The NIST 800-171 System Security Plan (SSP) is a required living document that describes the system boundary, environment of operation and how NIST SP 800-171 security requirements are implemented for systems that process, store or transmit Controlled Unclassified Information (CUI).
An SSP should not replace policies, standards and procedures. Instead, it should reference and summarize the controls, people, processes and technologies used to protect CUI. It should include system components, data flows, responsible stakeholders, control implementation narratives and related POA&M items for deficiencies.
