A System Security Plan (SSP) is an active document outlining how each objective of NIST 800-171 is met within your organization and what technologies, policies, and processes are in place to implement these requirements. The SSP is a fundamental and required document for contractors pursuing CMMC compliance and without it, certification is impossible. This blog will outline what an SSP is, what it consists of, and how it is created.
What is an SSP for CMMC compliance?
Your SSP is the living, dynamic, and comprehensive document that proves your organization is complying with NIST 800-171 requirements. An SSP is specifically designed to explain your organization's handling of controlled unclassified information (CUI). You can think of it as a blueprint, showing your third-party auditor where CUI exists in your business and what policies are in place to protect it. The SSP also defines the personnel responsible for handling and securing CUI. An SSP is an integral part of the CMMC process, as this document is what C3PAOs will examine to determine whether or not a contractor has earned their certification. Under CMMC, it's not enough to simply "check all the boxes"; you must also have proof.
Is an SSP mandatory?
Yes. NIST 800-171 explicitly states that organizations must "develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationship with or connections to other systems." Additionally, many C3PAOs will deem an organization "not ready for assessment" if they do not have an up-to-date or sufficiently detailed SSP.
Several regulatory clauses require an SSP, including:
What is Included in an SSP?
Your SSP will be a substantially large document, as it must cover each of the 320 assessment objectives in detail. An SSP must include your organization's scope: where CUI is present within your organization. This includes which people, devices, and applications are able to store, process, or transmit CUI.
Your SSP should address:
- Which servers and workstations have access to CUI
- Whether any cloud service providers (CSPs) or third-party organizations may access CUI
- How CUI enters and exits your environment
- A description of how each NIST 800-171 requirement is being addressed
- Any shared responsibility matrices (SRMs) for MSPs or CSPs
- Roles and responsibilities
How to Create an SSP
Creating your SSP is an essential step in achieving CMMC compliance. This means it is crucial that your organization does it correctly and provides your C3PAO with a comprehensive and accurate representation of your compliance posture.
How should your organization go about creating its SSP?
Identify Your Scope
Creating an accurate SSP is impossible without an accurate scope of how CUI is handled within your organization. You will need to develop key artifacts, including a Data Flow Diagram that maps how CUI enters your environment, where it is allowed to travel, how it is stored, and how it exits your system. Your scope must include servers, workstations, applications, personnel, external service providers, security protection assets, and any other entity that may have access to CUI. Your CUI boundary will give you an outline of what must be included within your SSP.
Conduct a Gap Assessment
An assessment of your organization's current security and compliance posture is necessary to determine what work needs to be done to achieve CMMC compliance. Assess your organization against each of the 320 assessment objectives required by NIST 800-171 to determine where your gaps are and which controls you already have covered. CorpInfoTech offers CMMC gap assessments to determine your scope, find where your gaps are, and deliver a POAM addressing how we plan to remediate them.
Remediate POAMs
In order to pass a CMMC third-party audit, you will need a score of 110. Using the internal POAM from your gap assessment, ensure that your organization has covered each of the 320 assessment objectives listed in NIST 800-171. Because CorpInfoTech is a CMMC L2 certified MSP, we are able to flow down 200+ of the 320 controls to our clients.
Map to NIST 800-171
Once you've determined that you are compliant with NIST 800-171 requirements, you will need to document how all 110 controls (in addition to the 320 objectives) are implemented. Your SSP should include a description of what technology or policy was implemented, which controls it applies to, and who is responsible for the action.
FAQs about SSPs
How long should my SSP be?
There is no required length for an SSP; however, it should be comprehensive and detailed. An average SSP will consist of approximately 100-200 pages.
How often should you update your SSP?
Your SSP is a living document. It should be reviewed and updated frequently to accurately reflect your organization's compliance posture. If your business updates a process, adds a new user, or implements a new tool, your SSP must be reviewed and updated if necessary.
Am I required to have an SSP?
Yes. In order to comply with CMMC level 2 your organization must have an SSP.
CorpInfoTech, a CMMC Compliant MSP
CorpInfoTech is a CMMC level 2 certified MSP that offers IT, cybersecurity, and compliance solutions to SMBs. Through TAS for CMMC Compliance, we are able to flow down 200+ of the 320 required objectives under CMMC. This makes achieving compliance efficient, cost-effective, and flexible to your business needs. Through our 4 certified SRMs, we are able to provide fully or co-managed services for on-prem, enclave, and hybrid environments.
CorpInfoTech eliminates the uncertainty of CMMC and helps make it simple for your organization!
Key Takeaways
- An SSP is a living document that outlines how your organization is implementing the requirements of NIST 800-171
- An SSP is required for CMMC level 2 compliance and other defense-related clauses
- Your SSP should include an explanation and proof of how each NIST 800-171 control is addressed in your organization
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.