A system security plan (SSP) is the first thing that will be requested for any type of cybersecurity assessment, whether it’s GDPR, CMMC, NIST 800-53 and ISO ######.

Whether you’re a small supplier or a large technology contractor, an SSP is essential. However, it’s important to be clear about the definition and scope of what a “system” is in regards to an SSP.


The term has many different meanings depending on how it’s used. A single desktop computer can be referred to as a system, as several different components such as the monitor, keyboard, and CPU together make up a computer system.

In the same way, an accounting system or manufacturing system is made up of hundreds of components and can also be classified as systems. This could be a combination of hardware, software, routers, switches, and firewalls making up the configurations of each of the components that together creates the “system.”

Therefore, an SSP has to encompass all aspects and attributes of each of the environment’s components, and how they work together to include all controls in place, in order to demonstrate how it is secured. 


Depending on the business function and complexity of an organization, the scope of the SSP could be quite large; not to mention, the SSP must also maintain its accuracy as technology changes occur.

It is not uncommon to have multiple SSPs each focused on specific business processes. Some businesses are known to have customer SSPs over 300 pages long. For large or complex businesses to try and maintain the accuracy of critical information manually with spreadsheets or static documents would be next to impossible.

Organizations today are moving to database driven applications to document, track, and automate the maintenance of the information that goes into the SSP. These solutions have the capability to “systemize” an SSP by tying the content to everyday business processes.


For example, NIST SP 800-171 3.7.3 says to “ensure equipment removed for off site maintenance is sanitized of any CUI.” To begin this process, all assets have to be documented in an active inventory and the assets must be successfully identified as possibly containing CUI.

When there is a need to remove an asset, it is much easier to use an automated system, such as a CMDB and ticketing functions, rather than sifting through spreadsheets.

Baseline and tracking assets such as the above example is standard to any modern IT department, but many companies fail to systemize other necessary controls such as risk and security assessment processes, system and communication protection, or proper system architecture designs that represent where CUI is transmitted and stored.

It’s simple to document the processes for meeting controls in the SSP, but much more complex to ensure they are working.

Therefore, implementing a technology solution will go a long way in helping to automate and ensure SSP accuracy, compliance, and updates to everyday IT business processes.

Cential offers the background and experience to help companies understand how to establish an optimized, automated SSP so they can gain added security and hours back into their day to focus on running and scaling their operations.

We are here to help you—contact us today to establish an accurate system security plan.