Sum IT Up: CMMC News Roundup
Episode: System Security Plan Crash Course
Host: Summit 7
Date: June 19, 2025
Episode Overview
This episode delivers a comprehensive crash course on System Security Plans (SSPs), a requirement that often perplexes and frustrates defense contractors working under the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), NIST SP 800-171, DFARS, and related frameworks. The discussion tackles the history, theory, evolution, and practical challenges of SSPs, why they matter, what’s required, and the urgent need for better guidance and real-world examples. The hosts also call on listeners to comment on the impending NIST SP 818 revision, which could influence the future clarity and usefulness of SSP practices.
Key Discussion Points and Insights
1. The Historical and Regulatory Context of SSPs
- Long history, mandatory status: SSPs predate modern frameworks, originating from the 1987 Computer Security Act. They’ve been a federal requirement for decades and are now central to compliance regimes like DFARS, CMMC, and NIST SP 800-171 ([00:02]–[03:14]).
- "SSPs are older than I am. They go all the way back to the Computer Security Act of 1987." — Host A [00:59]
- Legal and contractual consequences: Not having (or maintaining) an SSP can result in loss of assessment score, contract disqualification, or even multimillion-dollar False Claims Act fines ([00:28]–[04:27], [04:27]–[07:21]).
2. Why SSPs Matter—Theoretical Foundations
- SSP as security architecture/blueprint: The SSP is compared to the architectural design of a house; it defines what’s in the system, its boundaries, and how defense is structured—a living document, as security itself is never static ([03:14]–[04:27]).
- "The SSP is... the most vital document to any security program. It is the foundation... like the architecture design of a house." — Host B [03:22]
- Federal risk management context: Originally, SSPs sat within a larger organizational information security program. In non-federal (defense contractor) environments, they're more like assessment outlines—sometimes reduced to simply aligning with NIST SP 800-171A ([08:00]–[10:42]).
3. What an SSP Is (and Isn't)
- No prescribed format, but core content: SSPs must cover system boundaries, environments, security requirement implementations, and connections to other systems—with flexibility in structure ([15:11]–[15:44]).
- "There are no specified formats for what an SSP... can look like whatever you want. You can, you can put tables, you can put charts, you could do drawing and crayon." — Host A [15:19]
- Not a complete security program: SSPs cover systems, not organization-wide security programs. Lack of overall program context has made retroactive compliance much harder for contractors ([16:05]–[19:55], [27:44]–[34:22]).
- Living document: SSPs must be regularly updated (at least annually or whenever there are significant changes/incidents)—not a "set and forget" artifact ([37:49]–[39:01]).
4. Harsh Realities and Industry Pain Points
- Assumptions gone wrong: Early versions of NIST SP 800-171 assumed organizations already had robust security programs and plans. In reality, many did not—which led to confusion and compliance gaps ([30:42]–[34:22]).
- "They assumed that because you were already on contract... you would have had a plan... and that's when we got into the trap where we said we've assumed too much." — Host A [33:36]
- Templates lacking, guidance absent: The only “templates” available from NIST are abstract, lacking concrete examples. This leaves organizations confused and reliant on costly consultants ([39:01]–[44:12]).
- "If you have not looked at the SSP template on the 171 website and you go there as we're talking, you're going to be upset. ...It is not helpful." — Host A [42:16]
5. What Should an SSP Include (by NIST SP 800-171 & 171A)
- At a minimum:
  - System boundary description
  - Operational environment
  - How requirements are implemented
  - Connections to other systems/MSPs (especially crucial for CUI)
  - Frequency of plan updates (must be defined)
  - Coverage of all 110 requirements in NIST SP 800-171 (320 criteria in 171A) ([37:49]–[40:02])
6. The Call to Action: Comment on NIST SP 818 Revision
- NIST needs your feedback: With NIST revising SP 818 (guidance for SSPs), everyone is strongly encouraged to request that NIST provide real-world, concrete examples—something the community desperately needs. Deadline is July 30, 2025 ([44:21]–[47:31]).
- "Please, please. If you've gotten anything from this podcast... I am now asking you for a favor... Submit comments to NIST saying give us examples of control implementation descriptions." — Host A [45:38]
Notable Quotes & Memorable Moments
- On compliance risk: "If you don't have a system security plan, you can't have an assessment score... you could easily be fined millions of dollars under the False Claims Act, whether you're a big company or a small company." — Host A [00:28]
- On the lack of guidance: "It is absurd that there are not available examples of what's going on. And I do not accept this idea that... if they provide an example, people will... only do that. When you don't provide examples, people don't do it." — Host A [43:20]
- On the evolution of SSP expectations: "CMMC is a version of the risk management framework. FedRAMP is a version... This narrowing of system security plans means... these narrow SSPs are more like assessment outlines based on NIST SP 800 171A rather than these broad executive summary documents." — Host A [08:00]
- On the core problem: "SSPs weren’t designed to describe your overall information security program, just the plan for an individual system... This becomes a big problem if you have a very, very narrow set of requirements..." — Host A [19:55]
- The plea for examples: "This is an example where we need [NIST] to be prescriptive. We need the prescriptive examples. Right? Please. We need a handhold. People need to know where to start." — Host A [47:31]
Important Segment Timestamps
| Timestamp | Key Topic/Quote |
|-----------|-----------------|
| 00:02 | SSPs—history, legal background, and introduction |
| 03:14 | Why SSPs are the foundation of security programs |
| 04:27 | Who SSPs apply to; DFARS and assessment requirements |
| 08:00 | The evolution of SSPs: theory vs. practice |
| 15:11 | No set format—flexibility and the problem of no templates |
| 16:05 | Why NIST doesn’t prescribe formats; challenges for SMBs |
| 27:44 | How assumptions about plans led to headaches in CMMC/DFARS |
| 33:36 | The “trap” of assuming everyone had a plan |
| 39:01 | Content requirements and update frequency for SSPs |
| 42:16 | NIST’s unhelpful SSP templates |
| 45:38 | Urging community feedback on NIST SP 818 |
| 47:31 | The case for NIST providing prescriptive examples |
Summary and Final Takeaways
- SSPs are non-negotiable for defense contractors and anyone with DoD cybersecurity obligations.
- Current state: The lack of concrete examples, set templates, and practical guidance means organizations are often lost, trying to retrofit security plans into existing environments—an effort compounded by regulatory and legal risks.
- What’s needed: Universal, specific examples from NIST would drastically improve compliance, ease assessments, and save organizations time and money.
- Action:
  - If you care about security, CMMC, or work with NIST-based frameworks, comment on the NIST SP 818 revision by July 30, 2025, and request robust, real-world sample SSPs.
Links promised in this episode:
For questions and feedback, or to share your own working SSP templates:
Let the hosts know, and stay tuned for deep dives into other aspects of system security planning.
