How to write your own SSP (System Security Plan)

How to prepare and write an SSP (System Security Plan) for business cyber continuity

The CMMC 2.0 certification process requires that you generate and follow an SSP (System Security Plan).

But that is not what you should start with!

Look at the graph below.

[Figure: CMMC 2.0 certification process graph]

Your first step is to identify all risks as per NIST SP 800-171 and NIST SP 800-172 and your CMMC 2.0 level (Level 1, 2 or 3).

If you only have to comply with Level 1 of CMMC 2.0, you will identify fewer risks, because you have to comply with fewer of the NIST SP 800-171 and SP 800-172 requirements (just 15).

In contrast to the 15 requirements at Level 1, you would have to comply with 110 for Level 2 and 134 at Level 3!

In order to write your System Security Plan, you first need the results of your Risk Assessment.

Kloudwerk can assist you in running such a Risk Assessment process for you – just contact us to discuss your needs.

The next step after the Risk Assessment is the Gap Analysis process. It identifies which of the requirements you need to comply with are not yet met.

The SSP (System Security Plan), together with the Plan of Action and Milestones (POA&M), is all you need to start working on your Implementation plan.

The Implementation plan has to consider your business objectives along with the urgency to certify your organization for CMMC 2.0 compliance.

If you must certify within 3 months, you would have to do more work daily for the next 2 months than you would if you needed to certify in a year. This might lead to increased hiring and purchasing costs, as some services and products cost more if you need to buy them in a rush. The same applies to hiring cybersecurity experts.

If you only need to comply with Level 1, you can write your SSP yourself.

You can also write your Implementation plan yourself, if your CMMC level is 1.

How to write your own SSP (System Security Plan)

The first step to writing your own SSP is listing all CMMC 2.0 requirements you are not yet in compliance with.

You will have to do this process yearly, even if you comply with all of them.

After you have the list, your next step is to detail the exact steps you and your team will have to take to comply with each requirement.

For example, Access Control, which is the most heavily impacted area of NIST 800-171 and CMMC 2.0 Level 1, covers the following control:

AC.1.001:AC.L1-3.1.1
Authorised Access Control
Limit information system access to authorised users, processes acting on behalf of authorised users, or devices (including other information systems).
• FAR Clause 52.204-21 b.1.i
• NIST SP 800-171 Rev 2 3.1.1

If this requirement is not met in your organisation, you have to list it with its identifier (AC.1.001:AC.L1-3.1.1) as per NIST 800-171.

Then, you must understand that this control is not a simple checklist item – it is a practice, which requires multiple elements and events for its completion.

Hint: Look at each requirement that your company does not comply with as a project, not as an item.

Here are the elements this practice requires:

  1. Your access control methods and practices as well as the consequences for non-compliance must be described in your Information Security Policies and Procedures. You have those, right?
  2. You must have evidence of tracking your assets, both physical and digital.
  3. You must have evidence of granting and revoking access based on your policies and procedures.
  4. You must have a list of users.
  5. You must have a list of authorised users per asset and their level of access (user, admin, power user, etc.).

Depending on the kind of information you process for the US DoD and the kind of projects you run, you may have many more items than the five listed above.
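As an added example (not code from the original post), the script below reconciles item 5, the authorised-user list per asset, against the access actually granted and turns every discrepancy into a record tagged with the control identifier, ready to be copied into the SSP or POA&M. The asset names, users and access levels are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass

# Identifier from the control quoted above (NIST SP 800-171 Rev 2 3.1.1 / CMMC 2.0 Level 1).
CONTROL_ID = "AC.1.001:AC.L1-3.1.1"

# Constructed sample evidence (item 5): authorised users per asset and their level of access.
AUTHORISED = {
    "file-server-01": {"alice": "admin", "bob": "user"},
    "hr-database": {"carol": "user"},
}

# Constructed sample: access actually granted today, e.g. exported from each system.
# "legacy-nas" is deliberately absent from the authorised list to show an inventory gap (item 2).
ACTUAL = {
    "file-server-01": {"alice": "admin", "bob": "admin", "dave": "user"},
    "hr-database": {},
    "legacy-nas": {"erin": "user"},
}

@dataclass(frozen=True)
class Finding:
    """One discrepancy, tagged with the control identifier as the SSP requires."""
    control: str
    asset: str
    user: str
    issue: str

def reconcile(authorised, actual):
    """Compare granted access with the authorised list and return the discrepancies."""
    findings = []
    for asset in sorted(set(authorised) | set(actual)):
        if asset not in authorised:
            findings.append(Finding(CONTROL_ID, asset, "*", "asset holds accounts but is not in the authorised-access list"))
            continue
        granted = actual.get(asset, {})
        for user, level in granted.items():
            if user not in authorised[asset]:
                findings.append(Finding(CONTROL_ID, asset, user, "access granted to a user who is not authorised"))
            elif level != authorised[asset][user]:
                findings.append(Finding(CONTROL_ID, asset, user, f"granted level {level!r} differs from authorised {authorised[asset][user]!r}"))
        for user in authorised[asset]:
            if user not in granted:  # records and reality disagree: check grant/revocation evidence (item 3)
                findings.append(Finding(CONTROL_ID, asset, user, "authorised but no access provisioned; records out of date"))
    return findings

if __name__ == "__main__":
    for f in reconcile(AUTHORISED, ACTUAL):
        print(f"{f.control} | {f.asset} | {f.user} | {f.issue}")
```

Each printed line is one open POA&M item; re-running the script after remediation with an empty result is the evidence that the discrepancy was closed.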

Your SSP must include all requirements you need to comply with and all steps you plan to take to remediate any discrepancies.

You must be specific as to the deadlines and priorities you will follow – for example, which requirement is of higher priority and who will work on it.

You should also specify the available resources and your plans to procure additional resources if the ones present now are not enough to complete the entire project on schedule and within budget.
