How to Make a Great CMMC System Security Plan

Military defense contractors and subcontractors found data protection clauses in their agreements based on the Defense Federal Acquisition Regulation Supplement, dating back to 2017. That began to change in 2020, when the Pentagon started its single security standard known as the Cybersecurity Maturity Model Certification (CMMC). That mandate has evolved into a second incarnation known as CMMC 2.0. To better protect critical data from garden-variety hackers and the advanced persistent threats funded by enemy nations, organizations are now tasked with implementing a CMMC system security plan.

Although most subcontractors and peripheral supply chain outfits should not necessarily struggle to meet the mandate, organizations that store and transmit Controlled Unclassified Information (CUI) will likely require assistance in creating a CMMC system security plan that can detect, respond and expel threat actors. If your organization needs or would benefit from a CMMC system security plan that protects CUI, as well as the company’s own sensitive and valuable assets, it’s in your best interest to work with an expert.

Your CMMC 2.0 Level Drives the System Security Plan

The basis of a sensible CMMC system security plan starts by understanding the cyber hygiene level the federal government expects your enterprise to meet. The initial CMMC program called for five distinct levels, each with a specific set of protective measures. The newly minted 2.0 version reduces that number to the following three.

• Level 1: This “Foundational” level calls for basic cybersecurity measures such as password protections and identity controls. An enterprise required to build and maintain Level 1 protections may not necessarily need to develop a CMMC system security plan. However, any company that does enhance its security protocols would present a defensive posture the vast majority of hackers would find unpalatable.
• Level 2: The “Advanced” cyber hygiene required of companies that fall into this category must demonstrate proficiency with 110 best practices based on the National Institute of Standards and Technology (NIST) SP 800-171 standard. In many cases, the federal government will require an independent assessment performed by a CMMC Third-Party Assessor Organization (C3PAO). This may be the line of security demarcation where organizations are best served by creating a comprehensive CMMC system security plan.
• Level 3: Considered “Expert” security level, military defense contractors and subcontractors handling sensitive data must meet more than 110 practices based on NIST SP 800-172. These essential companies are required to undergo regular assessments conducted by the government. Onboarding an accredited firm to help craft a system security plan may be the best way to meet the standard and remain CMMC compliant.

What is a CMMC System Security Plan?

The concept of a System Security Plan (SSP) has been around long before the Pentagon decided to bring the military industrial base under one cybersecurity umbrella. Back in 2016, a segment of NIST 800-171 called for a “develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented and the relationship with or connections to other systems.” That language was carried forward in section 3.12.4 when NIST made its second revision of 800-171 in 2020.

“System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist,” according to Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

“Effective security plans make extensive use of references to policies, procedures and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering and acquisition,” the report states.

For business leaders outside the managed IT and cybersecurity trades, that insider jargon can be dense, to say the least. In everyday terms, the Pentagon is basically mandating that you implement their security measures. Then, they explain in great detail how every control has been accounted for in your cybersecurity posture. This also involves defensive strategies designed to monitor and enforce the mandated CMMC 2.0 level, as well as accurately describing the roles and duties of information security personnel.

To say the federal government is making a big ask of organizations that do not necessarily focus on managed IT and cybersecurity would be something of an understatement. Fortunately, a C3PAO can not only perform an audit, but we can also intervene earlier in the process to develop and implement a CMMC system security plan before the deadline arrives.

Examples of a CMMC System Security Plan

Some of the basic cyber hygiene practices can achieve compliance through common technology or applications. In these instances, referencing the solution may be adequate for the Feds.

It may seem tedious and labor-intensive, but your CMMC system security plan will likely need to cover each of the more than 110 NIST 800-171 control and best practices one by one. Each of the line items must cite applicable elements of the mandate. Consider the following examples regarding how a military defense contractor or subcontractor might document section 3.12.4 requirements.

• The company will update the system security plan annually and meet emerging CMMC updates.
• Authorized administrators will undergo thorough background checks.
• Only vetted and authorized administrators will be given access to CUI and other critical information.
• The organization’s CISO will be responsible for authorizing data access and updating and finalizing the system security plan.

Along with these somewhat broad strokes, the CMMC system security plan will also need to drill down on hundreds of fine details. Failing to cover seemingly minor elements of the mandate could put your operation in a holding pattern. That could sideline the organization and result in the loss of the lucrative revenue generated from Department of Defense contracts. This is an example of what some of the finer points may look like.

• Complete top-secret security checks will be completed prior to an employee having network access.
• The CISO will oversee and approve only zero-trust user accounts.
• All roles will be assigned and approved in writing by the CISO.

Your CMMC system security plan will also include lengthy sections that go into great detail regarding how information is transferred. That’s largely because advanced persistent threats gather scraps of digital information that may provide clues about our overall military defense. In other cases, an unsecured email or text could be the final piece of a puzzle that aids America’s adversaries in breaching critical networks.

Avoid Common Missteps in Crafting a CMMC System Security Plan

If the sliver of an example leads you to believe orchestrating a system security plan will take Herculean effort to complete, you’re not off the mark. What’s even more problematic is the fact that writing this tome is not optional. Some operations with IT technicians on staff try to save money by attempting to self-assess and write the document off their findings.

While this may seem cost-effective at first blush, the results may prove detrimental. Failing to develop, implement and document the security plan in detail can result in the Pentagon pushing the pause button on current contracts. Missing the mark can also position organizations outside the bidding process, leaving companies without DoD-driven revenue streams for the next fiscal year.

Some businesses may even try to download templates that cover the basics of a system security plan. While some may scratch the CMMC surface, they cannot speak directly to the type of operation you’re running, applications, endpoints, personnel and so on. Templates for things like automobile transactions may satisfy the Department of Motor Vehicles, but not the Department of Defense. That’s why it’s essential not to focus on cutting corners that end up costing time and money. Instead, onboard a C3PAO that can get the job done right the first time.

How a CMMC Expert Can Help You Achieve System Security Plan Compliance

A managed IT firm with CMMC expertise understands how to craft a customized system security plan that meets CMMC guidelines. Firms that have already earned C3PAO are able to seamlessly work on both sides of the mandate — audits and compliance. That’s primarily because they have the expertise and personnel to work in the niche on a daily basis. From a CMMC expert’s perspective, there are five fundamental elements that drive a system security plan. These involve the following.

• Clearly define the network and data boundaries of an organization.
• Identifying the types of CUI the operation stores and transmits.
• Detailing the methods and processes used to store and transmit CUI.
• Identify and articulate how each NIST control is used to protect the CUI within the specific system.
• Identify and cure any cybersecurity gaps that result in vulnerabilities.

These five cornerstones of a robust system security plan may seem relatively straightforward. But each operation must undergo a comprehensive risk assessment to identify vulnerabilities and CMMC shortcomings. Once that leg of the journey has been completed, the third-party CMMC expert produces a report. The company’s CISO, if applicable, and leadership team have an opportunity to review the report. Informed decisions can then be made regarding the best ways to harden the operation’s attack surface, meet the CMMC 2.0 mandate and start the long and sometimes tedious process of producing an acceptable document for the federal government.

Contact Red River to Create a CMMC System Security Plan that Meets Federal Standards

The cybersecurity experts at Red River help businesses in the military industrial base meet the CMMC 2.0 requirements. As an accredited C3PAO, we work with organizations on both sides of the process. The insight our cybersecurity team gains from helping companies remain compliant allows us to streamline the process of crafting a thorough and customized CMMC system security plan.

If you are concerned about the fast-approaching CMMC deadlines or need clarification on your current cybersecurity defenses, call us today or fill out our online contact form. Let’s get the process started!