NIST SP 800-171 System Security Plan
- Apr 17, 2017
In December of 2016, when NIST released the first revision of NIST SP 800-171, they included information about what was supposed to be done with all of the plans and procedures that were created to secure your facility. In this revision, they included information about a required System Security Plan (SSP). This document is a compilation of what you are doing and what you are going to do. It is a tool that contracting agencies can use to judge your readiness to accept the Controlled Unclassified Information (CUI) associated with awarded contracts.
The NIST standard explicitly states that federal agencies or contracting officers may request your SSP. The SSP from your organization may be used as a “critical input to an overall risk management decision” in determining the advisability of making awards to your organization. Having an acceptable SSP may be a determining factor of your ability to sell to the US Government.
The SSP contains information about how your organization is meeting the requirements of NIST SP 800-171. In situations where your program does not currently conform to the requirements, the SSP should contain plans of action describing how conformance will be realized. The SSP is intended to be a living document, so that as plans are completed, items will move from being plans to descriptions of the applicable policies or procedures that produce conformance to the requirement. Inversely, some items will move from conforming procedures back to plans of action. Newly identified vulnerabilities or changes in technology are examples of things that can cause items to become non-conforming.
The required contents of the SSP are to describe:
- the system boundary,
- the operational environment,
- how the security requirements are implemented, and
- the relationship with or connections to other systems.
The system boundary portion needs to enumerate the points at which your various systems touch the Internet or other networks. The text implies that you will describe the security of the connection points, providing information about firewalls, routers or other security measures protecting these points against unauthorized access.
The description of your operational environment would include the factors within which your systems operate. This would include, but not be limited to, industry, technology, personnel, physical layout and environment. A firm that trades in digital products is drastically different, from a system security standpoint, from a firm that produces metal castings. A firm with a very transient workforce has some extra security concerns as compared to an identical firm with a stable workforce. If a company has facilities across the globe, then it has different security issues than a company in one building. A business that exists in a hurricane-prone area has some serious risks that might be minor in another location. Your company’s operational environment is everything that makes your security situation unique.
The implementation of the security requirements is simply a description of how all of the NIST SP 800-171 requirements are being addressed. This would likely be in the form of a line-by-line listing of the applicable actions or controls. These will be either descriptions of what has been implemented or what will be implemented.
The section of your SSP that addresses the relationships with other systems will describe the interactions between different networks or systems, outside of your control. This might include cloud-based systems, trade partners, financial institutions or any other systems with which your systems interact. The way in which these interactions affect security should be described.
NIST SP 800-171 makes it clear that the SSP does not need to be in a specific format. It also makes it clear that the documentation of conforming operations can be separated from the plans of action. The exact form and format of the SSP is up to the individual organization. It is more important to ensure that all of the SSP requirements are met than to obsess over the particulars of how the information is communicated.
This document will potentially be a key element in the government procurement process. Rather than requiring frequent audits of your conformance to NIST SP 800-171, this document will serve as your tool for communicating your security stance. Because this document will speak for your company and represent you, it is justified to apply extra effort to ensure that the content is complete, accurate, current and well-presented.
For more information about the implementation of NIST SP 800-171, go to http://nist-sp-800-171.com.