Ohio University

System Security Plan

A System Security Plan (SSP) is a document that describes the security controls associated with a given system. Each SSP shall be developed in accordance with the guidelines contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems, and applicable risk mitigation guidance and standards. As such, the Information Security Office has developed a System Security Plan Template.

The SSP documents the following elements of a given system:

  • A description of the system’s purpose and operational function.
  • The sensitivity classification of the data that will be stored, processed, or transmitted via the system.
  • The point of contact, roles, and responsibilities associated with a system and its security controls.
  • The current state of a given security control (for example: non-existent, planned, partially implemented, or fully implemented).
  • The detailed description of the implementation of a given security control including any technical, administrative, or physical requirements.
  • Identification and description of any dependencies and connections between the information system and any other systems.