System Security Plan
What Is a System Security Plan?
A system security plan (SSP) is a formal document that provides an overview of an organization’s security requirements for a system and the existing or planned security measures for meeting those requirements. It describes the system and identifies the security controls and their implementation.
An SSP provides an organization with several cybersecurity benefits. It informs and aligns the company around a coherent security posture and set of operating controls. It assists with the management of those controls by identifying the responsibilities, accountability, and expected behavior of people who access the system. Documenting risks and mitigation strategies helps prevent security problems and prepares the company to respond swiftly and effectively to security incidents.
For legal protection, a system security plan also facilitates the organization’s contractual requirements and adherence to relevant compliance standards, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and the US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC).
What Is the NIST SP 800-171 System Security Plan?
Since November 2016, the system security plan has been part of the NIST SP 800-171 security requirement set forth by the Defense Federal Acquisition Regulation Supplement (DFARS). The DoD’s latest update to CMMC also mandates the SSP.
NIST SP 800-171 provides recommended requirements for protecting controlled unclassified information (CUI) confidentiality. The control’s security requirement 3.12.4 states that organizations must “develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationship with or connections to other systems.”
Defense contractors must implement NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA, or other Federal or state agencies’ supply chain, NIST SP 800-171 implementation is required. According to the CUI SSP cybersecurity template distributed by the NIST, an organization’s chief information officer (CIO) and systems security officers are responsible for the system security plan.
At a Glance: Who Must Follow a NIST SP 800-171 System Security Plan -Contractors for the U.S. Department of Defense -Any organization that provides financial services to the U.S. Department of Defense -Consulting firms and consultants who work with federal contracts -Manufacturing companies that furnish products and goods to the government |
NIST SP 800-171 Rev. 2 includes the following control families to organize system security plan requirements for controlled unclassified information (CUI). The control families are based on core security functions. Over time, it is likely that NIST SP 800-171 will continue to be updated, to incorporate new security controls as cyber-threats evolve.
Access control | Control who is authorized to access CUI and system resources. |
Awareness and training | Educate and train staff on adequate CUI handling. |
Audit and accountability | Track who is accessing CUI and what falls under their responsibility. |
Configuration management | Maintain secure configurations, by following necessary guidelines. |
Identification and authentication | Oversee and track all CUI access. |
Incident response | Be prepared and have response plans for any data breach. |
Maintenance | Protect CUI with ongoing security and change management. |
Media protection | Ensure secure handling of backups, external drives, and backup equipment. |
Physical protection | Grant access to CUI in physical spaces only to authorized personnel. |
Personnel security | Train personnel to recognize and avert insider threats. |
Risk assessment | Implement penetration testing and create a CUI risk profile. |
Security assessment | Confirm security procedures are in place and working. |
System and communications protection | Ensure communications channels and systems are secure. |
System and information integrity | Mitigate new vulnerabilities and system downtime. |
The US Department of Defense (DoD) created CMMC based on NIST SP 800-171 Rev. 2 and other cybersecurity standards. CMMC helps to ensure that companies handling national security information implement and comply with these standards by documenting their procedures, management, and reviews of cyber events.
While NIST SP 800-171 Rev. 2 is a set of recommended requirements for protecting CUI confidentiality, CMMC is designed to enforce the protection of sensitive defense-related information across the Defense Industrial Base (DIB).
Companies have to conform with CMMC at different levels, depending on the type and sensitivity of the information being handled. CMMC Level 2 requires compliance verification by a third-party assessment organization (C3PAO), and CMMC Level 3 requires verification by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC).
How Often Should a System Security Plan Be Updated?
Without regular updates to their system security plan, organizations are at risk of data breaches and could face significant financial and operational consequences. If an organization’s SSP fails to reflect the current operational state of its business environment, the organization could also be at risk of non-compliance with contracts and may face prosecution under the False Claims Act.
Department of Justice Actions for NIST SP 800-171 Special Security Plan Failures In 2021, the Department of Justice (DOJ) announced the Civil Cyber-Fraud Initiative. This serves as an important enforcement tool for civil fraud, as well as procurement and cybersecurity requirements defined in government contracts. The Civil Cyber-Fraud Initiative leverages the False Claims Act in three ways to hold companies accountable. It can levy charges against organizations that: -Knowingly or unknowingly misrepresent the cybersecurity practices of their organization -Fail to follow required cybersecurity standards, which should be covered in the organization’s system security plan -Knowingly failing to report cybersecurity incidents in a timely manner The penalties for non-compliance are steep. In the first settlement by the DOJ of a Civil Cyber-Fraud case under its Civil Cyber-Fraud initiative, an organization was required to pay $930,000 to settle False Claims violations related to falsely representing compliance with contractual requirements. Subsequently, the DOJ announced a $4 million settlement with another organization to resolve claims that it failed to meet cybersecurity requirements. |
To avoid these potential consequences, a system security plan should be viewed as an evolving document that is reviewed and updated frequently to demonstrate robust SSP cybersecurity and compliance. The frequency of system security plan updates should be based on the following criteria
- The organization’s technical environment
- The level of risk associated with systems and organizational data
- Changes in the organization’s security posture
- Changes to applicable laws and regulations
Whenever an organization adds a new process or tool, creates a new user role, or materially changes its IT environment, it is important to check whether it impacts your system security plan. Anytime a new cyberthreat or risk is identified, appropriate updates should be made, and the system security plan should be revised. New laws and regulations should be monitored to identify new requirements that should be addressed in the system security plan.
For companies needing to follow NIST SP 800-171 requirements and attain CMMC certification, the system security plan should also be updated and completed prior to third-party assessment.
What Are the Different Types of Security Plans?
There are several types of security plans that are used by organizations to address different functions. The specifics of deployment of these security plans depend on the size and scope of the organization’s needs. Most organizations employ aspects of most of these security plans. While each of these has a different focus, all effective security plans share common characteristics, including:
- Alignment with the organization’s risk tolerance
- Buy-in and support of senior management for the program and enforcement of policies
- A clearly articulated purpose and objectives
- A defined scope
- Feasibility to implement and enforce
- Reflection of the company’s current environment (e.g., technology, trends, and regulations)
- Statement of applicability that clarifies who the plan applies to (e.g., specific users or geographical regions)
- Terminology that is clear and broadly understood
Organizational security plans
Also referred to as program policies, organizational security plans define an organization’s overall information security program. This blueprint of programs and policies provides a foundation for other security plans. Organizational security plans also articulate the objectives and scope of the program, including the applicable compliance requirements and roles and responsibilities. Program policies do not delve into the tactics and are technology-agnostic. Components of an organizational security plan include:
- Risk management plans that identify risks to digital assets and strategies for risk assessment, mitigation, and management
- Business continuity plans (BCP) to ensure continuity of operations by mitigating service disruptions after a disaster or major system incident
- Incident response plans include procedures for responding to a security breach as it occurs
- Security awareness and training plans to educate users on threats, security policies, and best practices
Issue-specific security plans
Issue-specific security plans or policies build upon general security policies. They focus on current areas of relevance, concern, and even controversy. They provide more concrete guidance on topics of special concern to an organization’s workforce. Examples include:
- Use of Generative AI policy
- Internet access policy
- Network security policy
- Bring-your-own-device (BYOD) policy
- Social media policy
- Remote work policy
- Acceptable use plans that lay out rules and regulations for employees’ use of company assets
- Policies related to email security, such as rules that discourage phishing attacks
- Data protection and privacy plans that establish rules for how data can be collected, stored, and used
Issue-specific policies usually come from a senior official in the organization. They typically include a statement about the issue, the organization’s position, and its applicability. They also outline roles and responsibilities for the policy, including required approval authority.
System-specific security plans
Unlike issue-specific plans, system-specific security plans are often most relevant to the technical personnel that maintain them. A system-specific security plan is the most granular type of security plan. It targets system-specific aspects of the larger organizational plan, such as a firewall, web server, or individual computer, focusing on the cybersecurity policies for them. Two categories of system-specific security policies are directives on system implementation (i.e., managerial guidance) and configuration and user behavior to maximize security of the information on the system (i.e., technical specifications).
According to NIST, these plans should include a security objective and operational rules. Each objective should be achievable and include statements about actions with respect to resources. Operating rules should describe who can take what action using what system resource. Examples of a system-specific security policy are:
- Access control plans specifying which employees can access which resources
- Rules related to BYOD and how or if these devices may be connected to an organization’s network
- Mobile device management (MDM) plans that focus on mobile device security (e.g., use of encryption and multi-factor authentication)
Physical security plans
Physical security plans protect an organization’s physical assets, including buildings, rooms, vehicles, inventory, machines, and IT equipment such as servers, computers, and hard drives. They define how those assets are protected and who is authorized to access, handle, move, and monitor them. Their purpose is to protect against:
- Computer service interruptions
- Physical damage
- Unauthorized access to company data
- Loss of control over system integrity
- Physical theft
Physical security plans include the following:
Physical access | Restrict the movement of people and equipment into or out of a physical area. |
Fire safety | Limit the danger and detection of fire from ignition and fuel sources, and outline how fire should be extinguished. |
Supporting utilities | Minimize risk from systems such as heating, air-conditioning, electric power, water and sewage. |
Structural collapse | Cover the potential impact of a compromised structure from building load, natural disasters, and fire. |
Plumbing leaks | Understand potential disruption from plumbing leaks. |
Interception of data | Anticipate problems with unauthorized data access from direct observation of data, interception of data transmission, or electromagnetic interception |
Mobile and portable systems | Analyze the additional risk from the movement of physical equipment, including portable devices such as laptops. |
Why Non Federal Organizations Can Use a System Security Plan
For non-federal organizations, a system security plan provides proven guidance and best practices for protecting all types of sensitive information. Using a system security plan to inform cybersecurity decisions and programs helps organizations ensure that they are taking necessary precautions to protect sensitive information, which meets the company’s internal needs and/or helps to address many security requirements.
Using an SSP,, which describes how security requirements are met and explains what changes or additions will be made to address known or anticipated threats, helps to identify gaps and offers opportunities for improvement. Whether working with federal agencies or not, creating and maintaining a system security plan delivers unquestionable value to every organization.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000+ customers with millions of users worldwide.
Last Updated: 4th November, 2024