3.12.4 — Develop, Document, and Periodically Update System Security Plans

A System Security Plan (SSP) is the single document that describes your entire security program for a given system. It explains what the system does, where CUI lives, how you protect it, and how your controls map to NIST 800-171 requirements.

Example 1: Document your network boundary by including a current network diagram (from a tool like Visio or draw.io) that shows your firewall, VLANs, DMZ, VPN concentrator, and where CUI is stored. For each boundary device, note the specific rules -- for instance, your SonicWall firewall's default deny rule on the WAN interface with explicit allow rules only for HTTPS (443) and IPSec VPN (UDP 500/4500).

Example 2: In the SSP, describe how each NIST 800-171 control is implemented. For example, under Access Control, document that you enforce account lockout via GPO: Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy -- threshold set to 3 invalid attempts, lockout duration 15 minutes, reset counter after 15 minutes.

Update the SSP whenever your environment changes -- new systems, new connections, new security tools. Treat it as a living document, not a one-time deliverable.