How to create a NIST System Security Plan

To be compliant with NIST 800-171 and the requirements that reference it, like DFARS, you are going to be asked for your System Security Plan (SSP). The long and short of it is that you need to identify every system that stores, processes or transmits CUI and then complete the System Security Plan for those systems. NIST provides a template for this document. All of the questions in the SSP template map back to your controls, so you will need to have assessed all of your controls before you can answer the questions the template asks.

Start with what the system is and who is responsible for it. You will need the name of the system and a unique identifier for it so that you can differentiate it from the other systems in your organization. Identify the government point of contact in your organization who is responsible for accepting or receiving the CUI, and the person in your organization who owns the server or system. Identify the security officer for your corporation, or the entity that is responsible for security for your organization. Fully describe what the system does and what its purpose is. Finally, record how many end users have access to the system and how many of them are privileged users with access to the CUI.

Be able to describe the type and category of CUI you are storing, processing or transmitting. The CUI Registry category list at https://www.archives.gov/cui/registry/category-list can be used to identify the type and category that your CUI falls under. Part of your control system is an accurate and up-to-date network map and topology that clearly shows the key devices and how they all interconnect. Any other infrastructure that touches the system, such as Active Directory, firewalls and switches, needs to be called out in your topology map. You also need to provide an inventory of all of the equipment that makes up the system. Later, when you prepare your POA&M, you will need to call out all of the patches, security updates, upgrades and maintenance you perform on these machines, so capture this inventory data now and keep it separately so it can be reused for those other activities. You will also want a complete list of the software installed on the system, and a record of when maintenance is performed on your systems and by whom. Then describe every NIST control relevant to your system and state whether it is implemented, planned or not applicable. If your firm lacks the expertise or time to get a security plan in place, the majority of Managed Security Service Providers have the experience to take on this type of project.

Single Point of Contact was founded in 1999 and is a Managed Security Service Provider in the San Francisco Bay Area. We tailor our IT security services to take into consideration the everyday challenges businesses face. Cybersecurity issues often stem from within an organization, so we take proactive measures to ensure everyone from top to bottom understands the ramifications of a cyberattack. Don’t hesitate to contact us to see how we can help better protect your company.