In 20 years of building and reviewing SSPs, some of the biggest mistakes I see system owners and security professionals make are treating the SSP as a quick checklist, rushing through the security controls, and not providing enough information for the assessor and authorizing official. In the Risk Management Framework (RMF), the SSP should be started early in the system development lifecycle, and it should provide a gap analysis of which controls are or will be implemented, which will be implemented in a later version, and which are non-applicable. Incomplete or vague justifications for non-applicable controls are usually what gets an SSP sent back for rework. To avoid impacts to project schedules and resources, below are the SSP Keys to Success:
The security plan must cover all aspects of the system, including hardware, software, networks, cryptography technologies, system mission, roles, contact information, and more.
Identify the system's boundaries, including the interfaces with other systems and networks. Make sure to attach network and data flow diagrams.
Categorization briefings/worksheets should include all rationale for the system categorization. It is highly recommended to have this officially documented in an organizational template.
The security control implementation description should tell the present and future story of how security controls will be implemented within the information system. Document what has been implemented, what will be implemented in the future, the estimated completion dates, and the parties responsible.
Not Applicable (NA) Justifications (Technical & Policy)
Not Applicable designations (or scoping) of the baseline security controls must describe technically why they are deemed NA. For example, if the control addresses wireless security and the system does not have wireless capabilities, the system owner should describe in technical terms what was disabled on the system so that it does not have such capability. Also cite any current, signed organizational policies that state specific guidance validating the NA status.
Planned Controls - Detailed implementation plan
Capture how each planned control will be implemented, the estimated completion dates, and the responsible parties.
Overall, an SSP is a critical document that outlines the security posture of an information system and the controls in place to protect it. It is essential for ensuring the confidentiality, integrity, and availability of sensitive data and for complying with relevant laws, regulations, and industry standards. The success of a system security plan depends on a combination of planning, implementation, testing, and ongoing management and communication.