Compliance

What is a System Security Plan for NIST 800-171

10/2024

5 min read

Introduction

If you do business with the federal government, then you know that you are required to comply with the National Institute of Standards and Technology (NIST) 800-171 standard. This standard outlines the minimum requirements for protecting Controlled Unclassified Information (CUI) housed in non-federal systems and organizations. In order to comply with this standard, you must develop and implement a System Security Plan (SSP).

The Aegis platform builds and manages your company's 300+ page system security plan and other compliance paperwork. It also autogenerates the compliance artifacts needed to meet the NIST 800-171A cybersecurity standard and the DoD cybersecurity assessment methodology.

What is a System Security Plan?

A System Security Plan is a document that outlines the security controls and procedures in place to protect CUI. The SSP is tailored to fit the specific needs of your company and addresses the 14 families that are broken into 110 security controls outlined in NIST 800-171. During an assessment by your customer, the DoD, or a CMMC assessor, they will refer to the NIST SP 800-171A (auditor guide), which evaluates the 320 assessment objectives for these 110 controls. To demonstrate compliance, you’ll need to provide 2 out of 3 types of evidence for each assessment objective: something the assessor can examine, someone they can interview, or something they can test.

Why Do I Need a System Security Plan?

A System Security Plan is required in order to do business within the Aerospace and Defense industry. If you want to bid on or participate in a federal contract, then you must be able to demonstrate that you have adequate security measures in place to protect CUI in your contract. The SSP documents how your company has implemented the controls outlined in NIST 800-171.

In order to contract with the US Military or win a subcontract from a prime contractor in 2022, companies need to prove compliance with the DFARS 7012 cybersecurity requirements, which require an SSP for NIST 800-171.

Who Checks My System Security Plan?

The Department of Defense verifies compliance with this requirement through three different methods:

  • Basic Assessments - A self-assessment of the contractor’s implementation of NIST SP 800-171 that is based on the contractor’s review of their system security plan(s) associated with covered contractor information system(s) and is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology. All companies within the Defense Industrial Base handling CUI need to conduct a self-assessment at minimum. To complete a self-assessment, a system security plan is mandatory.
  • Medium Assessments - An assessment conducted by the Government that consists of a review of a contractor’s Basic Assessment, a thorough document review (including the System Security Plan), and discussions with the contractor to obtain additional information or clarification, as needed. As of 2022, the Department of Defense is actively conducting Medium Assessments to verify contractors’ Basic Assessments.
  • High Assessments - An assessment conducted by Government personnel using NIST SP 800-171A that consists of a review of a contractor’s Basic Assessment; a thorough document review; verification, examination, and demonstration of a contractor’s system security plan to validate that the NIST SP 800-171 security requirements have been implemented as described in that plan; and discussions with the contractor to obtain additional information or clarification, as needed. The Department of Defense was conducting High Assessments before 2022.

Prime contractors also conduct their own assessments on their vendors to verify they are fulfilling the obligations on their contract. Many prime contractors conduct reviews of a vendor's SSP to verify compliance.

How Do I Create a System Security Plan?

There are three methods of creating a system security plan.

  • In House - There is no one-size-fits-all approach to developing an SSP. The best way to get started is by taking inventory of the systems and data that need to be protected. Once you have a good understanding of your environment, you can start mapping out the security controls that need to be implemented. This is not recommended unless your company has an IT professional on staff.
  • Hiring a Consultant - Similar to the option above, except that you hire a consultant to serve as your IT professional. This process can be cumbersome and costly, as you are paying a third party to custom-build cybersecurity for your company.
  • Using Atomus Aegis - Atomus has built software that automates the process of implementing the NIST 800-171 technical controls. As a result, we can autogenerate large portions of the system security plan and custom-tailor the remaining sections to your company. This works extremely well for small businesses but is not a good option for large companies.

Conclusion

A well-developed SSP is essential for any organization that wants to do business with the federal government. An SSP outlines the security controls and procedures that are in place to protect CUI and ensures that your organization is compliant with NIST 800-171. Developing an SSP can seem daunting, but it doesn't have to be.

Need help getting started on your SSP? Our team of security experts can help you every step of the way. Contact us today to get started.
