One of the biggest pain points for any defense contractor seeking CMMC L2 compliance is creating the System Security Plan (SSP) and the supporting documentation that describes how CUI is protected within the organization. The SSP and its documentation are required for almost every one of the 110 NIST 800-171 and CMMC controls. And that documentation cannot just make sense to the organization – it also has to make sense to a potential outside auditor. Moreover, the SSP and documentation are not optional: without them, a defense contractor cannot participate in a DoD contract.
This blog provides practical tips for overcoming the obstacles that prevent most contractors from producing an SSP and documentation robust enough to withstand the scrutiny of auditors, and explains how defense contractors can get started and move past this challenge.
Both CMMC 2.0 and NIST 800-171 are clear about the requirements for an organization handling CUI: it must have an SSP. According to CA.L2-3.12.4, a defense organization must:
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationship with or connections to other systems.
In essence, an SSP describes the cybersecurity program in place at a defense contractor. The SSP needs to go through each NIST 800-171 control and explain how that control is implemented, monitored and enforced. Since there is no standard prescription for how a control objective must be met, a control can often be satisfied by either a technology or an internal policy.
The contractor must explain how their unique organization will meet the control.
Creating the policies, procedures and supporting data is not for the faint of heart, as it takes a considerable amount of time. These documents need to detail how every control will be implemented and managed. The challenge is even greater when a control is met by a policy rather than a technology.
If a control can be met by technology, the IT team can simply state that the control is met by a technology solution. If, however, the control is met by training or an incident response plan, then explaining the process by which the organization meets those requirements becomes much more complex. Many contractors turn to a certified consultant, who is better positioned to document the security controls used by the organization, to assist in this process.
Control AC.L1-3.1.22 provides a simple example of the policies and procedures required. This control states:
Control information posted or processed on publicly accessible information systems.
The policy could state:
The SSP procedure might state:
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
The supporting policy might state:
The associated procedures documented within the SSP could then state:
- The date the SSP was updated
- Updates made to the SSP
- Administrator responsible for the updates
- Updated version number of the SSP
a. Complete a full Top-Secret Tier 5 background check that must be fully adjudicated (not Interim)
b. The Acting Authority assigns the resource with the Administrator role
i. The Acting Authority will assign the role of Administrator through the creation of a ticket in the internal company ticket system.
ii. That ticket will then be routed to the IT Manager
iii. The IT Manager will then update the Roles and Responsibilities matrix to ensure that the new Administrator’s information is correctly reflected
a. Document is sent via email or shared drive link to the authorized Document Reviewer listed on the Roles and Responsibility matrix.
b. The document reviewer will review the document and then submit it to the Acting Authority with any additional information required.
c. The Acting Authority will review the document and ask any questions or gain any additional clarification from the Administrator before ensuring that the document is signed and then disseminated to all stakeholders.
And this control is not unique in its complexity. Many of the NIST 800-171 controls require this level of detail in order to build an accurate SSP that could pass an audit.
The best way to get started on your organization's SSP is a self-assessment against the 110 NIST 800-171A requirements. This exercise forces you to review each control and take an inventory of what you already have in terms of policy and technology. You can then see which controls you already meet and which ones still need work.
After completing the self-assessment, download one of the many SSP templates available online and start writing the documentation for each control. That gives you the outline of your SSP.
The disadvantage of attempting to create an SSP in-house is that there are many nuances to writing up the processes and creating the robust documentation you will need. Indeed, going it alone is where many contractors fail. A typical SSP along with its supporting documentation runs 80-120 pages. Without the help of a trained consultant or expert, your SSP policies and procedures will likely not align with your actual practice, because you will not be implementing the processes you claimed to. As a result, your SSP won't pass an audit.
PreVeil however has a way to help you get started. We offer a CMMC compliance documentation package for organizations that have deployed our Email and File Sharing platform for protection of CUI.
PreVeil's package provides an SSP template covering the 84 out of 110 NIST 800-171 controls that PreVeil meets, as well as policy templates for 11 of the 14 NIST control families. PreVeil also provides a customer responsibility matrix (CRM) and a Plan of Action and Milestones (POA&M) for the controls that PreVeil doesn't meet.
While contractors still need to customize the SSP template to reflect how their own environment works, the CRM saves hundreds of hours of preparation and consultant time by spelling out who is responsible for meeting each control, whether that is the contractor's organization, PreVeil or AWS, for example. And the PreVeil SSP template provides a POA&M for the controls left unmet by our existing package.
PreVeil can also assist contractors in finding a compliance expert who understands the CMMC landscape and can help their business work through their compliance questions. With PreVeil, customers have a partner, not just a solution.
Documentation is one of the largest and most overwhelming elements of compliance. However, with the right information and resources, it can become a manageable part of the CMMC journey. PreVeil is here to help. Reach out to one of our compliance experts for a free 15-minute compliance consult, or learn more about how to get a copy of PreVeil's SSP.