What is a System Security Plan?
A System Security Plan (SSP) is a living document that is used to describe the applicable security requirements and the controls in place to meet those requirements. The SSP is meant to leverage existing content (e.g., policies, standards, procedures, etc.) and is not meant to replace it.
An SSP typically includes:
- Applicable contracts;
- System boundaries and architecture;
- Stakeholder identification;
- Security controls implemented (e.g., technical, administrative and physical); and
- Assessment and authorization status.
The SSP helps organizations manage risk, ensure consistent control implementation and provide auditors with evidence of security governance.