Compliance with federal cybersecurity guidelines is three things:
- Sensible for all service providers, as a baseline minimum for good security practices.
- Absolutely required for any cloud service provider looking to work with a federal agency.
- Taken very seriously.
It’s also a very complex set of rules, guidelines, and standards that address everything from the physical security of your servers and network access to the training your employees receive.
On top of that, it’s packed full of acronyms and definitions, all of which have specific meaning. The SSP is one of them: it’s a critical document you need in order to win government contracts, and it is part of the CMMC.
So, what are those? Let’s dig in, discuss what they are and why you need them, and finally, how to put one together.
What is CMMC?
Let’s start at the top: what is the CMMC?
The CMMC is the Cybersecurity Maturity Model Certification, a program designed by and for the Department of Defense (DoD). It applies to any company that wants to work as a contractor for the DoD itself or for any of its supply chain partners. That means if your services company wants to work with the DoD directly, you need to comply with the CMMC. It also means that if you want to work with another company that itself works with the DoD, you need to comply with the CMMC as well.
In order to be certified under the CMMC program, you need to comply with DFARS: the Defense Federal Acquisition Regulation Supplement. DFARS requires that your company have two important documents: SSP and POAM. We’ve covered POAM, the Plan of Action and Milestones document, already.
To understand what an SSP is, first you need to understand how government cybersecurity certification works.
The various controls and requirements for modern cybersecurity best practices are outlined in the National Institute of Standards and Technology (NIST) document 800-171. We’ve covered this document in detail before here. It’s a detailed document and there are over 100 different controls that are important to government security.
One of the greatest weaknesses of NIST SP 800-171 is that, for most federal government contracts, the low priority of the information and the relative lack of review mean that most service providers are simply allowed to self-certify. While periodic spot-checks can occur, most of the time the government agencies will take a company at its word; after all, if a breach happens and it turns out the company lied about its adherence to the security standards, there will be hell to pay.
That may work for a subcontractor to a prime contractor or for a mid-size organization, but the Department of Defense has taken a stronger stance. They – and their supply chain – are frequently the target of all manner of attacks, from cyberespionage to spear-phishing to brute force attacks. They can’t afford lax security, even among secondary contractors.
Thus, the CMMC was created. It’s essentially a Department of Defense initiative to address the weakness of simple self-attested adherence to NIST SP 800-171 without third-party oversight, auditing, and certification. The SSP is a critical part of this process.
What is an SSP?
An SSP is a System Security Plan. It’s a comprehensive document that is kept updated periodically as both standards and business practices change. It outlines all of the security controls that your organization has in place to adhere to CMMC and NIST SP 800-171 control requirements. It addresses each control along three axes: the confidentiality, the integrity, and the availability of controlled unclassified information (CUI) and other sensitive data within your organization.
The NIST has a number of different definitions of the SSP, but in general, this is what they say:
“Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.”
In broad strokes, the purpose of the SSP is to be a resource that auditors can use to evaluate your business’s cybersecurity posture – that is, the state of security within and surrounding your systems – in a readable and relatively simple way.
What information is included in an SSP? It can vary, but you will often find:
- Specifics about the scope of your system and your components.
- A review of each NIST control that you have in place to meet the requirements of CMMC.
- Descriptions of the kinds of information your organization handles.
- Discussions of how your organization handles and uses that information.
- Information about network configurations and access controls.
- Details on connections to other systems and how they’re secured.
- Contingency and incident response procedures and plans.
- Any additional security standards or frameworks you comply with.
- The specific roles and responsibilities of members of the security team.
- Detailed references and citations of specific cybersecurity policies.
- Diagrams showing how your network and systems communicate and handle information.
- Overall goals, such as implementing defense-in-depth strategies.
As you can already tell, the SSP is both a very serious document and a very detailed document. It’s not something your company puts together over a weekend to apply for government contracts; it’s a complete rundown and review of your organization, top to bottom, inside and out, including a comprehensive overview of how you handle any and all information and how that information is protected.
Finally, the SSP should also acknowledge what gaps, if any, exist in the implementation of security controls, and the goal of implementing them. The specific process and timeline for that implementation is covered in the POAM, but the SSP should explicitly reference the POAM.
What Companies Need an SSP?
Any company that wants to work with the Department of Defense or a contractor in the Department of Defense supply chain is required to adhere to the CMMC framework, and thus needs an SSP.
- Defense suppliers.
- Colleges and universities that work with the government.
- Any other government agency.
- Prime contractors for the Department of Defense.
- Companies within the overall Defense Industrial Base that handle CUI.
- Any cloud services provider looking to obtain a FedRAMP Authority to Operate.
Additionally, the Federal Information Security Management Act, or FISMA, requires that all US government agencies and all third-party partners to those agencies create an SSP under the FedRAMP Program. Over time, more and more government certifications and contract clauses are requiring SSPs.
How to Create a Certifiable SSP
The actual process of creating a System Security Plan requires extreme attention to detail and comprehensive knowledge and documentation of your company and its processes. Fortunately, there are a number of tools and platforms available – like Ignyte Platform – that can help. Overall, here’s the process.
Step 1: Define your organization’s scope.
The scope of the SSP is perhaps the hardest part of creating the SSP. If your scope ends up too small, you’ll need to go back and start over with a broader scope when you encounter a problem.
What’s included in the scope of the SSP? It’s a list of the systems, data, physical assets, and virtual assets that will be covered by the CMMC and its security controls.
You can define your scope by tracing how you handle information. If you win a DoD contract and are able to access Controlled Unclassified Information (CUI), where does that information go? Who handles it, what physical machines touch it, what software touches it, and how is it handled, processed, and stored? All of this, when defined, becomes the list of systems and assets that need to adhere to overall security controls.
Scope also involves identifying which standards, like NIST SP 800-171, you will need to implement. For most potential DoD contractors, NIST SP 800-171 is the guiding light. However, in some circumstances, you may have additional controls and security systems you will need to implement on top of the standard list of controls. These are generally specified in the kinds of contracts you’re seeking and will be related to the agency you work with and the services you provide, such as the specified CUI controls for protecting U-NNPI (Unclassified Naval Nuclear Propulsion Information).
Step 2: Gather documentation.
If your company is considering governmental agency contracts, chances are you aren’t a fly-by-night startup just winging it as you go. You likely have some degree of cybersecurity best practices and company policies already in place. So, your next step is to gather up all documentation about those current policies and security processes. You don’t need everything your company has; just what is relevant to the scope of your SSP.
Make sure all of this documentation is up to date, and more importantly, make sure that your company adheres to it. A common source of friction and failed auditing is a company that has a policy in place, but in practice, fails to adhere to it.
Step 3: Identify relevant security controls.
Next, using the information you’ve gathered, you can compare your current security posture to the required security posture for the level of certification you’re seeking, which is most commonly CMMC level 2.
This will be a comprehensive list of all controls that you will need to implement, covering controls that you have intentionally implemented, controls that you have incidentally implemented, and controls you have yet to implement.
Step 4: Perform a gap analysis and build a plan.
At this point, you have two key groups of information: your current security posture and your required security posture. You can then perform a gap analysis to identify the difference, and develop a plan to implement any controls you have yet to implement.
Some of these controls are considered essential and given high value; you cannot apply or win a contract without having them in place already. Others are considered less essential and lower value. These, you can put in a POAM and work to achieve over the next six months. For more, read our guide to POAMs.
Step 5: Implement as much as possible and seek certification.
Once you know where you are, and you know where you’re going, and you know how you plan to get there, you can put all of that information into action.
Implement controls starting from the most essential until you reach a point where you can comply with enough to achieve certification.
Making the Certification Process Easier
Developing an SSP, keeping it up to date, and ensuring that your company adheres to potentially over a hundred different security controls is no easy task. Fortunately, there are many resources available to help. For example, NIST itself offers a template for an SSP in the form of a 20-page DOCX file, found here.
One of the best options you can use, though, is Ignyte Platform. Why?
- We help you learn how to manage CMMC compliance according to all of the latest CMMC 2.0 standards, at all three potential levels.
- We serve the same purpose as 18 different domain specific solutions, in one app and in one place.
- We streamline and speed up the entire process so you can have your documentation ready for audit in under 10 weeks.
Our platform is a way to monitor and keep updated all of your security processes and controls, in a centralized location, so you aren’t juggling spreadsheets and documents in individual locations. Moreover, whenever the government changes or adjusts these standards, we adjust our platform to reflect those changes, so you know as soon as possible.
On top of that, by feeding your documentation and details into our platform, we can generate a compliant SSP automatically. It’s not a hands-off process – you still need to do the legwork – but we make it faster and easier to see, at a glance, where your current posture is and where you need to reach.
If you’re interested in giving Ignyte Platform a try, simply click here to book a demo today.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.