What is a System Security Plan (SSP)?

Direct Answer

A System Security Plan (SSP) is a living document that is used to describe the applicable security requirements and the controls in place to meet those requirements.

The SSP is meant to leverage existing content (e.g., policies, standards, procedures, etc.) and is not meant to replace it.

A SSP typically includes:

Applicable contracts;
System boundaries and architecture;
Stakeholder identification;
Security controls implemented (e.g., technical, administrative and physical); and
Assessment and authorization status.

The SSP helps organizations manage risk, ensure consistent control implementation and provide auditors with evidence of security governance.

Keep Exploring

Relevant ComplianceForge Resources

NIST 800-171 Compliance Program (NCP)
NIST SP 800-171 Rev. 3 compliance information
ComplianceForge NIST 800-171 & CMMC resources

References

Authoritative Sources

NIST SP 800-18 Rev. 1 Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-171 Rev. 3
NIST SP 800-171A Rev. 3 assessment procedures
DFARS 252.204-7012
NIST Cybersecurity Framework (CSF) 2.0