Sorry to tell many of you, but your NIST SP 800-171 required System Security Plan (SSP) sucks. As the start of CMMC draws nearer, we are seeing more SSPs from other companies, and, well, they miss the mark and are not effective.

Unfortunately, many organizations are grabbing the NIST SSP template for NIST SP 800-171 Rev 2, and, well, it OFFICIALLY SUCKS. (Hint hint, wink wink, nudge nudge.)

In this episode of As the CMMC Churns, we walk you through how to write an effective SSP that explains your implementation at the Assessment Objective level, and we show you how to use the same SSP to present your correlated evidentiary artifacts for each Security Requirement.

We also walk through a simple example, 3.1.9 (Provide privacy and security notices consistent with applicable CUI rules), to show how we documented the requirement for Peak InfoSec. This is done using our free templates, available at NIST SP 800-171 & CMMC Templates.

A couple of key rules to pull out of the video:

  1. Don’t use the NIST SP 800-171 template.
  2. Draft SSPs don’t count during an assessment; if your SSP is still a first draft, your score is technically -203.
  3. Explain your network diagrams. Dumping diagrams into your SSP, or attaching them as supporting artifacts without explanation, is useless and will cause your assessor to wander around and misinterpret things.

Lastly, your SSP is the foundation of how you tell the third-party assessor your story of how you meet the NIST SP 800-171 Security Requirements. We get it, writing one sucks, but an effective SSP will streamline your third-party assessment.

