Cybersecurity: System Security Plan Template
The Computer Security Resource Center portion of the NIST website has published a System Security Plan (SSP) template for controlled unclassified information (CUI). It can be found by clicking “CUI SSP template” on the right-hand side under “Documentation” at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final#pubs-topics.
This SSP template tracks verbatim the 110 security control requirements of NIST SP 800-171 and, for each one, requires contractors to respond whether the requirement has been “Implemented,” is “Planned to be Implemented,” or is “Not Applicable.” If the response is N/A, the organization must provide an explanation of its rationale. The template comes with the following Planning Note: “There is no prescribed format or specified level of detail for SSPs. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.” If certain security requirements are being met with an alternative security control measure that is equally effective, the procedure set forth in DFARS 252.204-7012 explains how to submit a variance request to your contracting officer.
Registration on DIBNet
PilieroMazza PLLC advises clients in the industry to register on DIBNet now—before you’re in the throes of a cybersecurity incident. But, please note: the URL for accessing the DIBNet portal has changed. If you use the old link, the following information will pop up: “Thank you for trying to access the Defense Industrial Base Network. Our site has recently undergone changes and has a new URL for enhanced security. Please access DIBNet at the new URL at https://dibnet.dod.mil.” And, just so you’re ready in the unfortunate event that you must “rapidly report” (within 72 hours) a cybersecurity breach, it is not too late to gather the 20 items of information that you’ll need to furnish to DoD, namely:
- Company name
- Company point of contact information (address, position, telephone, and email)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected or potentially affected
- Contracting Officer or other type of agreement point of contact (address, position, telephone, and email)
- USG Program Manager point of contact (address, position, telephone, and email)
- Contract or other type of agreement clearance level (unclassified, confidential, secret, top secret, or not applicable)
- Facility CAGE code
- Facility Clearance Level (unclassified, confidential, secret, top secret, or not applicable)
- Impact to Covered Defense Information
- Ability to provide operationally critical support
- Date incident discovered