You know what CUI is, and you know the hard requirement to figure out how to protect it. What's next? Simple: make a system security plan. There are several options to choose from, but I'd recommend you start with the basics.
The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, as well as the responsibilities and expected behavior of all individuals who access the system. The SSP doesn't have to be hard, but it does need to be complete. I'd also argue that in many of the small companies we've visited in the last few months, where there's one flat network, the SSP simply covers the entire environment. Others that subnet off government programs into their own environments may have several sections covered in the SSP.
An Unclassified System Security Plan (SSP) is not a single document. It is a collection of documents that tell the story of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.
The system security plan reflects input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager.
Creating the SSP is a three-step process:
Artifacts (documents) are collected that communicate the current system state. These documents include the policies, procedures, and technology used for that system.
Any documentation that does not exist must be created based on interviews and communication with the organization.
Finally, all the pieces are entered into a template to create a final product.
Rather than reinvent the wheel, here's the link for the System Security Plan for CUI at NIST.
We (Trusted Internet) don't do audits or System Security Plans, but we have a great partner in Huntsville, AL who does. In fact, their main business is compliance, and they've been helping companies with 800-171 requirements from the beginning. For more information, please feel free to reach out directly to H2LSolutions.