system hardening using DISA STIGS

How to Create a System Security Plan (SSP)

In short, a system security plan lists an organization’s cybersecurity requirements and explains how it meets them. We will go into more detail below.

Join our newsletter:

What is a System Security Plan (SSP) Used For?

A system security plan describes an organization’s “information system”, its structure, stakeholders, system components, its security requirements, and how an organization has implemented its cybersecurity requirements. Companies with a cybersecurity maturity model certification (CMMC) requirement of level three or higher will need to create a system security plan. Companies with level one and two requirements are not required to have one (as of this writing) but it is still a good idea to create one.

How to Develop a System Security Plan (SSP)

The first step is to get all the relevant stakeholders together to discuss the task. Bring together folks from executive management, IT, security, and contract compliance. Work together to scope out your information system. This includes determining the type of information it processes (e.g., CUI and or FCI), which systems are used to support DoD contracts, and what business processes your information system supports. Determine what cybersecurity requirements apply to your system (e.g., CMMC level three). Then conduct a gap analysis or assessment to determine which cybersecurity requirements your company has implemented and which ones are missing. Document the implementation of your cybersecurity requirements in the system security plan and document how you plan to implement the absent requirements. Reach out to relevant stakeholders throughout the development of your SSP. Going forward update your SSP to reflect changes to your security requirements and information system.
SSP Inputs

What is in a System Security Plan (SSP)?

  • A name for your information system (e.g., ACME Corp’s Information System)
  • Information System Categorization (e.g., Moderate because the organization processes CUI)
  • Important stakeholder (e.g., system owner, information owner, system security officer)
  • A general description of the information system (e.g. what kind of information does it process, what kinds of business processes does it support)
  • A general description of the information processed by the information system (e.g., it processes CUI)
  • A description of the system environment (e.g. a network topology and narration to explain it.)
  • A list of hardware and software used in your information system.
  • Any system interconnections you may have. This includes listing other systems with access to your system and any access your system has to other systems.
  • A list of your cybersecurity requirements (e.g. your level 3 CMMC practices)
  • For each cybersecurity requirement listed, specify if it has been implemented or not.
  • For each cybersecurity requirement listed, specify how you implemented it, or plan to.
  • A simple table to record changes to your SSP is also useful.

System Security Plan (SSP) Templates

NIST SP 800-18 R1 includes a system security plan template.
NIST also has an SSP template from the NIST SP 800-171 days. It is still relevant but will need some modification to better reflect the new CMMC requirements.


If you have any questions about system security plans feel free to reach out to us at info[@]

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.