Guide To Creating a CMMC Compliant System Security Plan (SSP)


Your company, the Organization Seeking Assessment (OSA), has determined that it must achieve CMMC Level 2 certification to comply with contractual requirements with the Department of Defense (DoD) as defined in 32 CFR Part 170. An initial and critical step in attaining CMMC Level 2 certification is creating a system security plan (SSP). An SSP is not required when conducting a CMMC Level 1 self-assessment, although creating one at that level is considered a best practice. The SSP is completed by the OSA. This blog focuses on the creation process for this essential security documentation.

What Is a System Security Plan (SSP) and Why Is It Important?

According to NIST, an SSP is a “formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.”

For CMMC Level 2 certification, the SSP details how the OSA protects its information systems and sensitive data against the 14 families of security requirements defined in NIST SP 800-171 R2. It describes the system boundary, the IT environment, how each security requirement is implemented, connections with other systems, and personnel responsibilities. The focus is on security controls. NIST Special Publication 800-18 R1 describes the process for developing an SSP.

System Security Plan (SSP) Scope Determination

The creation of the SSP involves several steps. The process begins with determining the assets in scope for a CMMC Level 2 assessment, as defined in the CMMC Level 2 Scoping Guide.

A CMMC Level 2 assessment uses the following asset categories:

  • Controlled Unclassified Information (CUI) Assets
  • Security Protection Assets
  • Contractor Risk Managed Assets
  • Specialized Assets
  • Out-of-Scope Assets

Identifying assets within the five categories stated above determines which assets are in scope. The treatment of these assets must be documented within the SSP. An individual at the OSA is designated as responsible for the overall security documentation, the approval of the SSP, and any procedures developed to aid in the finalization and submission of the SSP.

Essential Components: What Should an SSP Include?

When creating an SSP, organizations must incorporate specific elements to ensure comprehensive coverage of their security posture. The following components represent the essential information that must be included in a properly structured SSP.

  • Information system name and identifier
  • Category of the information system in accordance with the FIPS 199 categories:
    • Low,
    • Moderate, or
    • High
  • Information system owner – defined for each system in scope
  • Authorizing official and other identified contacts
  • Assignment of security responsibility
  • Information system operational status:
    • Operational
    • Under Development
    • Major Modification
  • Information system type:
    • Major Application
    • General System Support
  • General system description/purpose
  • System Environment
  • System interconnection/information sharing
  • Laws, regulations, and policies affecting the system
  • Minimum security controls
  • Security controls (the breakdown of the 14 requirement families from NIST SP 800-171 R2)

All of the security control areas defined in NIST SP 800-171 R2 must be addressed in the SSP, whether or not they apply to the OSA’s environment. All security control areas are in scope for the CMMC Level 2 assessment. An area can be marked as not applicable to the OSA’s environment, but the SSP must include an explanation of why the area is not applicable.

Areas that fall under the responsibility of an external subservice provider must also be documented within the SSP. Cloud Service Providers (CSPs) that handle CUI must be FedRAMP Moderate Equivalent, as assessed by a qualified assessor, in order to meet CMMC Level 2 requirements. Compliance with FedRAMP Moderate Equivalency is assessed against DFARS clauses 252.204-7012 and 252.204-7020.

Plan of Action and Milestones (POAM)

Creating the SSP may produce one or more POAMs (Plans of Action and Milestones) as an output. A POAM is a corrective action plan for an SSP component that needs remediation. The POAM documents the details of that component: the weaknesses identified, the responsible party, the remediation plan, the scheduled completion date, and the ongoing status during the remediation phase. The OSA monitors and manages each POAM through completion, updating the SSP to reflect the remediation. NIST provides a POAM template as a starting point for documenting and remediating findings, which the OSA can modify as appropriate.

Maintaining the SSP Once Initially Completed

The SSP is not a static document. Once completed, it must be reviewed and updated when significant changes occur, and fully reviewed at least every three years as stated in NIST Special Publication 800-18 R1.

Each change to the SSP should be documented along with the date it was made and the responsible party who made it.

Key Takeaways for SSP Development

The SSP is a critical and required piece of the CMMC Level 2 assessment, which covers the 110 practices and 320 assessment objectives defined in NIST SP 800-171 R2. Every assessment objective must be addressed, either as applicable (with a description of how it is met) or as not applicable (with supporting justification), for the SSP to be considered complete when it is reviewed during a CMMC Level 2 assessment.

Linford and Company is currently pursuing authorization as a Certified CMMC Third-Party Assessment Organization (C3PAO) to complement our existing FedRAMP compliance and NIST assessment services. For additional guidance, we recommend exploring the official CMMC resources available from the DoD CIO alongside professional assessment services to support your certification journey. If you have questions about preparing for an upcoming CMMC compliance assessment or having a CMMC Level 2 assessment performed, please contact us.
