A System Security Plan (SSP) is a document that describes the security controls associated with a given system. Each SSP shall be developed in accordance with the guidelines contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems, and applicable risk mitigation guidance and standards. Accordingly, the Information Security Office has developed a System Security Plan Template.
The SSP documents the following elements of a given system:
- A description of the system’s purpose and operational function.
- The classification of sensitivity of the data that will be stored, processed, or transmitted via the system.
- The point of contact, roles, and responsibilities associated with a system and its security controls.
- The current state of a given security control (for example: non-existent, planned, partially implemented, or fully implemented).
- The detailed description of the implementation of a given security control including any technical, administrative, or physical requirements.
- Identification and description of any dependencies and connections between the information system and any other systems.