
This is an introduction to the System Security Plan (SSP) and why it matters to businesses that do, or plan to do, business with the federal government.
The SSP is based upon the NIST and National Archives and Records Administration (NARA) templates and provides greater clarity to the company or agency representative, the business owner, and their IT staff. This course is intended to focus business owners and their IT support staff on what is required to create and complete a System Security Plan (SSP) that sufficiently meets the NIST 800-171, revision 1, requirements. Companies need to make a documented "good faith" effort to address each of these controls for the government. More importantly, the same effort helps the business protect its own sensitive data and Intellectual Property (IP).
In this lesson we discuss the importance of the hardware and software list in a good business cybersecurity environment. The SSP should include a complete and accurate listing of all hardware components (a reference to the organizational component inventory database is acceptable) and all software components (system software and application software), including make/OEM, model, version, and service pack or patch level. An inventory that is out of date or missing versions is of little use for control assessment, because the assessor cannot tell which systems actually handle CUI or whether known-vulnerable versions remain in use.
In this lesson we describe the importance of a good network topology diagram in support of an SSP.
The SSP includes a detailed physical topology narrative and graphic that clearly depicts the system boundaries, system interconnections, and key devices. (Note: this does not require depicting every workstation or desktop, but it should include an instance for each operating system in use, an instance for portable components (if applicable), all virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations (e.g., Unix, Windows, Mac, Linux), firewalls, routers, switches, copiers, printers, lab equipment, and handhelds.) If components of other systems that interconnect or interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans, or the names and owners, of the other system(s) in the diagram.
This lesson describes the NIST 800-171 security controls in general. NIST 800-171 specifies 110 explicit security requirements (commonly referred to as controls), derived from NIST's core cybersecurity catalog, NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, that are considered vital to protecting Controlled Unclassified Information.
Companies can implement these security solutions either directly or by using outside, third-party "managed services" to satisfy the protection requirements for Controlled Unclassified Information (CUI)/Covered Defense Information (CDI). Note that outsourcing the implementation does not transfer the compliance obligation: the contractor remains responsible for showing, in the SSP, how each control is met, including those met by a service provider. NIST publications were not previously mandatory for "nonfederal entities." NIST 800-171, revision 1, is the first time that a federal agency, the DOD, has mandated that nonfederal organizations, that is, private companies, comply with a federal-specific NIST publication.
"Nonfederal" organizations, such as businesses, whose internal IT systems process, store, or transmit CUI/CDI are expected in 2018 to begin the transition to comply with NIST 800-171. For DOD contractors, what is a recommendation elsewhere is now a contractual requirement.
The People, Process and Technology (PPT) model is the recommended approach for answering many of the controls within NIST 800-171. Not every control requires a technological answer; consideration of the people (e.g., who is responsible, and with what skill sets) and the process (e.g., notifications to senior management, action workflows) will meet many of the response requirements.
The best responses will typically name the roles assigned to oversee the control, describe the process or procedures (the workflow) that ensure the control is met, and, in many cases, identify the technology that satisfies the control in part or in full. A response that names only a product, with no owner and no procedure, rarely demonstrates that the control is actually operating.
The 110 NIST 800-171, revision 1, requirements are a heavily pared-down set of controls, scoped to what industry needs in order to meet federal government cybersecurity contracting requirements. By contrast, NIST 800-53 revision 4 offers nearly a thousand controls and control enhancements; this more expansive catalog is used extensively by DOD to protect its own IT systems, from its jet fighters to its vast personnel databases.