In 2020 the U.S. Department of Defense (DoD) declared that any business providing products or services to the DoD or its supply chain will need to begin compliance with a new cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC).
As part of CMMC compliance, businesses will also need to have a System Security Plan (SSP) in place. That requirement is spelled out in several regulations: CMMC provision CA.2.157, NIST 800-171 security requirement 3.12.4, and DFARS 7012.
Specifically, a business covered by any of those rules must:
“develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
This requirement was designed to ensure that contractors and suppliers for the DoD have sufficient security controls in place and prioritize security alongside other top considerations such as safety and quality.
So to answer the original question: yes, you need a system security plan that meets CMMC requirements if you fall under CMMC Level 2 or higher.
Before we get into what SSPs are, what’s included in one, and how you can create one, let’s briefly review the different levels of CMMC.
The 5 Levels of CMMC Certification
CMMC Level 1 – Basic Cyber Hygiene
To pass an audit at this level, DoD contractors must implement 17 controls of NIST 800-171 Rev 1.
CMMC Level 2 – Intermediate Cyber Hygiene
To pass an audit at this level, DoD contractors must implement another 48 controls of NIST 800-171 Rev 1 plus seven more controls specified under “Other controls.”
CMMC Level 3 – Good Cyber Hygiene
At this level, DoD contractors must implement the final 45 controls of NIST 800-171 Rev 1 plus 13 more controls specified under “Other controls.”
CMMC Level 4 – Proactive Cybersecurity
At Level 4 certification, DoD contractors must implement 11 more controls of NIST 800-171 Rev 2 plus another 15 controls specified under “Other controls.”
CMMC Level 5 – Advanced/Progressive Cybersecurity
To achieve this highest level of compliance, DoD contractors must implement the final four controls in NIST 800-171 Rev 2, plus 11 more controls specified under “Other controls.”
Now we can move on to the concept of SSPs.
What are SSPs?
A system security plan (SSP) is a document that defines how an organization enforces its security requirements.
The goal of an SSP is to provide transparency into a DoD contractor or subcontractor’s cybersecurity stance, through a written explanation of its security requirements and the controls implemented for safeguarding controlled unclassified information (CUI).
What is included in an SSP?
Your SSP should include an overview of the following:
- The roles and responsibilities of every member of the organization’s security team
- A detailed explanation of the information security standards the organization complies with
- High-level diagrams that depict how connected systems work with one another
- An outline of defense strategies
- Interface and network protocols
While an SSP is a high-level overview, it should incorporate enough detail to guide the reader through the design and execution of the organization’s systems.
How do I create an SSP for CMMC?
To help you get started creating your SSP, follow these steps:
Step 1: Gather documentation
Gather all documentation that details your existing cybersecurity program and is relevant to a CMMC or NIST 800-171 compliance assessment. Check with any relevant stakeholders to ensure that the documentation is up to date.
Step 2: Identify the gaps
Next, identify the gaps between your existing documentation and what’s required according to the CMMC, NIST, and DFARS clauses.
Step 3: Fill the gaps
You will need to implement a compliance program to create any remaining documentation or cybersecurity requirements that you’re currently lacking.
Step 4: Compile your SSP
Per Defense Department recommendations, you must then organize all your documentation into an SSP template to ensure that you’re ready when the time comes for a compliance audit.
How ZenGRC can help you build your SSP
Running a CMMC assessment and designing an appropriate system security plan can be a challenging undertaking, but the requirements are pretty clear: no SSP means no Defense Department contract.
You need to be sure that your organization has done its due diligence to comply with all applicable NIST SP, DFARS, and CMMC compliance requirements. As your organization grows, this simply can’t be done with a collection of Excel spreadsheets.
ZenGRC can help ensure that your organization meets all requirements for CMMC certification and accreditation.
Our templates make baseline self-assessments a breeze, while our easy-to-use, central dashboard provides an integrated view of your compliance stance, across all applicable frameworks, showing you where the gaps are in your cybersecurity program and how to fill them.
ZenGRC stores and organizes all related documentation, so it’s readily available in the event of an audit by compliance assessors.
ZenGRC can support a variety of compliance frameworks aside from those mentioned here, including FedRAMP, HIPAA, COSO, and others.
Worry-free compliance and risk management is the Zen way! Learn how ZenGRC can help you achieve your CMMC and SSP requirements by booking a demo today.