Standing man looking at iPad

Components of an Effective System Security Plan

As your organization works to improve its security posture, a system security plan (SSP) is a good tool to help you achieve your objectives. Not only that, an SSP is required for organizations that handle controlled unclassified information (CUI) and are subject to the DFARS clause 252.204-7012, which requires compliance with the NIST 800-171 cybersecurity framework.


What is an SSP?

The SSP is a crucial document that serves as a guide for implementing and maintaining effective security controls and helps organizations identify and address security risks. It’s worth noting that the SSP is not only written from the perspective of what exists in your environment today, but as a roadmap for your organization’s future security posture to ensure that your company meets its compliance goals.

The NIST 800-171 framework provides a set of security requirements that organizations must implement to protect CUI. The SSP is a key component of the NIST 800-171 compliance process and provides a comprehensive overview of your organization’s cybersecurity program.

According to NIST 800-171A and the CMMC 2.0 Assessment Guide, the following control objectives must be addressed to have a fully defined SSP. CMMC Practice CA.L2-3.12.4 specifies that all of the following be done.

  • A system security plan is developed.
  • The system boundary is described and documented in the system security plan.
  • The system environment of operation is described and documented in the system security plan.
  • The security requirements identified and approved by the designated authority as non-applicable are identified.
  • The method of security requirement implementation is described and documented in the system security plan.
  • The relationship with or connection to other systems is described and documented in the system security plan.
  • The frequency to update the system security plan is defined.
  • System security plan is updated with the defined frequency.

To further guide your efforts, we recommend that a well-developed SSP typically includes the following sections:

  1. Provide an overview of your organization’s information systems and the types of CUI that they handle.
  2. Describe the types of users and their responsibility and functions.
  3. System boundary: Define the system’s boundaries and identify the hardware, software, and network components included in the system.
  4. System environment: Describe the physical and logical environment in which the system operates, including any external connections or interfaces.
  5. System interconnections: Identify any external systems or networks that are connected to the system and describe the security controls in place to protect those connections.
  6. System security control requirements: Outline the security requirements that are applicable to the system based on the NIST 800-171 framework and describe the specific security controls that have been implemented to meet the security requirements.
  7. Additional documentation: Provide any relevant system documentation, including security policies, procedures, and training materials, as well as their location.


What does that all mean?

The SSP itself states what your system is and identifies your authorization boundary, which outlines the box that CUI flows within. As part of your system environment, you also need to specify interconnections. Do you have any collaboration outside business development, or any ERPs or HR systems that reach out? Do you collaborate with any government contracting software? All of those external connection points need to be addressed.

In terms of your implementation, perhaps your goal is to meet the requirements of the NIST 800-171 controls, or you might even have your sights set higher. When you go through an assessment and provide your SSP to the government, the requesting entity can quickly determine whether your company has a strong security posture or not. Moving forward, it’s possible that the government will start asking companies for their SSPs to determine security maturity and award contracts based on that metric.


If you have any questions about how to get started building your SSP, contact the experts at CyberSheath. We have the knowledge and expertise to help your company become more secure and as you work to meet the requirements of NIST 800-171.

Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyberthreats.
This is default text for notification bar