System Security Plan (SSP) Template
NIST SP 800-171 Rev 3 Compliance
Document Control
| Field | Value |
|---|---|
| Document Title | System Security Plan |
| System Name | [System Name] |
| Organization | [Organization Name] |
| Version | 1.0 |
| Date | [Date] |
| Author | [Name/Title] |
| Classification | CUI // SP-SSP |
| Next Review Date | [Date -- quarterly minimum] |
Revision History
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | [Date] | [Name] | Initial SSP |
1. System Identification
1.1 System Name and Description
System Name: [Official name]
System Description: [Describe the system's purpose, what it does, what data it processes, and why it exists. Include the business functions it supports.]
System Type: [ ] General Support System [ ] Major Application [ ] Cloud-based [ ] Hybrid
1.2 System Categorization
CUI Categories Processed: [List specific CUI categories -- e.g., CTI, ITAR, EXPT, PRVCY]
Impact Level: [ ] Low [ ] Moderate [ ] High
1.3 System Owner
| Role | Name | Title | Contact |
|---|---|---|---|
| System Owner | [Name] | [Title] | [Email/Phone] |
| Information Owner | [Name] | [Title] | [Email/Phone] |
| Security Officer | [Name] | [Title] | [Email/Phone] |
2. System Environment
2.1 System Architecture
[Include network architecture diagram showing all components within the system boundary, connections to external systems, and data flows. Clearly mark the authorization boundary.]
2.2 Hardware Inventory
| Asset Name | Type | Location | IP Address | Function | CUI Contact |
|---|---|---|---|---|---|
| [Name] | Server/Workstation/etc. | [Location] | [IP] | [Purpose] | Yes/No |
2.3 Software Inventory
| Software | Version | Vendor | Function | License |
|---|---|---|---|---|
| [Name] | [Ver] | [Vendor] | [Purpose] | [Type] |
2.4 Network Architecture
[Describe network topology, VLANs, segmentation, firewalls, and how the CUI boundary is isolated from non-CUI systems.]
2.5 Data Flow
[Describe how CUI enters the system, moves through it, and exits. Include data-at-rest and data-in-transit considerations.]
3. System Interconnections
| Connected System | Organization | Connection Type | Data Exchanged | Authorization |
|---|---|---|---|---|
| [System] | [Org] | [VPN/API/etc.] | [CUI types] | [ISA/MOU ref] |
4. Security Requirement Implementation
For each of the 110 NIST 800-171 requirements, document how it is implemented in your environment. Include specific tools, configurations, and policies.
4.1 Access Control (AC)
03.01.01 -- Account Management
- Implementation Status: [ ] Implemented [ ] Partially [ ] Planned [ ] N/A
- Implementation Description: [How do you limit system access to authorized users? Describe the specific mechanisms -- Active Directory groups, RBAC roles, access request/approval process, periodic access reviews.]
- Evidence: [Reference specific policies, configurations, or tool outputs]
- ODP Values: [Organization-defined parameters, if applicable]
[Repeat for each requirement in this family...]
4.2 Awareness and Training (AT)
[Repeat pattern for each family...]
[Continue through all 17 control families and 110 requirements]
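As an added example that is not part of the template, the following Python lint reads section 4 entries written in the format above and flags two common SSP defects: a requirement with no single implementation status ticked, and a requirement marked Implemented or Partially whose Evidence field is still blank or still holds the bracketed prompt. The three sample entries (and the filler text for 03.01.02 and 03.01.03) are constructed for the demonstration.

```python
import re
from collections import Counter
# Constructed sample of three section 4 entries; 03.01.02/03.01.03 text is filler to exercise the checks.
SAMPLE_SSP = """\
03.01.01 -- Account Management
- Implementation Status: [ ] Implemented [x] Partially [ ] Planned [ ] N/A
- Implementation Description: AD groups, RBAC roles, quarterly access reviews.
- Evidence: AC-POL-01; AD group export; 2024-Q1 access review minutes
03.01.02 -- Access Enforcement
- Implementation Status: [x] Implemented [ ] Partially [ ] Planned [ ] N/A
- Implementation Description: RBAC enforced on CUI file shares.
- Evidence: [Reference specific policies, configurations, or tool outputs]
03.01.03 -- Information Flow Enforcement
- Implementation Status: [ ] Implemented [ ] Partially [ ] Planned [ ] N/A
- Implementation Description: [How do you control CUI flow between segments?]
- Evidence:
"""

REQ_HEADER = re.compile(r"^(\d{2}\.\d{2}\.\d{2}) -- (.+)$")
STATUS_BOX = re.compile(r"\[([ xX])\] (Implemented|Partially|Planned|N/A)")
PLACEHOLDER = re.compile(r"^\s*(\[.*\])?\s*$")  # blank, or still a [template prompt]

def parse_requirements(text):
    """Split section 4 text into one dict per requirement: id, title, fields."""
    reqs, current = [], None
    for line in text.splitlines():
        m = REQ_HEADER.match(line)
        if m:
            current = {"id": m.group(1), "title": m.group(2), "fields": {}}
            reqs.append(current)
        elif current and line.startswith("- "):
            key, _, value = line[2:].partition(":")
            current["fields"][key.strip()] = value.strip()
    return reqs

def lint(text):
    """Return (status counts, findings) for every requirement entry in text."""
    counts, findings = Counter(), []
    for r in parse_requirements(text):
        f = r["fields"]
        boxes = STATUS_BOX.findall(f.get("Implementation Status", ""))
        checked = [name for box, name in boxes if box.strip()]
        if len(checked) != 1:  # none ticked, or more than one ticked
            findings.append(f"{r['id']}: expected one status box checked, got {len(checked)}")
            counts["Invalid"] += 1
            continue
        counts[checked[0]] += 1
        if checked[0] in ("Implemented", "Partially") and PLACEHOLDER.match(f.get("Evidence", "")):
            findings.append(f"{r['id']}: marked {checked[0]} but no evidence cited")
    return counts, findings
```

Running `lint()` over the real section 4 text before an assessment gives a quick count per status and a list of entries an assessor would reject for missing evidence.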
5. Continuous Monitoring Strategy
5.1 Monitoring Activities
| Activity | Frequency | Tool/Method | Responsible |
|---|---|---|---|
| Vulnerability scanning | Weekly | [Tool] | [Role] |
| Configuration compliance | Monthly | [Tool] | [Role] |
| Log review | Daily (automated) | [SIEM] | [Role] |
| Access review | Quarterly | [Process] | [Role] |
| Penetration testing | Annual | [Provider] | [Role] |
| Security assessment | Annual | [Provider] | [Role] |
5.2 Reporting
| Report | Frequency | Audience | Owner |
|---|---|---|---|
| Security dashboard | Real-time | SOC/IT | [Role] |
| Monthly security summary | Monthly | Management | [Role] |
| Quarterly compliance report | Quarterly | Executive | [Role] |
| Annual assessment report | Annual | Executive/Board | [Role] |
6. Plan of Action and Milestones
All identified gaps are tracked in the POA&M document. See poam-template.md.
| Current SPRS Score | Target SPRS Score | Target Date |
|---|---|---|
| ___ / 110 | ___ / 110 | [Date] |
7. Approval
| Name | Title | Signature | Date |
|---|---|---|---|
| [System Owner] | [Title] | ___ | [Date] |
| [Security Officer] | [Title] | ___ | [Date] |
| [Authorizing Official] | [Title] | ___ | [Date] |
Template provided by Petronella Technology Group. For SSP development assistance, contact 919-348-4912.