Demystifying the CMMC System Security Plan (SSP)

Jason Puleri, CISSP, CMMC CCA

Coalfire Federal

An important part of the requirements for companies in the Defense Industrial Base (DIB) seeking Cybersecurity Maturity Model Certification (CMMC) is writing an effective System Security Plan (SSP). Federal Information Processing Standards (FIPS) 200 and numerous National Institute of Standards and Technology (NIST) Special Publications (SPs) define the System Security Plan as a “Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements” (1). 

The concept of an SSP is not new to CMMC. For example, the SSP requirement for CMMC is rooted, in part, in the NIST SP 800-18 rev1 Guide for Developing Security Plans for Federal Information Systems. This document was written in 2006, and as its name implies it was written for Federal Information Systems. Therefore, the major emphasis is meeting the minimum security requirements of FIPS 200 via implementation of NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. However, CMMC was designed to support non-federal companies in completing federal work and the system boundary guidance associated with 800-18  was not designed for commercial or non-federal systems.

Indeed, while numerous publications exist that can guide you in your journey to write an SSP, no previous guidance was written specifically to satisfy the requirements of CMMC, including the NIST 800-171 template. The NIST 800-171 template is a good starting point but alone, it is insufficient for achieving CMMC compliance and certification. 

DFARS clause 252.204-7012 and the recently released CMMC Proposed Rule both require DIB contractors to conduct and document an annual NIST SP 800-171 self-assessment and load the results to the Department of Defense’s Supplier Performance Risk System (SPRS).As part of this requirement, contractors are required to develop a System Security Plan (SSP) detailing the policies and procedures their organization has implemented.  This is the reason why many Organizations Seeking Certification (OSCs) have used the NIST 800-171 Rev 2 SSP template to complete an SSP as part of meeting compliance requirements. Therefore, the temptation exists to simply recycle this document or SSPs written for other frameworks used within the organization such as Payment Card Industry Data Security Standard (PCI DSS) or System Organization Controls (SOC) for the purpose of CMMC compliance. 

Depending on the template alone is insufficient for several reasons:

1. The template lacks the addition of asset categorization for CMMC.

The CMMC Level 2 Assessment Guide states “Prior to conducting a CMMC assessment, the contractor must specify the CMMC Assessment Scope. The CMMC Assessment Scope informs which assets within the contractor’s environment will be assessed and the details of the assessment. To specify the CMMC Assessment Scope, contractors will map their assets into one of the following five categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets” (2). Additionally, these assets (except for Out-of-Scope Assets), must be documented in the asset inventory and SSP.

2. Another requirement often overlooked is the identification of organizational security personnel.

The CMMC Proposed Rule states, “The SSP will also outline the roles and responsibilities of security personnel to ensure that CUI is appropriately protected” (3). The only roles identified in the SSP template are the Information Owner, System Owner, and System Security Officer. Simply following the SSP template may lead to shortcomings in this area since most organizations will need to list numerous additional or even a different set of personnel filling those roles according to the way security responsibilities are assigned and accomplished.

3. The SSP template only requires the addition of a network diagram/topology to detail the devices in your boundary.

However, those undergoing a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Joint Surveillance Assessment (JSVA) or CMMC assessment will need to provide an information flow diagram to show the flow and boundaries of CUI within their networks. As part of Phase 1 of the CMMC Assessment Process (CAP), the lead assessor will conduct the “CMMC Assessment Scope: the boundaries within an organization’s networked environment that contain all the assets that will be assessed. CMMC Assessment Scope is initially determined by the OSC and then validated by the C3PAO. More information on how to consider and determine an OSC’s proper CMMC Assessment Scope can be found in the DoD manual, CMMC Assessment Scope – Level 2”(4). A proper information flow diagram is not only essential for meeting this requirement but is crucial for properly scoping the CUI boundary. A network diagram or topology is not enough to determine the proper assessment scope for CMMC. Not getting it right can literally tank your assessment before it even starts. Additionally, several CMMC practices require the proper understanding, safeguarding, and documentation of the CUI information flow for compliance. 

4. Last but certainly not least, NIST 800-171R2 consists of basic and derived security requirements, CMMC is organized by practices and objectives.

A CMMC Level 2 assessment consists of 110 practices and 320 assessment objectives. From the Level 2 Assessment Guide “Assessment objectives are provided for each practice and are based on existing criteria from NIST SP 800-171A. The criteria are authoritative and provide a basis for a CMMC Certified Assessor to conduct an assessment of a practice” (2). The biggest problem with relying solely on the 171 SSP template, even the “CUI version,” is the absence of the assessment objectives.  For an assessor to “verify and validate the contractor has properly implemented the practices” (2), they must also examine how the corresponding objectives are met. If this cannot be done, organizations being assessed will not achieve the desired outcomes. Although no requirement exists for the assessment objectives to be addressed in the SSP, they must be addressed somewhere. Documenting the practices and objectives in the SSP should be done at a high level, complimented by detailed references documented in a comprehensive set of policies and procedures. These policies should be further broken down by practice family to organize the material in a logical and effective manner. Remember, the goal here is to present a compelling, easy to follow set of evidence rather than expecting an assessor to go on a treasure hunt to find answers. Thorough but concise, logically organized documentation is the key!

How Coalfire Federal Can Help You

Coalfire Federal’s certified CMMC advisors are all trained as assessors and accordingly, they know what good looks like when it comes to CMMC preparedness. Our advisors are prepared to conduct a comprehensive CUI boundary and gap analysis that benefits clients in numerous ways. A CUI boundary analysis will deliver important and often overlooked requirements that may be missing from your SSP. A properly scoped CUI boundary will provide an accurate and detailed list of CUI assets, making sure no stone is left unturned. Also, determining the flow of CUI through your organization will ensure the correct technology, information, personnel, and facilities that handle and secure CUI are identified and documented. Following the CUI Boundary, a Gap Analysis will walk your team through each of the 110 CMMC practices and 320 objectives, ensuring you not only have a comprehensive understanding of the requirements and where your organization’s level of compliance stands, but are also provided a “roadmap to compliance” to achieve your compliance goals. Contact us to learn more about how Coalfire Federal can be your trusted compliance partner. 


About the author

Jason Puleri

Jason Puleri is an experienced Senior Security Analyst at Coalfire Federal. During the week you can find Jason providing NIST 800-171 and CMMC advisory and assessment services and responding to various customer support inquiries. Jason believes operating with integrity and excellence are the key core values to enhancing the Defense Industrial Base’s (DIB) cybersecurity posture. Jason is a Certified CMMC Assessor (CCA), Certified Information System Security Professional (CISSP), holds a Masters Degree in Cybersecurity from Utica University, and has provided security services around the world as a U.S. Air Force veteran and government contractor. Outside of work, Jason enjoys mountain biking, traveling, and spending time with his family in beautiful Colorado.