Building and Managing a System Security Plan (SSP)

Written by Brady Price

The System Security Plan (SSP) builder in Secureframe helps you create and maintain an up-to-date SSP aligned with CMMC, FedRAMP, or other framework requirements.

Note: This feature is available on select plans. Contact your Account Manager to learn more or to enable it as a trial.

Access the SSP Builder

From the left-hand navigation menu, select the System Security Plan (SSP) module.

Create a new System Security Plan (SSP)

Click “+ Add” to create your first SSP. Give your SSP a name and select your framework. The selected framework determines which sections and requirements are automatically added to your SSP, saving you setup time.

Review Your SSP Overview

After creating your SSP, you'll land on an overview page showing each section's name, description, and status. This homepage gives you a summary of your SSP progress.

Populate Required Sections

Navigate through each section and fill out the required fields. The data you add in each of these sections will be populated in the final SSP document that you generate through Secureframe. The sections in our CMMC SSP include:

  • Program Details: This section provides an overview of your organization's security program, including its purpose, scope, and objectives. It outlines the system's function, its operational environment, and the stakeholders responsible for maintaining compliance.

  • Key Contacts: This section identifies the individuals responsible for the security and maintenance of the system. It includes system owners, security officers, IT administrators, and compliance personnel.

  • Control Implementation: Each CMMC control is broken down into one or more assessment objectives—these are the specific criteria auditors use to evaluate whether a control is properly implemented. Completing all objectives ensures your SSP demonstrates how security controls are working in practice and sets you up for a successful assessment.

  • Control Discussion: This will give users easier access to additional control context/guidance while filling out the SSP. Click "See More" to expand the full guidance.

  • External Service Providers: This section documents all external connections to the system, including vendors, cloud services, and third-party integrations. It describes the security measures in place for data exchange and interconnections.

  • Services, Ports, and Protocols: This section documents the services, ports, and protocols used by the system.

  • Separation of Duties: This section explains how responsibilities are distributed to enforce security best practices and prevent unauthorized actions.

  • Policies and Procedures: This section outlines the security policies and procedures that govern system operations. It includes guidelines for data protection, user access management, and incident response.

  • Attachments: This section serves as a repository for supporting documentation related to the system security plan. It includes security policies, network diagrams, POAM, system configurations, audit logs, and any other materials required for compliance verification. It ensures that all necessary evidence is available for auditors and security teams.

Track implementation status for each assessment objective

On the “Control Implementation” page of your SSP, Secureframe lists all 110 CMMC Level 2 controls. These controls are sorted by control family by default, but you can always filter/sort/search within the table.

Clicking on a control opens a slide-out containing every assessment objective for that control. For each assessment objective you must mark "Implemented", "Not Implemented", or "Not Applicable" and add an implementation statement. You can also attach policies, attachments, or POA&M items to each assessment objective from this slide-out.

The statuses of your assessment objectives will roll up to the control level, and once all assessment objectives are implemented (or not applicable) your control will be marked as "Implemented" and you will receive the SPRS points for that control. You can see your up-to-date SPRS score on the main page of each SSP:

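The roll-up rule above (every objective Implemented or Not Applicable means the control is Implemented and earns its points; anything else leaves the control Not Implemented and forfeits them) as a small added illustration. This is not Secureframe's code; the control IDs, objective statuses and point values are constructed sample data, and the "full score" is just the sum of the sample controls' points rather than the real 110-point scale.

```python
"""Roll assessment-objective statuses up to control status and tally an
SPRS-style score. Illustration only; point values are assumed, not the
official DoD Assessment Methodology weights."""
from dataclasses import dataclass, field

IMPLEMENTED = "Implemented"
NOT_IMPLEMENTED = "Not Implemented"
NOT_APPLICABLE = "Not Applicable"
VALID = {IMPLEMENTED, NOT_IMPLEMENTED, NOT_APPLICABLE}


@dataclass
class Control:
    control_id: str
    points: int                                      # assumed point value
    objectives: dict = field(default_factory=dict)   # objective id -> status


def control_status(control: Control) -> str:
    """Implemented only when every objective is Implemented or N/A.
    An objective left unmarked or marked Not Implemented keeps the whole
    control at Not Implemented; a control with no objectives assessed yet
    is also Not Implemented."""
    statuses = list(control.objectives.values())
    if not statuses:
        return NOT_IMPLEMENTED
    unknown = [s for s in statuses if s not in VALID]
    if unknown:
        raise ValueError(f"{control.control_id}: unknown status {unknown[0]!r}")
    if all(s in (IMPLEMENTED, NOT_APPLICABLE) for s in statuses):
        return IMPLEMENTED
    return NOT_IMPLEMENTED


def sprs_score(controls: list) -> int:
    """Start from the full score and subtract the points of every control
    that has not rolled up to Implemented."""
    total = sum(c.points for c in controls)
    lost = sum(c.points for c in controls
               if control_status(c) == NOT_IMPLEMENTED)
    return total - lost


# Constructed sample data, not a real assessment.
SAMPLE = [
    Control("AC.L2-3.1.1", 5, {"a": IMPLEMENTED, "b": IMPLEMENTED, "c": NOT_APPLICABLE}),
    Control("AC.L2-3.1.2", 5, {"a": IMPLEMENTED, "b": NOT_IMPLEMENTED}),
    Control("AU.L2-3.3.1", 5, {"a": IMPLEMENTED, "b": IMPLEMENTED}),
    Control("AT.L2-3.2.1", 3, {}),   # nothing marked yet
]
```

Running `sprs_score(SAMPLE)` on the sample gives 10: the two fully implemented controls keep their points, while the partially implemented and unassessed ones lose theirs.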
Create and remediate POA&M items for any gaps

As you work through the control implementation page, you will likely find items that are not fully implemented. For these items, you can create a Plan of Action and Milestones (POA&M) to address the gap. To learn more about our POA&M tool, refer to the following help article: Creating and Managing POA&Ms (Plans of Action and Milestones)

Export your SSP

Once all sections are complete, you can export your final SSP document in two simple steps:

Step 1: Generate the Export

  • Navigate to the “Exports” tab from the main SSP page.

  • Click “Generate export.”

  • Add a brief description for your export.

  • Click “Generate.”

The export may take up to a minute to generate. Once ready, it will appear in the “Report exports” table.

Step 2: Download the Export

  • Head to the “Exports” tab, where your generated report will be displayed.

  • Click the three-dot menu next to the report you wish to download and select "Download".

  • Choose to include your attachments and policy files in the export by checking the corresponding boxes.

  • Click “Download” to receive the complete export, including all necessary documentation for your audit.

Frequently Asked Questions (FAQ)

How do I access the new Federal Features like SSP or POA&M?

Will importing data from SF Comply overwrite my SSP content?

  • Importing from SF Comply will only overwrite the implementation response status for assessment objectives. It will not overwrite implementation statements or narrative content already entered in the SSP.

When should I import data from SF Comply into the SSP?

  • It is best to complete your implementation work in SF Comply first, then import into the SSP. If needed, you can choose to import only vendors and policies to avoid updating implementation statuses.
