NIST 800-171 System Security Plan (SSP)
What Is The NIST 800-171 System Security Plan (SSP)?
The SSP is meant to be a "living document" that captures pertinent information on the controls implementation for NIST 800-171. Specifically, the SSP template covers all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls that are listed in Appendices D and E of NIST 800-171. The SSP can serve as a key element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.
It is important to understand that there is no officially-sanctioned format for a System Security Plan (SSP) to meet NIST 800-171 compliance requirements. This template is based on SSP requirements that are used for other US government compliance requirements for SSPs, but it is tailored to document the entire Controlled Unclassified Information (CUI) environment for an organization.
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The SSP contains the framework you need to document your Controlled Unclassified Information (CUI) environment, which is a requirement of NIST 800-171.
What Problems Does The SSP Solve?
- Lack of In House Security Experience - Writing cybersecurity documentation is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SSP is an efficient method to obtain a quality SSP template for your organization!
- Compliance Requirements As a DoD or US government contractor, having a SSP is a requirement of NIST 800-171.
A key concept to keep in mind with the SSP is that it should be complete enough for a reasonable person to pick up, read through and understand the following information:
- The definition of CUI, in regards to the company’s operations. This is how CUI is defined in contracts.
- Where CUI is stored, transmitted or processed.
- What controls are in place to protect CUI as it is stored, transmitted and processed.
- Any deficiencies that exist in protecting CUI, if applicable.
- Remediation plans address known deficiencies, if applicable.
How Does The SSP Solve These Problems?
- Clear Documentation - The SSP provides a comprehensive template to document your CUI environment. This equates to a time savings in staff and consultant expenses!
- Time Savings - The SSP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific SSP needs.
- Alignment With Leading Practices - The SSP is written to align with NIST 800-53 controls for NIST 800-171 compliance.
Product Example - NIST 800-171 SSP
The SSP is based on existing formats that are used for FedRAMP, but is designed specifically for NIST 800-171 to document the controls affecting your Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls. The SSP is meant to be a "living document" that addresses the who, what, why, when, where, who and how of a security program.
|Watch Our Product Walkthrough Video||View Product Example|
Cost Savings Estimate - NIST 800-171 System Security Plan (SSP)
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SSP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
- For your internal staff to generate comparable documentation, it would take them an estimated 90 internal staff work hours, which equates to a cost of approximately $6,900 in staff-related expenses. This is about 2-3 months of development time where your staff would be diverted from other work.
- If you hire a consultant to generate this documentation, it would take them an estimated 45 consultant work hours, which equates to a cost of approximately $13,500. This is about 1-2 months of development time for a contractor to provide you with the deliverable.
- The SSP is approximately 7% of the cost for a consultant or 13% of the cost of your internal staff to generate equivalent documentation.
- We process most orders the same business day so you can potentially start working with the SSP the same day you place your order.
The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
NIST 800-171 System Security Plan (SSP) Template | Plan of Action & Milestones (POA&M) Template Included
At no additional cost, your purchase of the System Security Plan (SSP) template comes with a Microsoft Excel template for a Plan of Action and Milestones (POA&M) that is editable for your needs.