The purpose of the NIST 800-171 system security plan (SSP) is to provide an overview of the security requirements of your system and describe the controls that are in place for meeting those requirements.
The system security plan also delineates the responsibilities and expected behavior of all individuals who access your system(s) to protect government information.
Approximately 9 million people are employed by the federal government, 40% of whom are private contractors.
Private contractors that are also manufacturers tied to the government supply chain can tap into lucrative revenue sources that are only available through government contracts, which makes NIST 800-171 compliance extremely important.
Being compliant with NIST 800-171 can mean doing business with the federal government and tapping into these new sources of revenue.
But working with the government means your company is handling Controlled Unclassified Information (CUI), information the government needs to keep protected.
Here are 5 key steps you can take to build your company’s system security plan and demonstrate how you intend to comply with all NIST 800-171 security controls.
Who is Responsible?
NIST 800-171 standards apply to any company that handles potentially sensitive information. This includes companies that have a contractual relationship with a government agency:
- Contractors for the Department of Defense
- Organizations providing financial services
- Consulting companies with federal contracts
- Manufacturing companies that furnish products and goods to the government
According to the CUI SSP template distributed by the National Institute of Standards and Technology (NIST), the Chief Information Officer (CIO) and System Security Officers of these companies are responsible for architecting the System Security Plan.
Understanding the SSP
An SSP is documented proof to the government that your company has addressed each of the security requirement families in the NIST 800-171 publication and is prepared to handle known threats. For smaller companies, creating a system security plan without assistance can be very intimidating.
The online NIST Special Publication 800-18 (PDF) resource provides recommendations for creating your own system security plan, but it is a tricky document to decipher.
So we've boiled it down to 5 "simple" steps:
How to Build your SSP - The 5 Steps
Step 1 of Building an SSP: Form the Team
To build an SSP from scratch, you need to put together a team, drawing on input from senior information security professionals where possible.
The team should first build an assessment plan of your company infrastructure, including determination of timeframes and the key objectives.
An effort should be made to promote a company-wide message that the SSP project is underway, including an explanation of the motivation (i.e., procurement of government contracts).
Step 2 of Building an SSP: Assessment and Data Collection
Create a contact list of company personnel with relevant responsibilities, such as system administrators and information security specialists. Collect, review and organize all of the relevant documentation for your security plan, including existing security policies, system records and manuals, previous audit results, and system architecture documents.
Step 3 of Building an SSP: Complete Documentation
Using the CUI SSP template (DOCX), complete the system identification information by listing all company systems, including their system owners and information owners.
Provide descriptions of the function and purpose of all your company systems (examples include economic indicators, network support for an agency, business census data, etc.).
Assess each individual control and requirement, and record a statement for every security control measure that is listed. The assignment of responsibility and the designation of ownership for each security control must also be documented.
Step 4 of Building an SSP: Plan of Action
Document how all the security requirements are being implemented at your company. Create a plan of action that outlines how any unmet requirements will be achieved. Include all evidence of compliance in your system security plan documentation.
Step 5 of Building an SSP: Completion
Once your SSP is complete, update it with a new version number whenever it is modified. Modifications will be needed as the infrastructure and technologies at your company continue to evolve, for example through employee turnover, access to new data, organizational changes, and system upgrades.
These changes merit periodic assessments of your plan to confirm whether any updates are needed to account for them. Updates made to your security plan should be documented properly and stored in a centralized location.
Want To Build Your NIST 800-171 SSP?
Your first order of business as a private contractor should be to clearly understand the language in your contracts and know where your company stands in terms of obligations.
Your business will need proof of a functional security plan, and building that plan is no small achievement. You may need the guidance of an independent consultant who has the strategic expertise and professional team to handle such an important matter.
Encompass Consultants has key expertise in guiding businesses through the process of NIST 800-171 compliance, and we've helped dozens of firms build effective SSPs from scratch, letting them focus on daily operations rather than on compliance.
Originally published Apr 27 2021
Frequently asked questions
What is a system security plan?
The components of a system security plan (SSP) detail how physical security, network security, and application data security will be achieved.
What is the NIST 800-171?
NIST SP 800-171 is a special publication that outlines security requirements that must be followed to properly safeguard the confidentiality of CUI that is stored, processed, or transmitted and the requirements for the security and protection of infrastructure.
How do I become NIST 800-171 compliant?
Becoming NIST 800-171 compliant isn't a one-size-fits-all process. If you choose to work with an expert, there are consulting resources online that can guide you in building strategies to achieve and maintain compliance. On your own, you're likely going to need a team of expert IT and legal professionals to help you go through all requirements.