What is the SSP Mentioned in the CMMC Proposed Rule?

If you are a defense contractor working towards compliance with NIST 800-171, you probably have seen the acronym SSP.  What is an SSP? What does SSP even stand for? How does the SSP relate to your upcoming NIST SP 800-171 assessment? Let’s clarify this acronym for you.

SSP stands for System Security Plan. A good SSP acts as the blueprint for implementing, monitoring, and improving the security controls of an information system.

In this post, we’ll take an in-depth look at what exactly a System Security Plan is and how it relates to CMMC 2.0.

What is a System Security Plan (SSP)?

A System Security Plan (SSP) is a comprehensive document that outlines the security requirements of a specific IT system for an organization. It describes the implementation of all security controls, along with how they ensure the safety of the system and the information contained within it.

An SSP should document how controls are applied, how they are managed, and any associated policies or procedures. It should include an overview of the information system's security requirements, as well as a robust assessment of risk management activities. Specific details on the system hardware and software, data flows, interconnections with other systems, and any third-party services are also necessary inclusions.

Why is an SSP Important?

First and foremost, developing an SSP is important because for defense contractors handling Controlled Unclassified Information (CUI), it is mandated. The proposed CMMC 2.0 rule notes:

“DoD currently requires covered defense contractors and subcontractors to implement the security protections set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status, including any plans of action for any NIST SP 800-171 Rev 2 requirement not yet implemented, in a System Security Plan (SSP). The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required.”

An SSP can also assist in identifying and managing security risks effectively. By conducting a thorough examination of security controls, potential threats, and vulnerabilities, an organization can prioritize its efforts and resources in a way that maximizes its security posture.

What Should Be in Your SSP?

According to NIST SP 800-171r2, your system security plan should include: “the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.”

One of the big takeaways here is that your system security plan must be documented. Creating methodologies to meet NIST controls is one accomplishment, but without documentation it will not help you pass your assessment. The Smithers NIST SP 800-171 assessment checklist can help you with this step.

Creating a system security plan requires a lot of time and effort. This is a good example of where a consultant (not your certified third-party assessor) can help you work through the steps of creating and documenting your compliance plan.

Do you have more questions about NIST SP 800-171 assessments and system security plans? Contact us today. We are happy to help.
