A Closer Look at the CMMC Interim Rule’s System Security Plan Requirement

Back to Blog

A Closer Look at the CMMC Interim Rule’s System Security Plan Requirement

We first introduced MSPs to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) with an informative overview of the new security mandate. Then we took a closer peek into its Interim Rule and scoring methodology.

Next up in our CMMC blog series, we get more familiar with CMMC Interim Rule’s System Security Plan (SSP).

The CMMC Interim Rule stipulates that all Department of Defense (DoD) contractors and subcontractors must conduct a specific cybersecurity self-assessment. They must then score the assessment using a methodology outlined by the National Institute of Standards and Technology (NIST) in its Special Publication (SP) 800-171.

The self-assessment must also include a complete System Security Plan (SSP) – which documents all aspects of their cybersecurity program. This component requires contractors to identify their system’s functions and features, including all its hardware and software, and define the security measures they have established, including operational procedures, organizational policies, and technical components. The SSP must also contain auditing and system maintenance process details.

However, a contractor’s SSP must align with all 110 controls in the NIST (SP) 800-171. And auditors will judge an SSP with Assessments Objectives (AO) outlined in NIST 800-171A. There are 320 AOs associated with the 110 controls.

If you are not yet familiar with the controls, NIST offers a template that walks through them. Of course, contractors can easily customize the plan to their organization’s unique needs, as long as it adheres to the NIST control parameters.

This requirement is important because contracting officers and federal agencies may request your SSP at any time and can be considered “critical input to an overall risk management decision[s].” In fact, the quality of an SSP may be a conclusive factor in awarding a contract.

In short, the SSP is a comprehensive blueprint of all security policies and procedures that documents how each contractor will help keep DoD data secure if the DoD awards a contract. All this information compiled for the SSP also helps create an incident response plan for a potential breach.

The final installment of this blog series will cover the Plan of Action & Milestones, the corrective action plan for tracking and planning the resolution of information security weaknesses.