System Security Plan
Also known as: SSP
A System Security Plan (SSP) is the written document that describes the boundary of a contractor's information system, the security controls implemented to protect it, and how each applicable requirement is satisfied. NIST SP 800-171 control 3.12.4 requires an SSP at Level 2; at Level 1 an SSP is not required by regulation but is considered a best-practice evidence artifact.
Related terms
- Assessment Objective
An assessment objective is a discrete, atomic statement an assessor uses to determine whether a security requirement has been satisfied. NIST SP 800-171A breaks each of the 110 NIST SP 800-171 controls into multiple assessment objectives (approximately 320 in total). The CMMC Level 1 Assessment Guide breaks each of the 15 requirements into a smaller set of objectives.
- Self-Assessment
A CMMC self-assessment is an internally conducted evaluation of an organization's implementation of the applicable security requirements, performed without a third-party assessor. CMMC Level 1 is exclusively self-assessed; CMMC Level 2 is self-assessed for some programs and C3PAO-assessed for others, depending on the contract requirement.