System Security Plan (SSP)


Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

A System Security Plan (SSP) is a comprehensive document describing how an organization implements the security requirements for a specific system. NIST SP 800-171 requires one (requirement 3.12.4 in Rev. 2) for nonfederal systems that process, store, or transmit CUI, and DFARS 252.204-7012 obligates defense contractors handling Covered Defense Information to implement NIST SP 800-171, so the SSP requirement flows down to them. The SSP describes the system boundary, how each security requirement is implemented, the responsible parties, and any deviations, compensating controls, or requirements marked not applicable together with their justification. The SSP is the primary documentary artifact reviewed during a CMMC C3PAO assessment, and generic or incomplete SSPs are among the most common assessment findings.

Frequently Asked Questions

What must an SSP contain?

Per NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems: system identification, system description and purpose, information types processed with their FIPS 199 categorization, the operational environment, the system boundary, system interconnections and information sharing, implementation language for each control, assignment of responsible parties (system owner, authorizing official, security contact), and plan maintenance procedures. For systems assessed against NIST SP 800-171 Rev. 2, all 110 security requirements must be addressed, each with an implementation status and specific implementation language. (NIST SP 800-171 Rev. 3 restructures these into 97 requirements, but the CMMC program rule in 32 CFR Part 170 assesses against Rev. 2.)

How long is a typical SSP?

SSP length depends on system complexity but typically runs 80-200 pages for a mid-market defense contractor. Larger enterprise environments with multiple system boundaries can produce consolidated SSPs of 500 or more pages. Length is not the measure, though: each of the 110 requirements needs implementation language specific to this system (which components enforce it, how, and who owns it). Generic or templated language copied across requirements is frequently flagged as inadequate during assessment.

How often must the SSP be updated?

Whenever significant changes occur in the system, its environment, or the threats it faces. NIST SP 800-171 requirement 3.12.4 only says "periodically update"; the common practice is a full annual review plus incremental updates as part of change management, so that a new component, boundary change, or retired control is reflected in the SSP when it happens rather than at the next annual cycle. C3PAO assessors evaluate whether the SSP accurately reflects the system state at the time of assessment, and an SSP that describes a system the assessor cannot find in the environment is a common finding.
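The completeness and staleness checks described in the answers above can be automated once the SSP's control table is exported to a machine-readable form. The script below is an added example, not FileFlo's code; it assumes the export is a list of records with the fields id, status, implementation, responsible, last_reviewed, and justification (field names are an assumption), and it treats bracketed template tokens such as "[Organization]" as evidence of unedited boilerplate (an assumed convention). The per-family requirement counts are those of NIST SP 800-171 Rev. 2 and sum to 110. The sample rows are constructed for illustration.

```python
"""Completeness, ownership, boilerplate and staleness checks over an SSP
control inventory exported to a list of dicts (added example, not FileFlo's
code; field names and placeholder tokens are assumptions)."""
from collections import Counter
from datetime import date

# NIST SP 800-171 Rev. 2: requirements per family; the totals sum to 110.
FAMILY_SIZES = {
    "3.1": 22, "3.2": 3, "3.3": 9, "3.4": 9, "3.5": 11, "3.6": 3, "3.7": 6,
    "3.8": 9, "3.9": 2, "3.10": 6, "3.11": 3, "3.12": 4, "3.13": 16, "3.14": 7,
}
EXPECTED_IDS = [f"{fam}.{n}" for fam, size in FAMILY_SIZES.items()
                for n in range(1, size + 1)]
VALID_STATUS = {"implemented", "partially implemented", "planned", "not applicable"}
# Tokens that indicate a template statement was never edited (assumed convention).
PLACEHOLDERS = ("[organization]", "[system]", "tbd", "<insert")


def check_ssp(entries, as_of, max_age_days=365, min_dup=3):
    """Return findings keyed by check name; each value is a list of requirement IDs."""
    seen = {e["id"] for e in entries}
    findings = {
        "missing": [i for i in EXPECTED_IDS if i not in seen],   # requirement not addressed at all
        "unknown_id": sorted(seen - set(EXPECTED_IDS)),          # typo or wrong revision
        "bad_status": [], "no_owner": [], "template_text": [],
        "na_no_justification": [], "stale": [], "duplicate_text": [],
    }
    # Identical implementation statements reused across many requirements are the
    # "generic language" assessors flag; count them case-insensitively.
    texts = Counter(e.get("implementation", "").strip().lower() for e in entries)
    for e in entries:
        cid = e["id"]
        impl = e.get("implementation", "").strip()
        if e.get("status") not in VALID_STATUS:
            findings["bad_status"].append(cid)
        if not e.get("responsible"):
            findings["no_owner"].append(cid)
        if not impl or any(p in impl.lower() for p in PLACEHOLDERS):
            findings["template_text"].append(cid)
        if e.get("status") == "not applicable" and not e.get("justification"):
            findings["na_no_justification"].append(cid)
        last = e.get("last_reviewed")
        if last is None or (as_of - last).days > max_age_days:
            findings["stale"].append(cid)
        if impl and texts[impl.lower()] >= min_dup:
            findings["duplicate_text"].append(cid)
    return findings


def assessment_ready(findings):
    """True only when every check is clean."""
    return all(not ids for ids in findings.values())


# Constructed sample rows (not a real SSP): one good entry, one template leftover,
# one unjustified N/A with no owner and a stale review date, and three requirements
# sharing a copy-pasted statement.
SAMPLE = [
    {"id": "3.1.1", "status": "implemented", "responsible": "IT Security Lead",
     "implementation": "Entra ID enforces unique accounts; only members of the CUI-Users group can reach the enclave.",
     "last_reviewed": date(2024, 11, 2)},
    {"id": "3.1.2", "status": "implemented", "responsible": "IT Security Lead",
     "implementation": "[Organization] limits system access to authorized transactions and functions.",
     "last_reviewed": date(2024, 11, 2)},
    {"id": "3.1.3", "status": "not applicable", "responsible": "",
     "implementation": "No CUI flows between systems.", "last_reviewed": date(2023, 1, 15)},
] + [
    {"id": cid, "status": "implemented", "responsible": "IT Security Lead",
     "implementation": "FIPS-validated cryptography is used.", "last_reviewed": date(2024, 11, 2)}
    for cid in ("3.13.8", "3.13.11", "3.13.16")
]

if __name__ == "__main__":
    result = check_ssp(SAMPLE, as_of=date(2025, 1, 10))
    for name, ids in result.items():
        print(f"{name:22s} {len(ids):3d}  {ids[:5]}")
    print("assessment ready:", assessment_ready(result))
```

Run against a real export, the "missing" list is the gap analysis, "duplicate_text" and "template_text" are the generic-language findings, and "stale" is the list to bring into the next change-management review. The 365-day threshold and the minimum of three identical statements are tunable defaults rather than requirements from any standard.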

Is an SSP required if a contractor doesn't pursue CMMC?

Yes, if the contractor is subject to DFARS 252.204-7012. The SSP requirement predates CMMC: 252.204-7012 requires implementation of NIST SP 800-171, whose requirement 3.12.4 is the SSP, and it applies to every contractor handling Covered Defense Information regardless of CMMC certification status. DFARS 252.204-7019 and 252.204-7020 additionally require a NIST SP 800-171 DoD Assessment score to be posted in SPRS, and that assessment is derived from the SSP. CMMC adds independent verification of SSP quality through assessment.


FileFlo classifies and tracks compliance documents against rule packs that map directly to the regulators referenced above.