System Security Plan (SSP) for NIST 800-171 Compliance
- Have a basic understanding of IT systems and network security principles
NIST SP 800-171, revision 1, specifies 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. They are drawn from NIST's core cybersecurity catalog, NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and represent the subset considered vital. This is a deliberately pared-down set, scoped to what industry must meet to satisfy federal government cybersecurity contracting requirements. NIST SP 800-53, revision 4, by contrast, offers close to 1,000 controls and control enhancements; that far more expansive catalog is used extensively by the DOD to protect its IT systems, from its jet fighters to its vast personnel databases.
This SSP is based upon the NIST and National Archives and Records Administration (NARA) templates and provides greater clarity to the company or agency representative, the business owner, and their IT staff. This book is intended to focus business owners and their IT support staff on what is required to create and complete a System Security Plan (SSP) that sufficiently meets the NIST SP 800-171, revision 1, requirements. Companies need to make a good-faith effort to show the government how they address each of these controls; more importantly, doing so will help the business protect its own sensitive data and intellectual property (IP).
- Small to medium business owners
- Entrepreneurs looking to provide products or services to the federal government
- Federal Contract Officers and Specialists
- Cybersecurity Consultants and Professionals
- What is the SSP?
- The Hardware & Software Lists
- Network Topology
- Security Controls
- People-Process-Technology Triad
- System Security Plan Quiz
Mr. Russo is currently the Senior Information Security Engineer within the Department of Defense's (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510.01, which implements RMF throughout the DOD. He holds both the Certified Information Systems Security Professional (CISSP) certification and the CISSP Information Systems Security Architecture Professional (ISSAP) concentration. He holds a 2017 certification as a Chief Information Security Officer (CISO) from the National Defense University, Washington, DC. He retired from the US Army Reserves in 2012 as the Senior Intelligence Officer.
He is the former CISO at the Department of Education, where in 2016 he led the effort to close over 95% of the outstanding cybersecurity weaknesses identified by the US Congress and the Inspector General, some dating back as far as five years.
Mr. Russo is the former Senior Cybersecurity Engineer supporting the Joint Medical Logistics Development Functional Center of the Defense Health Agency (DHA) at Fort Detrick, MD. He led a team of engineering and cybersecurity professionals protecting five major Medical Logistics systems supporting over 200 DOD Medical Treatment Facilities around the globe.
In 2011, Mr. Russo was certified by the Office of Personnel Management as a graduate of the Senior Executive Service Candidate program.
From 2009 through 2011, Mr. Russo was the Chief Technology Officer at the Small Business Administration (SBA). He led a team of over 100 IT professionals supporting an intercontinental enterprise IT infrastructure and security operations spanning 12 time zones, and he deployed cutting-edge technologies to enhance SBA's business and information-sharing operations in support of the small business community. Mr. Russo was the first-ever Program Executive Officer (PEO)/Senior Program Manager in the Office of Intelligence & Analysis (OI&A) at Headquarters, Department of Homeland Security (DHS), Washington, DC. He was responsible for the development and deployment of secure information and intelligence support systems for OI&A, including software applications and systems to enhance the DHS mission, and for the program management development lifecycle during his tenure at DHS.
He holds a Master of Science from the National Defense University in Government Information Leadership with a concentration in Cybersecurity and a Bachelor of Arts in Political Science with a minor in Russian Studies from Lehigh University. He holds Level III Defense Acquisition certification in Program Management, Information Technology, and Systems Engineering. He has been a member of the DOD Acquisition Corps since 2001.