A Practical Guide to Your System Security Plan (SSP) for CMMC/NIST 800-171

Posted by: Kevin Hancock March 23, 2023 CMMC, Compliance

With the growing importance of cybersecurity in today’s world, businesses need to ensure that their information systems are adequately protected. The Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171 are two key frameworks that help organizations  achieve this goal. Bookmark this blog as a practical guide to developing your System Security Plan (SSP) for CMMC/NIST 800-171 compliance. 

Understanding CMMC and NIST 800-171 

CMMC is a unified cybersecurity standard for the Defense Industrial Base (DIB), focused on protecting controlled unclassified information (CUI) in non-federal systems. NIST 800-171, on the other hand, is a set of guidelines published by the National Institute of Standards and Technology, which provides recommended requirements for protecting the confidentiality of CUI. 

When you’re ready to start developing your System Security Plan (SSP), follow the steps below to be sure you cover all the bases. 

1. Develop and Implement Your SSP 

As you work on your SSP, keep the following questions in mind:  

  • Where is information entering our system? 
  • Where is the information stored — on-premises, cloud, backup/DR?  
  • What individuals interact with the data?  
  • How do they use the data  
  • How do they store, process, and transmit the data? 
  • Who supports the systems? 
  • Where are the users physically located? 

Identify and Categorize Information Systems 

The first step in developing your SSP is identifying all information systems that process, store, or transmit CUI. You should categorize these systems according to their security requirements based on the CMMC level you aim to achieve and the sensitivity of the information they handle. 

Assess Your Current Security Controls 

Review your current security controls and assess them against the requirements outlined in NIST 800-171. Identify any gaps and create a plan to address these areas of non-compliance. Remember that the CMMC framework is cumulative, meaning that each level includes the requirements of the previous levels. 

With a clear understanding of the requirements, develop your SSP by documenting all relevant security controls, policies, and procedures. Your SSP should include: 

  • An overview of your organization’s security policies 
  • A detailed description of your information systems and their environments 
  • A description of the security controls implemented in your systems 
  • A plan of action and milestones (POA&M) to address any identified gaps 

2. Conduct Regular Assessments 

Perform periodic assessments to ensure that your SSP remains up-to-date and reflects the current state of your information systems. Assessments can be performed internally or through third-party providers. The results should be documented in a Basic Assessment Report (BAR) and uploaded to the Supplier Performance Risk System (SPRS), as required by the Department of Defense (DoD). 

Train Your Workforce 

Your employees play a critical role in maintaining the security of your information systems. Provide regular training on cybersecurity best practices, and ensure your staff knows their responsibilities in protecting CUI. 

3. Maintain and Update Your SSP 

Your SSP should be a living document, regularly reviewed and updated to account for changes in your information systems or new threats. As your organization evolves, your SSP should evolve with it. 

Your SSP should include, but not be limited to, the following elements:   

  • Data Flow Diagram 
  • Plan of Action & Milestones 
  • Asset Inventory 
  • Users 
  • Periodic Reviews 

Developing an SSP that meets the requirements of CMMC/NIST 800-171 is a critical step for organizations looking to protect their valuable information and maintain compliance with federal regulations. By following the practical steps outlined in this guide, you can ensure that your organization is well-prepared to meet cybersecurity challenges and protect the sensitive data you handle. 

Note About Third Parties 

When working with third parties, such as cloud service providers, Cloud Service Providers, keep in mind this text from DFARS 7012*: (D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage. 

Leverage our Expertise to Save Resources and Time 

We understand there’s a lot to consider and do when putting together and maintaining your SSP. Exostar solutions can help you achieve compliance and protect sensitive information. Explore the advantages with a free trial of Exostar’s Policy Pro and Certification Assistant. 

You’re invited to learn more in the on-demand webinar below.