SSP vs. POAM: What Government Contractors Need to Know About System Security Plans
An SSP and POA&M (DFARS 7012 requirement) are the baseline for contractors' Cybersecurity Maturity Model Certification (CMMC), which you need to continue winning DoD contracts.
One of the most important aspects of cybersecurity for DoD contractors – even those who don’t have to meet NIST 800-171 guidelines – is a security/risk mitigation plan.
Regardless of the industry you’re in, it is a good practice for most businesses to have both a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). For NIST 800-171 requirements and CMMC compliance, it is a must to understand both.
For CMMC compliance, a POA&M is not an option because of the mandate's nature: CMMC assessment is a pass or fail scenario, so contractors cannot satisfy a requirement by "planning" to make changes in the future.
The SSP, however, is a direct requirement for CMMC Level 2 compliance.
NIST 800-171 specifically states that “nonfederal organizations should describe in a system security plan [SSP] how the specified security requirements are met or how organizations plan [POA&M] to meet the requirements.”
What is an SSP (System Security Plan)?
A System Security Plan (SSP) is a living document that changes as the company's security changes. Think of it like updating a Wikipedia page. You need to write down and review any big changes to this document.
According to NIST 800-171, the System Security Plan (SSP) should describe:
- the system boundary
- the operational environment
- how the security requirements are implemented
- the relationships with or connections to other systems
The SSP should include, among other things:
- network diagrams
- administration roles
- company policies
- security responsibilities by employee type
- security configurations or capabilities that are either currently implemented or intended to be implemented with each capability expressly tied to specific security requirements and controls
- how each system interacts with one another (flow of information and shared authentication/authorization) and how they behave separately
Here is a guide from NIST about how to create an SSP.
What is a POA&M (Plan of Action and Milestones)?
If the SSP is the collective detail of a business' security posture and system(s) profile, the POA&M is the honey-do list: the running list of gaps that still need to be closed.
It communicates where the company needs to improve according to NIST 800-171 rules, how risky each issue is, and what the company plans to do about it. Each company can choose its own way to fix security and compliance gaps based on its needs.
A Plan of Action and Milestones (POA&M) should describe:
- How any unimplemented security requirements will be met
- How any planned mitigations will be implemented
NIST states, “Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.”
When requested, the system security plan (SSP) and any associated plans of action (POA&M) should be submitted to the responsible federal agency/contracting officer. Federal agencies may consider the submitted SSPs and POA&Ms as critical inputs to decide whether or not to pursue an agreement or contract with the organization.
Note: For DoD contractors, CMMC requires you to have an SSP, but no POA&Ms. Why? Because you can't pass a test by telling the teacher that you "planned to study for that part of the exam". The use of POA&Ms will be obsolete once CMMC is solidified in the Federal Register, meaning the final CMMC rule is published and in effect.
SSP vs. POAM
A "complete" SSP is a working and living document, and a "complete" POA&M really is an empty document once you configure Microsoft 365 and your other systems properly.
As time goes on, your SSP will become larger in size to include more details about your environment and implementations. Conversely, the POA&M should become a much smaller document as you check items off, take action, and reach milestones.
Of course, once a system is added to your environment or a major system change is made, new items can be added to your POA&M to accommodate those changes. Such additions should be few and far between, however.
Ideally, once your POA&M is closed out, you are ready to submit your SPRS score and then schedule your upcoming CMMC assessment with an authorized C3PAO.
What to Do Next
Read NIST SP 800-171 and have others in your organization do the same. You'll need to assess your current security posture against the current version of NIST 800-171, and then submit your score to SPRS.
Maintaining a good SSP and POA&M requires the involvement of different people in your company, like IT, operations, human resources, and security personnel. Even if you have a very small business, it's important to have different viewpoints represented in these documents. For both the SSP and POA&M, it's hard for one person to know everything about the 110 controls described in NIST 800-171, and one person can't fix all the issues alone.
Remember, it doesn't have to be perfect to start; it's more important to start somewhere. If you want to work with the Federal Government into the foreseeable future, you'll need a complete SSP and a closed-out POA&M. These documents change over time as your business changes, but getting started by following these steps will leave you well-prepared to win more contracts in the future.