System Security Plan

Document describing security controls implemented to protect an information system.

Definition

A System Security Plan (SSP) is a formal document that provides an overview of an information system's security requirements and describes the security controls in place, or planned, to meet them. It is required for federal systems under FISMA (following NIST SP 800-18 and the Risk Management Framework) and for defense contractor systems under DFARS 252.204-7012, which mandates NIST SP 800-171 (requirement 3.12.4 of that publication is the SSP requirement itself). The SSP documents the system boundary, the operational environment, the system's security categorization, and the implementation status of each required control, and it is the baseline against which assessors test the system (NIST SP 800-53A or 800-171A) and against which an authorization decision is made.

For NIST SP 800-171 compliance, the SSP must describe how each of the 110 security requirements (Revision 2) is implemented, or explain why a requirement is not applicable to the system. Requirements that are not yet fully implemented are not recorded as met; they are tracked in the accompanying Plan of Action and Milestones (POA&M) with a target completion date. The SSP must be kept current and updated whenever a system change affects its security posture, since an assessment performed against a stale SSP does not reflect the system actually in operation.

Also Known As

  • SSP
  • Security Plan
  • NIST 800-171 SSP

Common Mistakes to Avoid

  • Creating generic or template SSPs that don't reflect how the controls are actually implemented on this system
  • Not updating the SSP when the system, its boundary, or its environment changes
  • Documenting planned controls as implemented instead of tracking them as open items in the POA&M

Who Should Know This Term

System owners, security officers, Information System Security Officers (ISSOs), compliance managers

Official Source

NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems