System Security Plan

The System Security Plan (SSP) page provides a structured interface for documenting the security posture of an information system. This page guides users through each section required to build a comprehensive SSP, which can then be exported in Microsoft Word or OSCAL (JSON) formats.

Each section plays a key role in compiling a complete and compliant security plan. Use the interface to enter, manage, and review critical system details. Below is a guide to each section.

1. System Identification

This section captures core information that defines the system, such as:

  • Identifier – A unique name or reference code for the system.
  • Risk Categorization – The system’s categorization under relevant security frameworks.
  • CAGE Code – If applicable, the system’s Commercial and Government Entity Code.

This foundational section helps establish the scope of the SSP and identifies the responsible organization.

2. System Responsibilities

This section defines the key roles associated with the system’s security, management, and oversight.

Tabs

Assign Responsibilities

Assign key personnel to roles critical to the system’s operation and security. Available roles include:

  • Responsible Person – Primary contact for overall system oversight.
  • System Owner – Manages day-to-day operations and security of the system.
  • Information Owner – Oversees the protection and classification of system data.
  • System Security Officer – Ensures implementation and enforcement of security controls.
  • System Security Support – Assists in maintaining system security under the Security Officer.

These roles are included in the final SSP output and help ensure clear accountability across the organization.

Users

View and manage user entries relevant to the SSP. While you can create and delete local users here, global users (from the tenant-level directory) are visible but cannot be modified. However, global users can be assigned as responsible parties.

3. System Summary

Provide a high-level overview of your information system. This summary helps contextualize the system’s purpose and architecture for reviewers.

You’ll be prompted to describe:

  • System name, purpose, and location
  • System boundaries
  • System components
  • Security requirements
  • Implemented security controls

Use this section to define what the system does, who it serves, and how it meets its security obligations.

4. System Components

List and manage the individual components that make up your system, including hardware, software, and network elements.

You can:

  • Add new components
  • Edit existing entries
  • Delete obsolete components

Common examples include servers, workstations, routers, firewalls, applications, and databases.

Accurately documenting each component ensures that all parts of your system are covered by appropriate security controls.

5. Review

This is the final step before generating your SSP. Review all previously entered information in one place.

  • Generate SSP – Once the review is complete, generate the System Security Plan in either:

    • Microsoft Word format (for human-readable documentation)
    • OSCAL (JSON) format (for machine-readable compliance tools)

This is the only page where the Generate SSP button is available.

Next Steps

After generating the SSP, you can share the document with auditors, stakeholders, or compliance tools as needed. To make future updates easier, maintain accurate and up-to-date records across all sections.