3.12.4 Develop, Document, Update, Implement System Security Plan

Unclassified Information in Nonfederal Systems and Organizations: Security Requirement 3.12.4, System Security Plan

While Revision 1 of the NIST SP 800-171 added the system security plan as an explicit requirement – the original version of the publication stated that the system security plan “is expected to be routinely satisfied by nonfederal organizations without specification…”. Even without Revision 1 of the NIST SP 800-171 – the contractor may still document implementation
of the security requirements with a system security plan.

Frequently Asked Questions (FAQs), dated January 27, 2017, regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 address this in FAQ 34 as follows: The “system security plan” is addressed in NIST 800‐171 as “expected to be routinely satisfied by nonfederal organizations without specification” as part of an overall risk‐based information security program (see footnote 16, page 6 and Table E‐12, PL‐2). The system security plan should be used to describe how the system security protections are implemented, any exceptions to the requirements to accommodate issues such as those listed in the question above, and plans of action as provided by security requirement 3.12.2, to correct deficiencies and reduce or eliminate vulnerabilities. Elements of the security plan may be included with the contractor’s technical proposal (and may subsequently be incorporated as part of the contract).

(Extract from The Cyber DFARS: Key Questions, Asked & Answered Part I by Robert S. Metzger October 2017)
SP 800-171 imposes no required format or minimum content for a SSP. Companies should approach its preparation with a risk-informed assessment which takes into account the nature and source of information they receive from or generate for the Government, the nature of their information systems, their present security measures, and the resources they can apply. In other words, each SSP is distinct to the enterprise which prepares it. A SSP should include a self-assessment. SP 800-171 calls for attention to policy and process, IT system configuration, and to hardware and software.

The SSP should begin with an informed comparison of what is in place or planned, on the one hand, with each of the 110 safeguards. Where risks are found or gaps are identified, a company should document a plan to mitigate the risks and close the gaps. There is no deadline to complete the action plan. In fact, DoD recognizes that some of the more difficult -171 requirements, such as “multi-factor authentication,” may not be completed until well after the Dec. 31, 2017 “compliance” date.

The DPAP memorandum of Sep. 21, 2017 stresses the importance of the SSP; indeed, it is described as a “critical input to an overall risk management decision” of whether a federal requiring activity should entrust CDI to potential contractors. Although the SSP should be documented, there is no current or generally applicable requirement for companies to disclose their SSP to any government officer, and there is no DFARS obligation that subcontractors disclose their SSP to a higher tier (prime) contractor.

Companies should recognize, however, that the DCMA may check to see that a SSP was prepared, and the SSP may be scrutinized for adequacy should there be a reported cyber incident with adverse impact. Moreover, and as explained in the DPAP memo, requiring activities can request, evaluate and even score SSPs in an acquisition and competition process.