How to Get Started on Your SSP and POA&M

As your organization works toward achieving CMMC compliance, creating your System Security Plan (SSP) and Plan of Action and Milestones (POA&M), are critical steps in the process. The documents both provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

Find the right SSP for your organization

Your SSP will outline how your organization approaches cybersecurity. It is your opportunity to narrate your security controls including discussing your environment and how you meet the intent of your controls. Before you begin drafting your plan, you need to determine which approach to take. Select one of the below to get started.

Organizational plan – Sometimes called an enterprise system security plan, these plans represent a system security approach across an organization defining a standard cross-organization adoption of control requirements. Organizational plans work well for less complex organizations where all technology can be represented in a single document.
System focused plan – This approach concentrates on security through the lens of a particular system, IT service, or enclave, and fully documents control implementation details from the perspective of a specific system only.
Hybrid plan – This plan is between an organizational system security plan and a single system or enclave system security plan. It takes the idea of standardization from the organizational plan, but documents your deviations from your overarching standard in addendums or appendices.
Shared compliance – This is a type of hybrid plan that documents the accountability of control implementation that lies with a service provider. The organization should ensure, contractually or through verification, that inherited controls are in place at the service provider and that they are applicable to the systems and/or services in scope for system security planning.

SSP document structure

Regardless of the type of plan you proceed with, here is guidance on how to structure your SSP. Include the following report elements.

System information – In this section it is important to include ownership and accountability for each system you are documenting, as well as a systems environment description, data flows and interconnections, users and roles, and hardware and software components.
Control narratives – For each control, note the status, which should be compliant, partially compliant, not compliant, not applicable, or inherited, and provide a narrative about the status. Also include discourse on the control implementation. This is your opportunity to discuss a control requirement. For every control where you are partially compliant or not compliant, provide a summary of planned actions to get you to compliance and direct readers to your POA&M.
Other considerations – There are other types of information that can be helpful to include in your SSP including:
- Diagrams and visual representations to illustrate what your system is and how it works.
- Assessment guide and supplemental guidance to assist your narratives and show what you need to achieve and how you will meet your objectives.
- Expected or maintained evidence and artifacts to demonstrate how you will or are implementing the controls.
- Maturity references including policies, practices, and plans to tie the pieces together and make it easier for a certifier to track down those pieces of evidence that confirm your controls are not newly implemented.
- CUI authorizations to show the flow of CUI in your environment. This should talk to where CUI should exist, where it is stored, how it should be accessed, and how it flows.

Take the steps to compliance with a POA&M

A POA&M is a corrective action tracking mechanism. Here are the key components to have as you develop your own POA&M to assist with your CMMC compliance efforts.

Corrective actions list in the form of actionable tasks – What are the actions that you need to take to implement each control?
Milestones and timeline to achieve compliance – When do you plan to have each action completed? Include interim completion dates.
Ownership and resourcing of tasks – Who is responsible for managing and completing each action?
Prioritization – What is the compliance impact, estimated cost, and risk of each?
Weaknesses or deficiency – How was the weakness that requires this action identified?
Control mapping – Which control does this action correspond to and address?
Status – What is the status? Is this action ongoing or completed?

POA&M process and workflow tips

Start with a template and your assessment data as input. Select your template and aggregate all the information you uncovered in your internal assessment, external assessment, or audit. These will be your two inputs to leverage in building your plan of action and milestones.

Convert assessment recommendations to actionable tasks. Sometimes assessment-speak is at a high level. Make sure you are breaking down each requirement into steps that make sense. Include the necessary detail to address the steps your organization needs to take to bring you into a compliant state.

Populate your POA&M and follow your planned timeline. Note any changes to your targeted dates and make sure that you’re actively using this plan to help you achieve compliance.

Maintain your POA&M as you close out your tasks. Once you complete a task, move the status to complete. If you appropriately maintain your POA&M, it is easy to track your progress and note your outstanding items. It also establishes an audit trail of tasks that you are closing out.

SSP and POA&M Resources

The documents listed below are useful as you build your own SSP and POA&M.

If you have questions about how your organization can craft its SSP and POA&M, contact the experts at CyberSheath. We have helped clients assess and document their cybersecurity state, implement controls, and achieve and maintain compliance. Get started today.