How To Create a CMMC System Security Plan (SSP) & POA&M
A System Security Plan (SSP) & POA&M are both essential for complying with CMMC. Get the facts on SSPs, and why you need one for CMMC compliance.
.png)
The U.S. Department of Defense (DoD) declared in 2020 that any organization providing products or services to the DOD or its supply chain must comply with the Cybersecurity Maturity Model Certification (CMMC).
This cybersecurity standard for the DOD applies to any organization participating in a contract with the DOD, whether it's as a prime contractor or a secondary contractor. These contracts contain a Defense Federal Acquisition Regulation Supplement (DFARS), which requires contractors to implement a System Security Plan (SSP) and Plan of Action & Milestones (POAM). These requirements are detailed in NIST 800-171, specifically sections 3.12.4 and CMMC Practice 157 in the Security Assessment (CA) Domain (CA.2.157.)
The purpose of the SSP is to provide auditors with a clear overview of your organization's information security (IS) posture, including requirements and controls to meet those requirements.
The DOD provides guidance on compliance assessment that indicates a review of your SSP should be the first step in ensuring DFARS compliance before awarding the contract, meaning that a SSP is required to obtain a DOD contract. A SSP has always been part of the NIST 800-171 security requirement as described in DFARS 252.204-7012, and is even more valuable under the newer (CMMC) and DFARS 252.204-7019 and 7020.
Schedule your free consultation with a CMMC advisor at cuick trac™ by calling 763-546-8354 or contacting us online. We can help you create an SSP or fill in the gaps of your existing SSP, including scope and CMMC requirements.
CMMC implements multiple sets of security controls, unlike DFARS. It consists of five maturity levels in a hierarchy, such that each level includes the controls of the preceding level, as well as controls for that level to which an organization is seeking certification to. These levels indicate the amount of data security the contractor can provide, allowing government agencies to award contracts based on the contractor's security posture. To learn more, read CMMC Levels Explained.
The CMMC maturity levels are cumulative, meaning that a contractor must demonstrate that it possesses the required processes and practices for a particular level before it can apply for the next highest level. Some organizations will have processes and practices at different maturity levels. In these cases, the organization received certification at the lower level.
Under CMMC, each DOD contract will specify the level that the contractor will need to qualify for that contract. Most contracts, at this time, require either Level 1 or Level 3. In general, a contractor that only handles Federal Contract Information (FCI) requires CMMC Level 1, while a contractor that also handles Controlled Unclassified Information (CUI) requires CMMC Level 3.
CMMC Level 1 is the lowest maturity level and only includes security practices for basic data protection as described in Federal Acquisition Regulation (FAR) clause 52.204-21. This level consists of 17 practices that include "Identity & Authentication" and "Access Control." Level 1 is intended to protect FCI, so it's required for any contractor that provides products that aren't Commercial Off the Shelf (COTS). Every DOD contractor will likely need CMMC Level 1 at a minimum.
CMMC Level 2 provides the cybersecurity required by organizations that handle CUI, rather than just FCI. This level requires the organization to maintain written policies on all 17 domains that the CMMC covers in addition to a documentation on implementing those policies for each domain. Level 2 security practices are a subset of the requirements listed in NIST 800-171, which include 55 practices in addition to those already required by Level 2. This level is a transitory step between Level 1 and Level 3, so contractors won't have Level 2 as a permanent maturity level. In addition, Level 2 doesn't make business sense because it doesn't allow contractors to handle CUI.
The primary purpose of CMMC Level 3 is to protect CUI. It strengthens a contractor's overall cybersecurity by augmenting the basic security practices established in the lower maturity levels. CMMC Level 3 requires organizations to establish and maintain an SSP to implement its requirements. The practices in this maturity level encompass all NIST SP 800-171 security requirements, including 58 new practices not required by CMMC Level 2.
Organizations that handle both CUI and FCI will need CMMC Level 3 at a minimum. As a result, this level will probably be the most common maturity level, since virtually all DOD clients handle CUI. CMMC Level 3 is a major step up from Level 2 in terms of cybersecurity, in addition to the increase in time and money needed to obtain it.
CMMC Level 4 focuses on improving an organization's ability to protect CUI from Advanced Persistent Threats (APTs). Level 4 doesn't implement as many new practices as the previous two levels, but the applications and maintenance of the practices new to Level 4 are much more complex and time-consuming because it requires the contractor to be proactive, vs reactive. In addition to the requirements from lower maturity levels, CMMC Level 4 measures and reviews the effectiveness of its practices. This maturity level also implements some improved security practices in the draft version of NIST 800-172 (formally 171B) and other sources, for a total of 26 new practices. Very few contractors will require CMMC Level 4 until CMMC Level 3 certifications are being regularly awarded.
CMMC Level 5 requires contractors to optimize and standardize their implementation of processes across their entire organization. Like Level 4, Level 5 focuses on protecting CUI from APTs and implements 15 new security practices not implemented in Level 4. These practices greatly increase the organization's cybersecurity posture.
The greatest weakness of NIST 800-171 is that it allows contractors to attest themselves, often resulting in a relaxed security approach. CMMC is the DOD's initiative to correct this vulnerability by requiring audits from third parties, thus providing contractors with an incentive to close out POAMs. Furthermore, the DoD wants to increase the security posture of its contractors without waiting for the CMMC’s full rollout. As of December 1, 2020, DoD prime and subcontractors must report their progress towards achieving full NIST 800-171 compliance in order to receive contract awards that require DFARS 252.204-7019 and 7020. Contractors must enter this report and score into a federal database called Supplier Performance Risk System (SPRS).
This is a major accountability change, as it’s the first-time contractors have to enter an accurate score that can be referenced back to by DOD at any point in the future. CA.2.157 requires contractors at CMMC Level 2 and up to develop, document, and maintain SSPs that describe system boundaries and operating environments. They must also specify the implementation of their security requirements and the relationships of their systems with other systems.
Appendix B of the CMMC guide further describes the SSP’s role in CMMC as an outline of the guidelines and security standards that an affected organization must follow as well as their security personnel’s roles and responsibilities.
SSPs should also include diagrams that illustrate how the organization’s systems interact with each other. It should also describe the organization’s design philosophies, including interfaces, network protocols, and defense strategies.
While an SSP should generally provide a high-level view of these elements, it should still provide sufficient detail to guide the organization in implementing its systems. As a result, the SSP should make frequent references to the organization’s current policies and procedures.
The overall purpose of CMMC and NIST 800-171 is to protect CUI, so the information in the SSP should focus on this topic. It should include a clear definition of the organization’s business, especially its Aerospace and Defense (A&D) boundaries. The SSP should also describe the types of CUI organizations handle and what it does with that information. Additional information in the SSP should include details of the methods an organization uses to store, process, and transmit CUI.
Furthermore, the SSP should describe the security controls it has implemented to protect CUI, including the procedures its personnel must follow. Known gaps in the organization's CMMC posture are also important details for the SSP to describe which the POAMs will eventually close.
The process of creating an SSP generally includes the following four basic steps:
Gather all the documentation that describes your organization's current security posture with respect to NIST 800-171 or CMMC compliance assessments, especially policies and procedures. This documentation could describe your organization's entire IT environment or just a subset of it, depending on the business model. Ensure the documentation is current by checking with relevant stakeholders.
Gather input from stakeholders who are responsible for system security, including data owners, system managers, and system operators. This step ensures the documentation from step 1 matches your organization's current IT environment.
Fill in any gaps in your existing documentation and what's required by CMMC, DFARS, and NIST, typically through additional research and interviews. You'll also need to implement a cybersecurity program to generate any other documentation that's currently lacking.
The DoD recommends that contractors organize their documentation into an SSP template to ensure they'll be prepared for a compliance audit. This document should be clear and explainable, and something the contractor can stand behind and defend its accuracy.
Security standards like NIST 800-171 and CMMC both provide frameworks for managing robust security requirements. These standards help organizations implement the controls they'll need to protect CUI. However, not even the most diligent IT department can guarantee complete compliance with every requirement all the time.
For example, some security controls rely on software that can be very expensive. If the software your organization is using to provide this control reaches the end of its useful life, it might not be able to afford a replacement. Another possibility is that your organization needs an alarm system installed, but the only qualified vendor in your area is booked up.
In these cases, your organization can be non-compliant with no practical method of redressing the issue. It must then develop a POAM to document these security deficiencies, including the resources needed to correct them. It’s also vital to create and track milestones for these tasks, especially estimated completion dates. This practice assures assessors that the organization takes cybersecurity seriously by holding itself accountable. NIST 800-171 documents the requirement for a POAM in section 3.12.2, also known as Basic Security Requirements.
There are many ways to identify deficiencies in an SSP, but the most common is to inspect an organization’s information systems via an internal review or external auditor. However, organizations with a mature posture are more likely to continuously monitor their security controls.
This process often identifies controls that aren’t as effective as they should be or are completely absent. Regardless of the circumstances, a POAM document must track security deficiencies and specific corrective actions for each one.
NIST provides a sample POAM template that can help your organization track the actions it needs to perform to achieve CMMC compliance. It's important to remember that filling out this form isn't a mere administrative exercise. The real purpose of the POAM is to identify compliance gaps and develop ways to mitigate them.
Developing an effective POAM requires the developer to take a high-level perspective when identifying the resources needed to complete each identified task. That means that it shouldn't be the sole responsibility of any particular department. Company leaders also need to be involved in a POAM to ensure it receives the necessary resources and holds entities responsible for executing necessary actions.
Practical considerations and specific details are also necessary for creating a useful POAM, as they demonstrate a commitment to resolving security deficiencies. POAMs often list vague or unrealistic tasks, making it clear to the reader that the organization doesn't take deficiency remediation seriously.
Milestones are also a key component of an effective POAM. Simple tasks may only require an estimated completion date, but POAM authors should typically break complex tasks into multiple phases, with separate milestones. A POAM is a living document, meaning authors should update the POAM continuously as an organization progresses towards remediating deficiencies. Page 89 of NIST 800-53 Rev.5 recommends that organizations use software to POAM items, which could include an existing ticketing system.
Organizations shouldn't underestimate a POAM's importance in securing government contracts. NIST 800-171, 3.12.4 advises that federal agencies may consider SSPs and POAMs to be critical to risk management for non-federal organizations when deciding to pursue a contract with that organization. As a result, the quality of your POAM can directly affect your chances of getting a DoD contract.
DoD will begin issuing the first contracts with CMMC requirements in 2022. Other security frameworks like NIST 800-171 allow auditors to excuse security deficiencies that are properly documented in a POAM. However, CMMC implements a binary grading system in which an organization meets all the requirements for a given maturity level, or it doesn't.
Even if an organization passes its CMMC audit, it still needs a POAM to document its compliance measures. Again, you should treat your POAM as a living document that records previous deficiencies after they've been remediated.
Your organization's in-house IT staff can complete an SSP template, provided it has the necessary time and expertise. However, this approach can result in a lack of objectivity when it comes to identifying compliance gaps. You can also engage third-party experts to assist in this process, which can reduce the time and money needed to complete it. This strategy also ensures that the resulting SSP complies with CMMC requirements, making it useful to auditors, while meeting the requirement of separation of duties between IT and Security
There are no official SSP and POAM templates from the government, but many private companies provide them. You can find an SSP template here and a POAM template here, or contact cuick trac™ here.
Conducting a CMMC assessment and developing an effective SSP are challenging tasks, but they're also essential for obtaining DoD contracts. You must also ensure that your organization performs its due diligence for other cybersecurity requirements such as NIST 800-171 and DFARS.
This process can be completed with just a collection of Excel spreadsheets, especially for larger organizations. Cuick trac™ can help ensure that your organization meets all requirements for CMMC accreditation.
Our SSP and POAM creation and updating advisory make baseline CMMC self-assessments easy to perform. We also provide a strategic dashboard with an integrated view of your CMMC compliance at any time including compliance gaps and recommendations on how to fill them.
In addition, cuick trac™ utilizes a compliance management and audit accountability tool which stores the documentation required for every assessment objective and organizes it so auditors can easily find what they need during compliance assessments.
An SSP and POAM are both essential for complying with CMMC. Even if your DoD contract doesn't require CMMC compliance at this time, it will in the near future. It's essential to begin the compliance process now, as it can be complex and time-consuming. Third parties like cuick trac™ can provide critical assistance in obtaining CMMC compliance, especially if your core competencies don't include a fully managed IT and security program
Schedule your free consultation with one of cuick trac™'sCMMC advisors today if you are or expect to become a member of the defense industrial base. We can help you avoid fines or the loss of contract opportunities by strategically planning and implementing the CMMC security controls.
Call 763-546-8354 or contact us online to speak with a CMMC advisor about your organization’s SSP and POA&M needs today.
