A system security plan (SSP) describes an organization’s “information system”: its structure, stakeholders, system components, its security requirements, and how the organization has implemented its cybersecurity requirements. Companies with a Cybersecurity Maturity Model Certification (CMMC) requirement of level three or higher will need to create a system security plan. Companies with level one and two requirements are not required to have one (as of this writing), but it is still a good idea to create one.
How to Develop a System Security Plan (SSP)
The first step is to get all the relevant stakeholders together to discuss the task. Bring together people from executive management, IT, security, and contract compliance. Work together to scope out your information system. This includes determining the type of information it processes (e.g., CUI and/or FCI), which systems are used to support DoD contracts, and what business processes your information system supports. Determine which cybersecurity requirements apply to your system (e.g., CMMC level three). Then conduct a gap analysis or assessment to determine which cybersecurity requirements your company has implemented and which ones are missing. Document the implementation of your cybersecurity requirements in the system security plan, and document how you plan to implement the absent requirements. Reach out to relevant stakeholders throughout the development of your SSP. Going forward, update your SSP to reflect changes to your security requirements and information system.
What is in a System Security Plan (SSP)?
A name for your information system (e.g., ACME Corp’s Information System).
An information system categorization (e.g., Moderate, because the organization processes CUI).
Important stakeholders (e.g., system owner, information owner, system security officer).
A general description of the information system (e.g., what kind of information it processes and what kinds of business processes it supports).
A general description of the information processed by the information system (e.g., it processes CUI).
A description of the system environment (e.g., a network topology diagram and a narrative explaining it).
A list of the hardware and software used in your information system.
Any system interconnections you may have. This includes listing other systems with access to your system and any access your system has to other systems.
A list of your cybersecurity requirements (e.g., your CMMC level 3 practices).
For each cybersecurity requirement listed, specify whether it has been implemented or not.
For each cybersecurity requirement listed, specify how you implemented it, or how you plan to.
A simple table to record changes to your SSP is also useful.