One of the biggest issues for any defense contractor looking to comply with CMMC Level 2 is creating the System Security Plan (SSP) and supporting documentation that describe how CUI is protected within the organization. This SSP and documentation are required for almost every one of the 110 NIST 800-171 and CMMC controls. And the documentation can't just make sense to the organization; it must also make sense to a potential external auditor. The SSP and documentation are also not optional: without them, a defense contractor cannot participate in a DoD contract.
This blog provides helpful tips on overcoming the obstacles that prevent most companies from creating an SSP and documentation robust enough to withstand the scrutiny of auditors, and explains how defense contractors can get started on this challenge.
System Security Plans (SSP) Explained
Both CMMC 2.0 and NIST 800-171 clearly state the requirement for an organization handling CUI: it must have an SSP. According to CA.L2-3.12.4, a defense organization must:
Essentially, an SSP is designed to describe the cybersecurity program that is in place at a defense contractor. The SSP should walk through each NIST 800-171 control and explain how the control is implemented, monitored, and enforced. Since there is no standard prescription for how a control objective should be achieved, a control can often be met either by technology or by internal policy.
The contractor must explain how their unique organization will meet the control.
System Security Plan Challenges
Creating the policies, procedures and supporting data is not for the faint-hearted, as it takes considerable time. These documents should detail how each control will be implemented and managed. The challenge is even greater when a control is met by policy rather than technology.
If a control can be satisfied by technology, the IT team can simply declare that the control is satisfied by a technology solution. If, however, a control is met by training or an incident response plan, then explaining the process by which the organization meets the requirement becomes much more complex. Many contractors turn to a certified consultant for help with this process, as the consultant is better able to provide insight into the security controls used by the organization.
Control AC.L1-3.1.22 provides a simple example of the necessary policies and procedures. This control indicates:
The policy could indicate:
- No CUI or FCI will be published on our public-facing websites
The SSP procedure could indicate:
- The organization will ensure that the SSP is updated, at least once a year, and whenever necessary procedural updates are required.
- The organization will only allow resources that have undergone a full background check to act as administrators. These administrators will be the only resources authorized to update the SSP.
- The organization's interim authority (i.e. CEO, CISO, CTO, etc.) will finalize the SSP, and the SSP will not be active until the interim authority has finalized it via sign-off.
The associated procedures documented in the SSP could then indicate:
- The SSP will be updated annually, or as needed. To ensure this, the SSP administrator will complete the SSP version history to include:
  - The date the SSP was updated
  - Updates made to the SSP
  - Administrator responsible for updates
  - Updated version number of the SSP
- SSP administrators will perform the following tasks before they can update the SSP:
  a. Complete a full Top-Secret Tier 5 background check, which must be fully adjudicated (not provisional)
  b. Interim authority assigns resource to admin role
     i. The interim authority will assign the role of administrator by creating a ticket in the company's internal ticket system.
     ii. This ticket will then be forwarded to the IT manager.
     iii. The IT manager will then update the Roles and Responsibilities Matrix to ensure that the new admin's information is correctly reflected.
- Once updates are complete for the SSP, the document will go through the document review process:
  a. The document is sent via email or a shared reader link to the authorized document reviewer listed in the Roles and Responsibilities Matrix.
  b. The Document Reviewer will review the document and then submit it to the Interim Authority along with any additional information required.
  c. The interim authority will review the document and ask questions or obtain additional clarifications from the administrator before ensuring that the document is signed and then circulated to all stakeholders.
And this control is not unique in its complexity. Many NIST 800-171 controls require this level of detail in order to build an accurate SSP that could pass an audit.
Get started with creating a security plan
The best way to start creating your organization's SSP is with a self-assessment against the 110 NIST 800-171A requirements. This exercise requires you to review each control and take stock of what you have in terms of policy and technology. You can then see which controls have gaps you need to work on and which you already meet.
After completing the self-assessment, download one of the many SSP templates available online and start writing documentation for each control. You then have the outline of your SSP.
The downside of trying to build an SSP in-house is that there are a lot of nuances in writing the processes and creating the solid documentation you'll need. Indeed, trying to do it alone is where many companies fail. A typical SSP with its supporting documentation runs from 80 to 120 pages. Without the help of a trained consultant or expert, your SSP policies and procedures likely won't align, because you are not actually implementing the processes you've claimed. As a result, your SSP will not pass an audit.
How PreVeil can help you
The PreVeil package provides you with an SSP template covering the 84 of the 110 NIST 800-171 controls that PreVeil addresses, as well as policy templates for 11 of the 14 NIST control families. PreVeil also provides a Customer Responsibility Matrix (CRM) and a Plan of Action and Milestones (POA&M) for controls that PreVeil does not meet.
While PreVeil's template still requires contractors to customize the SSP to suit how their environment works, the CRM saves contractors hundreds of hours of preparation and consultant time. The PreVeil template helps contractors know who is responsible for monitoring each control, whether that is their own organization, PreVeil or AWS, for example. And the PreVeil SSP template provides a POA&M for controls not satisfied by our existing package.
PreVeil can also help contractors find a compliance expert who understands the CMMC landscape and can help their business resolve their compliance issues. With PreVeil, customers have a partner, not just a solution.
Documentation is one of the most important and burdensome parts of compliance. However, with the right information and resources, it can become one of the easiest parts of the CMMC journey. PreVeil is here to help. Contact one of our compliance experts or obtain a copy of the PreVeil SSP.
*** This is a syndicated blog from the Security Bloggers Network of Blog – PreVeil written by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/meeting-the-system-security-plan-challenge/