What is an SSP and POA&M? What’s the Difference?

What is a System Security Plan (SSP)?

A System Security Plan (SSP) is an iterative document, meant to be updated whenever the company changes anything substantive about its security posture. Much like a well-kept Wikipedia page, every major update or remediation needs to be recorded and reviewed by other individuals. Information like network diagrams, administration roles, company policies, and security responsibilities by employee type is important for a complete SSP.

For the purposes of NIST 800-171 and CUI requirements, the SSP includes the necessary information about each system in your environment that processes, stores, and transmits CUI. This information includes the security configurations or capabilities that are currently implemented, or intended to be implemented, and each capability is expressly tied to specific security requirements and controls. Furthermore, the SSP defines how these systems interact with one another (flow of information and shared authentication/authorization), as well as how they behave separately.

What is a Plan of Action and Milestones (POA&M)?

If the SSP is the collective details of a business’s security posture and system(s) profile, the POA&M is the honey-do list. Each company’s POA&M is likely different because it includes information about weaknesses and gaps according to NIST 800-171 standards, as well as the risk posture for each respective gap and any mitigating steps the company intends to take. We often suggest similar entries for each of our clients’ POA&Ms; however, not every company will decide to address every risk in the same way. After all, these are business decisions with operational and financial implications.

Bottom line: you have to possess a complete SSP and POA&M in order to conduct work for the Federal Government. A “complete” SSP is a working and living document, and a “complete” POA&M really is an empty document once you configure Office 365 and your other systems properly. As time goes on, your SSP will become larger in size to include more details about your environment and implementations. Conversely, the POA&M should become a much smaller document as you check items off, take action, and reach milestones. Below is a graphical representation of this. If a system is added to your environment or a major system change is made, new items can be added to your POA&M to accommodate those changes.

Why do we need an SSP and POA&M?

Both deal directly with your company’s security and risk mitigation planning. It is good practice for almost any business to have both a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). For NIST 800-171 compliance, it is a must. Additionally, an SSP and POA&M will be the baseline for contractors’ Cybersecurity Maturity Model Certification (CMMC).

Excerpt from NIST 800-171 

Nonfederal organizations should describe in a system security plan, how the specified security requirements are met or how organizations plan to meet the requirements. The plan describes the system boundary; the operational environment; how the security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. 

When requested, the system security plan and any associated plans of action for any planned implementations or mitigations should be submitted to the responsible federal agency/contracting officer to demonstrate the nonfederal organization’s implementation or planned implementation of the security requirements. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization. 

Source: What is an SSP and POA&M? What’s the Difference? (summit7.us)