System Security Plan for 800-171 and CMMC

This video by Amira Armond / CMMCAudit.org is a free one hour training on how to create a high quality System Security Plan (SSP).

PLEASE NOTE: This video was recorded in mid-2021! It includes references to “CMMC Level 3” which was the standard for Controlled Unclassified Information back in 2021. CMMC now uses “Level 2” for protection of Controlled Unclassified Information. This does not significantly change how you write a system security plan. The #1 difference is that the NIST template with 800-171 requirements is MORE accurate now than it was when this video was recorded.

Why do we need a System Security Plan (SSP)?

Having a System Security Plan is required by NIST SP 800-171 , CMMC Level 2 and above. The NIST SP 800-171 DoD Self Assessment should not be performed without a system security plan, per DoD instructions.

Training for CMMC and NIST SP 800-171

This video is provided for educational and training purposes only. We highly recommend engaging with a qualified cybersecurity practitioner to create your system security plan and perform self assessments. In our opinion, only senior level IT professionals or intermediate level cybersecurity practitioners have the background necessary to fully understand the requirements in 800-171 and CMMC Level 2.

References

NIST website for 800-171 Rev 2

DoD CMMC website: https://dodcio.defense.gov/CMMC/

CMMCaudit.org’s network diagrams (scope) article

dodcui.mil

archives.gov/cui

NIST website for 800-18 Guide for Developing a Security Plan

NIST SP 800-171 DoD Assessment Methodology

Thanks for watching and up-voting!

If this was helpful to you, please share this page or the video with others. If you see any wrong information, or want to add some tips, please comment!

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions LLC is in progress to become a CMMC assessment organization and has several Registered Practitioners and Certified Assessor candidates on staff. Amira is also the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification. 

5 thoughts on “System Security Plan for 800-171 and CMMC

  1. InterestedReader says:

    Hi all, I know this is for SSP – System Security Plan, but where could I find some information, videos, samples, anything on writing a Resource Plan?
    Thank you all.

  2. Mark Stoops says:

    Amira – good discussion. With CMMC looming, we are working toward an SSP that covers the system(s) and all the big picture stuff; but we are thinking about pulling the 17 controls families (along with the controls) out of the SSP body and speaking to them each as addendums to the SSP. So we would have 17 addendums that get specific on the controls for the family. The idea is to keep the SSP at a higher level and not clutter it with all the details about control implementation. I’m curious if you have heard of this idea -or- if you have thoughts on it.
    Thanks,
    Mark

    • Amira Armond says:

      Hello Mark,
      In large companies with complex information systems, it is common to have several SSPs which cover different aspects of the system, which are all related to a higher level SSP. There is no requirement for using a single document. Do what makes the most sense for your business.

  3. Michael S. McLaughlin says:

    Hello Amira. Believe me, we “little guys” really appreciate your help!

    I’ve got one comment about the NIST SP 800-171 template CUI-SSP-Template-final.docx. It still has an error in it that I’m not really sure how to get fixed…but I’ll bet you have a good idea! Section 3.3 and 3.4 both list the titles as “Audit and Accountability.” Section 3.3 is actually Audit and Accountability. Section 3.4 is actually “Configuration Management” and should be changed.

    Thanks again for all of the education you do!

    Mike

Leave a Reply

Your email address will not be published. Required fields are marked *