Documentation of a FISMA system’s features and security requirements, along with controls and procedures for information protection
What is a System Security and Privacy Plan (SSPP)?
The System Security and Privacy Plan (SSPP) is not one document, but a collection of information associated with the FISMA system security. The SSPP provides an accurate, detailed description of the FISMA system itself, its security requirements, and the controls that are in place to protect the system. It also explains the responsibilities and expected behavior of all individuals who access the system.
The SSPP is a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system. The SSPP is a key element of the process for a system gaining permission to operate at CMS through the Authorization to Operate (ATO) process (and also for re-authorization if there are significant changes to the system resulting in the need for a new ATO).
The SSPP maps directly to the CMS Acceptable Risk Safeguards (ARS) 5.1 Security and Privacy Planning (PL) family of controls. SSPPs are completed within the CMS FISMA Controls Tracking System (CFACTS).
The SSPP is a living record that is continually managed and updated within the CMS FISMA Continuous Tracking System (CFACTS).
When is an SSPP required?
An SSPP is required as part of the Authorization to Operate (ATO) process. Here are the circumstances that require a new SSPP or an updated version of your current SSPP:
- You are initiating a new system and need to complete its initial ATO
- All SSPPs should be reviewed annually for accuracy
- It is the third year of your system’s ATO cycle, which will require a new ATO
- There has been a change to your system
- There have been personnel changes on your system’s team
The SSPP is also one of the Tier 1 Documentation used when your system has a CSRAP assessment. That means that the CSRAP Team uses information contained within your completed SSPP to inform their overall assessment of your system. You may need to create a new SSPP or update your system’s current SSPP to comply with CSRAP requirements. A CSRAP assessment is a requirement for a successful ATO.
What information does an SSPP contain?
The SSPP lays out the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system - including information owners, the System / Business Owner, and the Senior Agency Information Security Officer (SAISO).
The System / Business Owner must provide evidence that the strategy for protecting the system has been put into place. At a minimum, the SSPP must include:
- Identifying information about the system
- Overall management controls currently implemented
- Day-to-day procedures and mechanisms serving as operational controls
- Technical controls
- Any additional relevant supporting documentation
Who completes an SSPP?
The SSPP is completed by the System/Business Owner, who will secure the appropriate information related to the system’s security and privacy controls. They will also lead the process of conducting risk assessments, implementing required controls, and developing contingency and disaster recovery plans that ensure the system's availability for mission accomplishment.
How do I complete an SSPP?
The System/Business Owner must first identify system software, apps, or tools whose failure could lead to a breach of system security or privacy. If there are such items present, a strategy must be developed and implemented to ensure system safety.
The System Security and Privacy Plan (SSPP) Template can help System/Business Owners organize all the information needed to complete the SSPP before entering it into CFACTS.
If your SSPP information is already entered in CFACTS, you can manage and update it there. To start a new SSPP in CFACTS, go to the Authorization tab for the system and find the section for SSPP.