How to Develop a System Security Plan for CMMC
In an attempt to improve cybersecurity within the Defense Supply Chain (DSC), the Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) program to establish rigorous security requirements for vendors. Once upon a time, these companies could self-attest to their security posture. Those days are over now thanks to CMMC.
Companies must take 5 key steps to prepare for CMMC:
- Assess current practice compliance gaps with NIST 800-171
- Document Plan of Action & Milestones (POAM)
- Implement the Required Security Controls
- Document policies and procedures in a System Security Plan (SSP)
- Maintain compliance
One of the most important components of the CMMC preparation process is the development of a System Security Plan (SSP). When done properly, an SSP will not only get you one step closer to certification but also improve the posture of your organization as a whole.
"What is a System Security Plan?"
A System Security Plan (SSP), as the word “plan” implies, covers goals and objectives of the security program, staffing and workforce development, technology investment, and implementation schedules.
In the event of a CMMC audit, the SSP is likely the first thing you will be asked for. Requirement CA.2.157 3.12.4 mandates that all contractors must develop, document, and periodically update their SSP.
The overall SSP references more specific plans, such as an Incident Response Plan, Configuration Management Plan, Business Continuity/Disaster Recovery Plan, etc. All plans taken together, whether they exist as separate documents or not, can be considered part of the overall SSP.
Developing an SSP for CMMC
Taking a cue from the maturity model aspect of CMMC, the first thing to do in the CMMC SSP development process is to examine and document your current security practices. Most contractors find it helpful to have a third party perform a gap analysis at this phase.
- What practices, even if they’re ad hoc, are in place?
- Are policies and procedures documented?
- What security tools and technologies are deployed?
- What IT and IT Security staff do you have and what are their skills?
Once you have inventoried the practices you have in place, you need to start planning how to close the gap between the current state and where you need to be for certification.
Next, develop an implementation and remediation plan around each of the gaps on your list. It’s important to document all implementation decisions because these decisions will form the basis of the completed SSP.
As far as the timeline goes, it is fair to say that an organization that is just getting started should expect to devote at least a year to the effort, along with the dedication of internal resource time and investment on required remediation.
That being said, SSPs aren’t a one-and-done. They should be an ongoing effort and need to be continuously updated as controls and compliance requirements change.
CMMC certification can be a major undertaking but is the price to pay for the privilege of serving the nation by properly handling and protecting sensitive information. A more secure DSC means fewer vulnerabilities and, in turn, fewer opportunities for threat actors to leverage them.