How to prepare and write an SSP (System Security Plan) for business cyber continuity
The CMMC 2.0 certification process requires that you generate and follow an SSP (System Security Plan).
But that is not what you should start with!
Look at the graph below.
Your first step is to identify all risks according to NIST SP 800-171 and NIST SP 800-172 and your target CMMC 2.0 level (Level 1, 2 or 3).
If you only have to comply with Level 1 of CMMC 2.0, you will identify fewer risks, because you have to meet fewer of the NIST SP 800-171 and 800-172 requirements (just 15).
In contrast to the 15 requirements at Level 1, you would have to comply with 110 at Level 2 and 134 at Level 3!
In order to write your System Security Plan, you first need the results of your Risk Assessment.
Kloudwerk can assist you in running such a Risk Assessment process for you – just contact us to discuss your needs.
The next step after the Risk Assessment is the Gap Analysis process. It identifies which of the requirements you need to comply with are currently failed.
The SSP (System Security Plan) that you need to have, along with the Plan of Action and Milestones (POA&M), is all you need to start working on your Implementation plan.
The Implementation plan has to consider your business objectives along with the urgency to certify your organization for CMMC 2.0 compliance.
If you must certify within 3 months, you will have to do far more work each day for the next 2 months than you would if you needed to certify in a year. This might lead to increased hiring and purchasing costs, as some services and products cost more if you need to buy them in a rush. The same applies to hiring cybersecurity experts.
If you only need to comply with Level 1, you can write your SSP yourself.
You can also write your Implementation plan yourself, if your CMMC level is 1.
How to write your own SSP (System Security Plan)
The first step to writing your own SSP is listing all CMMC 2.0 requirements you are not yet in compliance with.
You will have to repeat this process yearly, even if you already comply with all of them.
After you have the list, your next step is to detail the exact steps you and your team will have to take to comply with each requirement.
For example, Access Control, which is the most heavily impacted area of NIST 800-171 and CMMC 2.0 Level 1, covers the following control:
Authorised Access Control
Limit information system access to authorised users, processes acting on behalf of authorised users, or devices (including other information systems).
• FAR Clause 52.204-21 b.1.i
• NIST SP 800-171 Rev 2 3.1.1
If this requirement is not met in your organisation, you have to list it with its identifier (AC.1.001:AC.L1-3.1.1) as per NIST 800-171.
Then, you must understand that this control is not a simple checklist item – it is a practice, which requires multiple elements and pieces of evidence for its completion.
Hint: Look at each requirement that your company does not comply with as a project, not as an item.
Here they are:
- Your access control methods and practices as well as the consequences for non-compliance must be described in your Information Security Policies and Procedures. You have those, right?
- You must have evidence of tracking your assets, both physical and digital.
- You must have evidence of granting and revoking access based on your policies and procedures.
- You must have a list of users.
- You must have a list of authorised users per asset and their level of access (user, admin, power user, etc).
Depending on the kind of information you process for the US DoD and the kind of projects you run, you should expect many more items than the five listed above.
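The last three elements above (a master list of users, a list of authorised users per asset with their level of access, and evidence of granting and revoking access) can be checked mechanically, and the discrepancies are exactly what goes into your POA&M. The script below is an added example written for this article, not code from Kloudwerk or from NIST; it reconciles the authorised-user list per asset against an account export from each system and turns every mismatch into a POA&M-style row tagged with the practice identifier AC.L1-3.1.1. The asset names, user names and roles are constructed sample data, and the three role names are an assumption about how your policy ranks access levels.

```python
"""
Added example (not part of the original article): an access-review check
for CMMC 2.0 practice AC.L1-3.1.1 (NIST SP 800-171 Rev 2, 3.1.1).

It compares what your policy records say (authorised users per asset and
their access level) with what each system actually contains (an account
export), and reports every discrepancy as an open POA&M item.
"""
from dataclasses import dataclass

PRACTICE_ID = "AC.L1-3.1.1"

# Assumed privilege ordering: a higher rank means more access.
ROLE_RANK = {"user": 0, "power user": 1, "admin": 2}


@dataclass(frozen=True)
class Finding:
    asset: str
    account: str
    issue: str    # short weakness class used in the POA&M
    detail: str   # human-readable explanation for the SSP evidence file


def review_access(authorised, observed, active_users):
    """
    authorised:   {asset: {user: role}}    from the access-control records in your policies
    observed:     {asset: {account: role}} from an account export of each system
    active_users: set of users on the master user list (current staff/contractors)
    Returns one Finding per discrepancy, in asset order.
    """
    findings = []
    for asset in sorted(set(authorised) | set(observed)):
        allowed = authorised.get(asset, {})
        present = observed.get(asset, {})
        # Accounts that exist on the asset: are they still valid and authorised?
        for account, role in sorted(present.items()):
            if account not in active_users:
                findings.append(Finding(asset, account, "stale-account",
                    f"{account} is not on the master user list but still holds a {role} account"))
            elif account not in allowed:
                findings.append(Finding(asset, account, "unauthorised-access",
                    f"{account} holds a {role} account with no authorisation record"))
            elif ROLE_RANK[role] > ROLE_RANK[allowed[account]]:
                findings.append(Finding(asset, account, "excess-privilege",
                    f"{account} is authorised as {allowed[account]} but holds {role}"))
        # Authorisations with no matching account: the record itself may be outdated.
        for user, role in sorted(allowed.items()):
            if user not in present:
                findings.append(Finding(asset, user, "authorised-but-absent",
                    f"{user} is authorised as {role} but has no account on the asset"))
    return findings


def to_poam(findings):
    """Render findings as POA&M rows, each tied to the practice identifier."""
    return [{"practice": PRACTICE_ID, "asset": f.asset, "account": f.account,
             "weakness": f.issue, "detail": f.detail, "status": "open"}
            for f in findings]


# Constructed sample data: two assets, a policy record and an account export.
SAMPLE_AUTHORISED = {
    "fileserver-01": {"alice": "admin", "bob": "user"},
    "erp-app": {"alice": "user", "carol": "power user"},
}
SAMPLE_OBSERVED = {
    "fileserver-01": {"alice": "admin", "bob": "admin", "dave": "user"},
    "erp-app": {"alice": "user", "erin": "user"},
}
SAMPLE_ACTIVE_USERS = {"alice", "bob", "carol", "erin"}   # dave has left


if __name__ == "__main__":
    for row in to_poam(review_access(SAMPLE_AUTHORISED, SAMPLE_OBSERVED, SAMPLE_ACTIVE_USERS)):
        print(f"{row['practice']} | {row['asset']:<14} | {row['weakness']:<22} | {row['detail']}")
```

Run against the sample data it reports four items: erin has an account on erp-app without authorisation, carol is authorised on erp-app but has no account, bob has admin on fileserver-01 although only authorised as a user, and dave still has an account after leaving. Feeding the script a fresh export every review cycle gives you the dated evidence of granting and revoking access that the practice asks for, and an empty result is itself evidence worth keeping.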
Your SSP must include all requirements you need to comply with and all steps you plan to take to remediate any discrepancies.
You must be specific as to the deadlines and priorities you will follow – for example, which requirement is of higher priority and who will work on it.
You should also specify the available resources and your plans to procure additional resources if the ones present now are not enough to complete the entire project on schedule and within budget.