System Security Plan (SSP) Outline Template | By Petronella Technology Group
This template provides the structure for a CMMC-compliant System Security Plan. The SSP is one of the most critical documents for CMMC assessment -- it describes your system boundaries, environment, and how each security requirement is implemented.
Document Control
| Field | Details |
|---|---|
| Organization | [Organization Name] |
| System Name | [Name of the information system / CUI enclave] |
| SSP Version | 1.0 |
| Date | [Date] |
| Prepared By | [Name, Title] |
| Classification | CUI // SP-SSP |
| Distribution | Limited to authorized personnel |
1. System Identification
1.1 System Name and Identifier
- System Name: [e.g., "Corporate CUI Enclave"]
- System Identifier: [Unique ID]
- System Owner: [Name, Title]
1.2 System Description
Provide a general description of the system's function and purpose.
[Describe what the system does, what type of information it processes, and its role in supporting organizational missions/business functions.]
1.3 System Type
- [ ] General Support System
- [ ] Major Application
- [ ] Cloud-Based System
- [ ] Hybrid
1.4 CMMC Level
- [ ] Level 1 (Foundational)
- [ ] Level 2 (Advanced)
- [ ] Level 3 (Expert)
2. System Environment
2.1 System Boundary
Define what is inside the system authorization boundary.
[Describe the logical and physical boundaries of the system. Include network segments, physical locations, and cloud tenants.]
2.2 Network Architecture
Attach or reference network diagrams.
- Network Diagram Reference: [Appendix X or filename]
- Key Network Segments:
  - [Segment 1: Description, VLAN, IP Range]
  - [Segment 2: Description, VLAN, IP Range]
  - [DMZ: Description]
2.3 Data Flow Diagram
Describe how CUI flows through the system.
- Data Flow Diagram Reference: [Appendix X or filename]
- CUI Entry Points: [How CUI enters the system]
- CUI Storage Locations: [Where CUI is stored at rest]
- CUI Exit Points: [How CUI leaves the system]
2.4 Hardware Inventory
| Asset Name | Type | OS/Firmware | Location | CUI Asset? | Owner |
|---|---|---|---|---|---|
| | Server | | | Yes/No | |
| | Workstation | | | Yes/No | |
| | Network Device | | | Yes/No | |
| | Mobile Device | | | Yes/No | |
2.5 Software Inventory
| Software | Version | Purpose | Vendor | License |
|---|---|---|---|---|
2.6 Ports, Protocols, and Services
| Port | Protocol | Service | Direction | Justification |
|---|---|---|---|---|
| 443 | TCP/TLS | HTTPS | Inbound/Outbound | Web traffic |
| 22 | TCP/SSH | Remote admin | Inbound | System administration |
3. System Interconnections
| Interconnected System | Organization | Type | Agreement | Description |
|---|---|---|---|---|
| | | | ISA/MOU/SLA | |
4. CMMC Assessment Scope -- Asset Categories
4.1 CUI Assets
Assets that process, store, or transmit CUI.
| Asset Name | Type | CUI Data Types | Location |
|---|---|---|---|
4.2 Security Protection Assets
Assets that provide security functions for the scope.
| Asset Name | Type | Security Function | Location |
|---|---|---|---|
| | Firewall | Boundary protection | |
| | SIEM | Audit logging | |
| | AD/IdP | Authentication | |
4.3 Contractor Risk Managed Assets
Assets that can, but are not intended to, process CUI.
| Asset Name | Type | Risk Management Control | Location |
|---|---|---|---|
4.4 Specialized Assets
Internet of Things (IoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), and test equipment.
| Asset Name | Type | Specialized Category | Assessment Criteria |
|---|---|---|---|
5. Roles and Responsibilities
| Role | Name | Responsibilities |
|---|---|---|
| System Owner | | Overall system security responsibility |
| Information System Security Officer (ISSO) | | Day-to-day security operations |
| IT Administrator | | System administration and maintenance |
| Network Administrator | | Network operations and security |
| Security Awareness Training Manager | | Training program management |
| Incident Response Lead | | Incident detection and response |
6. Security Control Implementation
For each CMMC practice, describe how it is implemented in your specific environment. Do not use generic statements -- assessors need to see how the control works in YOUR system.
Template for Each Practice
### [Practice ID] -- [Requirement Title]
**Requirement:** [Full text of the requirement]
**Implementation Status:** MET / NOT MET / PARTIAL
**Implementation Description:**
[Describe specifically how this control is implemented in your environment.
Include: what tool/technology, how it is configured, who manages it,
and how you verify it is working.]
**Evidence/Artifacts:**
- [Document, screenshot, configuration export, etc.]
- [Policy name and section]
- [Tool dashboard or report]
**Responsible Role:** [Who manages this control]
6.1 Access Control (AC)
[Document each AC practice using the template above]
6.2 Awareness and Training (AT)
[Document each AT practice]
6.3 Audit and Accountability (AU)
[Document each AU practice]
6.4 Configuration Management (CM)
[Document each CM practice]
6.5 Identification and Authentication (IA)
[Document each IA practice]
6.6 Incident Response (IR)
[Document each IR practice]
6.7 Maintenance (MA)
[Document each MA practice]
6.8 Media Protection (MP)
[Document each MP practice]
6.9 Personnel Security (PS)
[Document each PS practice]
6.10 Physical Protection (PE)
[Document each PE practice]
6.11 Risk Assessment (RA)
[Document each RA practice]
6.12 Security Assessment (CA)
[Document each CA practice]
6.13 System and Communications Protection (SC)
[Document each SC practice]
6.14 System and Information Integrity (SI)
[Document each SI practice]
7. Continuous Monitoring Strategy
Describe how security controls are monitored on an ongoing basis.
| Control Area | Monitoring Method | Frequency | Responsible |
|---|---|---|---|
| Access Control | Access review | Quarterly | |
| Vulnerability Management | Automated scans | Monthly | |
| Configuration | Baseline comparison | Quarterly | |
| Audit Logs | SIEM review | Continuous | |
| Malware Protection | Console monitoring | Daily | |
| Patch Management | Compliance reports | Monthly | |
8. Plans of Action and Milestones (POA&M)
Reference the POA&M document for any controls that are not fully implemented.
- POA&M Document Reference: [Filename or Appendix]
- Number of Open POA&Ms: [Count]
- Target Date for Full Compliance: [Date]
9. Appendices
- Appendix A: Network Architecture Diagram
- Appendix B: Data Flow Diagram
- Appendix C: Hardware Inventory (detailed)
- Appendix D: Software Inventory (detailed)
- Appendix E: Ports, Protocols, and Services (detailed)
- Appendix F: Interconnection Agreements
- Appendix G: POA&M
10. Document Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| System Owner | | | |
| ISSO | | | |
| Senior Management | | | |
Need help developing your SSP? Contact Petronella Technology Group -- CMMC Registered Practitioner on staff.