A System Security Plan (SSP) is crucial to your organization’s third-party risk management. First, it standardizes risk assessments and due diligence questionnaires so that organizations can better evaluate third-party risk. Second, it standardizes risk rating and scoring so your organization can evaluate the risks from different vendors. Finally, SSPs promote continuous monitoring of your system and provide an outline of steps organizations can take to remediate any security gaps.

What is a System Security Plan (SSP)?

A System Security Plan is a formal document that protects your organization’s IT system and ensures the confidentiality, integrity, and availability of controlled unclassified information (CUI). CUI is a specific class of data that is generated by or in the possession of the U.S. federal government.

NIST defines an SSP as: “A formal document that provides an overview of the security requirements for an information security program and describes the security controls in place or planned for meeting those requirements.”

System Security Plans include information such as:

  • The types of CUI your organization handles.  
  • The security controls that are in place to safeguard CUI and any controls that are needed in the future. 
  • Goals or strategies for your organization’s cybersecurity program, such as implementing cybersecurity awareness training for employees or incident response preparedness. 
  • An incident response plan, with details on how your organization would respond in the event of a breach or other security incident to ensure the quickest response possible.

SSPs are important because they help align your entire organization around a set of security controls, provide a foundation for risk management, and are a proactive defense strategy against future data breaches, exfiltration and other attacks.

Why are SSPs Important for NIST 800-171 and CMMC Compliance?

SSPs help to provide legal protection in the event of a security incident by meeting certain compliance standards and frameworks such as NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC). An SSP is a proactive strategy for risk mitigation, as it serves as a guideline for how the organization deals with CUI and how it would respond in the event of a cybersecurity incident. If legal proceedings do ensue, however, the SSP serves as a comprehensive document that lists the security controls implemented and helps defend against claims of non-compliance, reducing penalties.

System Security Plans for NIST 800-171 Compliance

Organizations implementing a System Security Plan for NIST 800-171 compliance must be aware of the latest requirements. NIST SP 800-171 includes requirements for protecting CUI data, and compliance is required of any organization wishing to do business with the U.S. federal government. The latest version of NIST SP 800-171, version 3.0, includes three additional control families with the goal of strengthening supply chain risk management. In addition, the number of required security controls decreased, but the number of assessment points increased.

System Security Plans for CMMC Compliance

In 2021, the Department of Defense announced version 2.0 of the Cybersecurity Maturity Model Certification (CMMC), which requires organizations to implement a System Security Plan. The CMMC is a framework designed to strengthen the cybersecurity of organizations that do business with the U.S. federal government. It includes 17 different domains, most of which are based on NIST 800-171 and Federal Information Processing Standards (FIPS) 200, but it adds three additional domains: recovery, situational awareness and asset management.

The CMMC is different from NIST 800-171 because it requires external third-party assessments to ascertain whether the relevant NIST standard has been met. It also includes five different levels of maturity, or levels of certification. In the original CMMC framework, organizations that sought level 2 certification and above were required to implement a System Security Plan for their organization.

How to Develop a System Security Plan

Regardless of the reason for developing your SSP, you’ll need to take the proper steps to implement it. These steps will be slightly different depending on the type of SSP you decide to implement (e.g. organizational, issue-specific or system-specific).

General steps for developing an SSP include:

  1. Determine the scope. Which regulatory compliance requirements are you trying to meet? What systems store or process CUI? Which roles in your organization are involved in CUI? 
  2. Gather your data and documentation. Locate the documentation that explains the current cybersecurity situation for the scope you’ve determined above. 
  3. Define your goals. Your cybersecurity goals should also include metrics such as the time it takes to detect and respond to incidents; percentage of patched systems; and incident response time. 
  4. Identify the necessary security controls. You’ll need to determine the current security controls in place, any gaps that exist in your current cybersecurity plan and any new security controls that could help close those gaps. 

  5. Implement continuous monitoring. Once your SSP is implemented, you’ll need to put a system in place to maintain compliance and improve your cybersecurity posture. This should include procedures for vulnerability management, log analysis and deploying intrusion detection systems (IDS).

How Panorays Helps You Manage Third Party Risk

Panorays delivers a contextual approach to third-party cyber risk, allowing you to customize your risk models according to different factors. With Panorays, you can implement an SSP that accurately identifies third-party risk and strengthens your security posture to address future threats.

Its comprehensive assessments for third-party risk include:

  • Supply Chain Discovery and Mapping. Automatically discover unknown third, fourth, and n-th parties in your supply chain and define the relationship between your organization and each third party. 
  • Risk DNA Assessment. Conduct both internal and external assessments of your third parties and determine each supplier’s risk appetite. Risk DNA also takes into account all third-party breach history and generates AI-driven predictions for future data breaches. All of these elements work together to deliver the most accurate cyber risk rating of your third parties on the market today.
  • Continuous Threat Detection. Leverage third-party threat intelligence and a contextualized view of your supply chain to get alerts of any relevant data breaches or supply chain attacks from third parties.
  • Remediation and Collaboration. Close supplier gaps immediately with an aggregated remediation plan for each vendor. Each plan takes into consideration your risk appetite, critical findings and potential business impact of each risk.
