Reference: CMMC 2.0
Level Introduced: 2
Title: System Security Plan
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
A system security plan (SSP) is a document that outlines how an organization implements its security requirements. An SSP outlines the roles and responsibilities of security personnel. It details the different security standards and guidelines that the organization follows. An SSP should include high-level diagrams that show how connected systems talk to each other. The organization should outline its design philosophies in its SSP. Design philosophies include defense-in-depth strategies as well as allowed interfaces and network protocols. All information in the SSP should be high-level. Include enough information in the plan to guide the design and implementation of the organization's systems. Reference existing policies and procedures in the SSP.
You are in charge of system security in your organization. As part of your job, you develop a system security plan (SSP). The SSP tells all employees how they can meet the organization's system security goals. The SSP should explain how to handle your important information. Examples include who can access important information, where you should store it, and how you can transmit it. By defining a clear SSP, you can design and build your network to ensure that it meets the SSP-defined goals. You can also use your SSP to outline the organization's:
• security requirements;
• current status of those requirements; and
• plan to meet the requirements in the future.