System Security Plans Explained

To meet NIST SP 800-171 requirements you must create and maintain a system security plan (SSP).

Why Do You Need a System Security Plan?

If your company is required to implement NIST SP 800-171 security controls then you are required to create and maintain a system security plan. NIST SP 800-171 security control 3.12.4 requires that you “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
A system security plan is also the document that an assessor or the government will review when they are assessing the security of your information system.

What is a System Security Plan?

According to the NIST glossary a system security plan is a “formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.”

How Do You Create a System Security Plan?

Although there is no required format for your system security plan (SSP), there is a CUI SSP Template available on the NIST website. Your system security plan should contain all of the sections from the NIST SSP template.

How to Get a Free Vendor Neutral System Security Plan

We have a vendor neutral system security plan that is already filled out. All you need to do is modify it to meet your needs. Please send us an email at to request the template.

System Security Plan Sections Explained:

What is the System Name in an SSP?

The system name is the name of the information system used to support your DoD contract work. For most small businesses this will be their entire IT infrastructure, unless they create a separate infrastructure for DoD-related work. So where do you get the name for your system? You can create any name you wish to describe your system. A common example would be YOURCOMPANYNAME_DEFENSE.

What is the System Categorization in an SSP?

The system categorization determines the level of impact. Security categorization provides a structured way to determine the criticality and sensitivity of the information being processed, stored, and transmitted by an information system. The security category is based on the potential impact (worst case) to an organization should certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets and individuals, fulfill its legal responsibilities, and maintain its day-to-day functions.

What is the System Unique Identifier in an SSP?

The system unique identifier helps identify your system. You can create your own system identifier. It can be alphanumeric.

Who is the Responsible Organization in an SSP?

The responsible organization is your company and its contact information.

Who is the Information Owner in an SSP?

The Government point of contact responsible for providing and/or receiving CUI is the information owner.

Who is the System Owner in an SSP?

The person or organization having responsibility for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system. In general this will be the IT director at your company.

Who is the System Security Officer in an SSP?

The person with assigned responsibility for maintaining the appropriate operational security posture for an information system or program. In general this is a senior person from your IT department.

What is the General Description/Purpose of the system in the SSP?

This is where you provide a paragraph that briefly explains your IT infrastructure and the missions it supports. For example, you can explain that you have 20 laptops, 2 file servers, a firewall, and cloud services, and discuss how these systems support business operations.

What is the number of end users and privileged users?

Create a table where you provide the approximate number of users and administrators of the system. Include all those with privileged access, such as system administrators, database administrators, application administrators, etc. Add rows to define different roles as needed.

What is the General Description of Information in the SSP?

This section documents the CUI information types processed, stored, or transmitted by the system. For more information, see the CUI Registry.

What is the System Environment in an SSP?

The system environment section is where you create a network diagram or topology to illustrate your information system. You also need a narrative that explains the diagram.

What is the Hardware Inventory in an SSP?

It is a complete and accurate listing of all hardware components (a reference to the organizational component inventory database is acceptable) and software components (system software and application software), including make/OEM, model, version, service packs, and the person or role responsible for the component.

What is the Software Inventory in an SSP?

It is a document that lists all software components installed on your information system.

What is Hardware and Software Maintenance and Ownership in an SSP?

This is where you state whether you have any external IT service providers or other organizations that maintain your hardware or software.

What is the requirements section in an SSP?

This is where you provide a thorough description of how each of the security requirements is implemented, or is planned to be implemented.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:
Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontractor compliance.