your information security programs. Your organization can choose to document these two types of plans as separate or combined documents and in any chosen format.
According to the National Institute of Standards and Technology (NIST), “There is no prescribed format or specified level of detail for system security plans.” NIST does, however, provide an SSP template that you can use as a reference when writing your own.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063