By: Tyler Thepsiri on August 16, 2024

What Is A NIST 800-171 System Security Plan (SSP) & How To Create One

If you are a business leader working with the Department of Defense (DoD), you know all about the complex compliance requirements your organization needs to meet to maintain current contracts and secure future ones.

If you are a contractor or subcontractor, protecting Controlled Unclassified Information (CUI) can be particularly challenging as it’s sensitive information that doesn’t fall into the traditional top-secret bucket. CUI falls under the DFARS 7012 umbrella and requires NIST 800-171 compliance.

One of the required steps in your journey to becoming NIST 800-171 compliant is developing a System Security Plan (SSP) to ensure your business is doing everything it can to protect CUI. As an IT services provider, we are often asked about the requirements and what exactly an SSP is and what it should include to help with NIST certification.

In this article, we’ll walk you through everything you need to know about an SSP, so you’ll have the information needed to ensure your organization is in the best position to be NIST compliant—and we’ll do it without the technical language.

We work with companies of all sizes, including contractors, subcontractors, and suppliers working for the U.S. government. We’ve helped organizations just like yours through NIST 800-171 certification, so we know what’s involved and have extensive experience making sure you have an SSP that works.

After reading this article, whether you are a small or medium-sized organization or a large enterprise, you will know exactly what an SSP is, the key steps you need to take, and how to create one that not only helps you on your NIST compliance journey but also strengthens your cybersecurity posture.

What Is a System Security Plan (SSP)?

A System Security Plan (SSP) is a living, comprehensive document that explains exactly how your organization implements and uses the security controls outlined in NIST SP 800-171 to protect CUI.

You can think of it as your blueprint for how your company protects sensitive information. It must be detailed enough to show external auditors that your organization is doing everything it can to follow the NIST cybersecurity framework and comply with the security controls specified.


Related Article: What Are The 14 Controls Identified In NIST 800-171?


It’s important to understand that your SSP may be sparse at first, depending on the current state of your cybersecurity controls at the beginning of your NIST compliance journey. Over time, your SSP will grow to include all the policies, practices, and references to change management that relate to physical and IT security controls.

What Information Should Your SSP Include?

After working with many small and large organizations that handle CUI, we believe that your NIST SSP must include the following key pieces of information.

  • CUI Inventory & Environment Scope

    Your SSP must document all the various types of CUI your organization handles. On top of that, it must include a detailed description of how each type of CUI is processed, stored, and shared.

  • Security Controls Implementation

    You must provide a detailed description of how your organization has implemented each NIST 800-171 control. Additionally, document how each control is monitored and followed within your organization.

  • System Boundaries and Interconnections

    It's also important to make sure your SSP includes detailed diagrams of the systems that are in scope for your organization and of any external connections that may exist.

  • Gaps and Remediation Plans

    Make sure you identify and document any gaps and vulnerabilities that exist in your IT environment and infrastructure. State your plan to address them using your POAM.


Related Article: What Is A NIST 800-171 POAM (Plan Of Action & Milestones)?


Key Steps to Creating an Effective SSP

At this point, you may be a bit overwhelmed. Compliance is complex. However, as we mentioned earlier, it can be less daunting than you think, as long as you follow a template that proactively makes sure you have the right technology in place.

While every organization is different and has unique needs, here are the steps we believe every SSP must have. You can think of the steps below as a NIST SSP example or template that you can follow.

1. Understand Your IT Environment & The NIST 800-171 Framework

One of the first steps to develop an SSP is to make sure you understand your IT environment. Identify where CUI is processed, stored, and shared. Make sure you know who in your organization has access to this sensitive information and document all key devices within your network and IT infrastructure.

This step is one of the most important, as it helps ensure that your SSP accurately depicts your organization's infrastructure and the vulnerabilities it may have.

2. Align NIST 800-171 Security Controls To Your Organization

Once you know what’s in your IT environment, the next step is to make sure that you align and prioritize the specific NIST 800-171 security controls that directly apply to your organization.

Don’t try to tackle your entire NIST 800-171 compliance journey in one shot. Not all controls are equal, so it’s important to prioritize controls that apply specifically to your organization and present the highest security risk.

Your SSP will need to address each NIST 800-171 control and explain how it is implemented and monitored, and what procedures and policies are in place to make sure your organization uses it correctly to protect CUI.

3. Identify Gaps & Document Security Measures

Your SSP should have detailed explanations of what security measures you currently have in place to protect CUI. Additionally, you need to make sure that you know what security gaps exist within your IT environment so you can close these holes to prevent cyber incidents.

Start by conducting a detailed risk assessment to help you identify these vulnerabilities. You can use tools like vulnerability scans and penetration testing to help you find potential cybersecurity risks.

Once you have identified these risks, prioritize them, and align them with the matching NIST 800-171 controls to protect your data from cybercriminals. Create a Plan of Action and Milestones (POAM) and document how you will address these gaps.

4. Assign Roles and Responsibilities

Clearly define and assign roles and responsibilities for everyone involved in making decisions about your cybersecurity posture. This means you must identify the point of contact (POC) responsible for implementing, monitoring, and updating each security control.

By doing this, you ensure you hold members of your organization accountable for moving your compliance project along and keeping your data as safe as possible.

5. Regularly Review and Update Your SSP

We have often said that compliance is not a “set it and forget it” process. It’s important to continuously monitor and assess your SSP to ensure it’s as efficient and effective as possible.

With new NIST 800-171 revisions and updates to security controls, make sure you make the necessary adjustments to keep your security measures and IT environment up-to-date and stay compliant.


Related Article: NIST 800-171 Rev 3: What This Update Means For Everyone Handling CUI


Don’t forget to document any changes and update your SSP when you make them. You now have an example of a NIST SSP template that you can follow to help your organization on its compliance journey.

It’s important to note that while we have found that most organizations can successfully utilize this template to create an effective and efficient NIST 800-171 SSP, your organization may need to tweak finer details depending on its specific needs and how quickly you need to become NIST compliant.

What’s The Bottom Line

You now have a thorough understanding of what an SSP is, what should be included in it, and how you can create an effective one. Having an SSP is crucial for your business if you handle CUI and want to be NIST 800-171 compliant.

Making sure you have an SSP is not just about ticking a box, it’s about ensuring your organization has the right policies, procedures, and technology in place to safeguard sensitive government information.

Furthermore, it paves the way for a smooth compliance process, helping your business retain current government contracts and position itself as a leader in securing new ones.

As you begin the process of developing your SSP, it will become clear whether you have the internal resources you need or whether you’d benefit from collaborating with an external IT service provider.

Only you can decide if you have the internal resources you need for success. Our experience has shown that companies that are successful at developing an effective SSP using internal staff typically have the following characteristics:

  • a large enough internal IT team that several of them can pull away for an extended period to hyper-focus on the SSP without impacting your internal IT support needs and
  • certified cybersecurity experts on staff who have prior cybersecurity compliance experience.

If your company doesn’t fit the above criteria, working with an outside consultant may offer advantages by avoiding common mistakes that could compound the time and cost involved in reaching compliance.

If you decide to explore options for external IT support, we encourage you to compare several providers so that you find one that is the right fit for your organization. We take this advice so seriously that we’ve even done some of the legwork for you.

See for yourself how Kelser and one of our competitors (Charles IT) compare based on publicly available information from the websites of both organizations. We know it’s unusual for a provider to offer head-to-head comparisons, but the truth is that each organization has strengths.

Be wary of any external provider that comes in assuming they know what’s best for you without even having a conversation about your business, your goals, and your current technology pain points.

While there is a commitment of time, energy, and resources involved in developing a POAM, the value delivered is worth the investment. Your organization will have a clear plan of action upon which to base budgets and resource allocation.

It can also get you back to working on what you do for the Defense Supply Chain rather than laboring towards being able to work with them again.

Additionally, compliance with the controls in NIST SP 800-171 is a stepping stone. The DoD’s Cybersecurity Maturity Model Certification (CMMC), based on NIST 800-171, is the next step in certification.

Kelser has helped businesses like yours become compliant with a number of standards and frameworks (NIST, CMMC, HIPAA) over the years. Our staff knows what you're going through and how to get you to your goal of compliance.

Use the button below to start a conversation with us about any questions you have about NIST 800-171 or CMMC certification or other compliance topics.

About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
