system hardening using DISA STIGS

How to Create a System Security Plan (SSP)

In short, a system security plan lists an organization’s cybersecurity requirements and explains how it meets them. We will go into more detail below.

Join our newsletter:

What is a System Security Plan (SSP) Used For?

A system security plan describes an organization’s “information system”, its structure, stakeholders, system components, its security requirements, and how an organization has implemented its cybersecurity requirements. Companies with a cybersecurity maturity model certification (CMMC) requirement of level three or higher will need to create a system security plan. Companies with level one and two requirements are not required to have one (as of this writing) but it is still a good idea to create one.

How to Develop a System Security Plan (SSP)

The first step is to get all the relevant stakeholders together to discuss the task. Bring together folks from executive management, IT, security, and contract compliance. Work together to scope out your information system. This includes determining the type of information it processes (e.g., CUI and or FCI), which systems are used to support DoD contracts, and what business processes your information system supports. Determine what cybersecurity requirements apply to your system (e.g., CMMC level three). Then conduct a gap analysis or assessment to determine which cybersecurity requirements your company has implemented and which ones are missing. Document the implementation of your cybersecurity requirements in the system security plan and document how you plan to implement the absent requirements. Reach out to relevant stakeholders throughout the development of your SSP. Going forward update your SSP to reflect changes to your security requirements and information system.
SSP Inputs

What is in a System Security Plan (SSP)?

  • A name for your information system (e.g., ACME Corp’s Information System)
  • Information System Categorization (e.g., Moderate because the organization processes CUI)
  • Important stakeholder (e.g., system owner, information owner, system security officer)
  • A general description of the information system (e.g. what kind of information does it process, what kinds of business processes does it support)
  • A general description of the information processed by the information system (e.g., it processes CUI)
  • A description of the system environment (e.g. a network topology and narration to explain it.)
  • A list of hardware and software used in your information system.
  • Any system interconnections you may have. This includes listing other systems with access to your system and any access your system has to other systems.
  • A list of your cybersecurity requirements (e.g. your level 3 CMMC practices)
  • For each cybersecurity requirement listed, specify if it has been implemented or not.
  • For each cybersecurity requirement listed, specify how you implemented it, or plan to.
  • A simple table to record changes to your SSP is also useful.

System Security Plan (SSP) Templates

NIST SP 800-18 R1 includes a system security plan template.
NIST also has an SSP template from the NIST SP 800-171 days. It is still relevant but will need some modification to better reflect the new CMMC requirements.


If you have any questions about system security plans feel free to reach out to us at info[@]

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.