Building and Managing a System Security Plan (SSP)

The System Security Plan (SSP) builder in Secureframe helps you create and maintain an up-to-date SSP aligned with CMMC, FedRAMP, or other framework requirements.

This feature is available on select plans. Contact us to learn more.

Access the SSP Builder

From the left-hand navigation menu, select the System Security Plan (SSP) module.


Create a new System Security Plan (SSP)

Click “+ Add” to create your first SSP. Give your SSP a name and select your framework. The selected framework determines which sections and requirements are automatically added to your SSP, saving you setup time.

Review Your SSP Overview

After creating your SSP, you’ll land on an overview page showing each section’s name, description, and status. This homepage gives you an overview of your SSP progress.

Populate Required Sections

Navigate through each section and fill out the required fields. The data you add in each of these sections will be populated in the final SSP document that you generate through Secureframe. The sections in our CMMC SSP include:

  • Program Details: This section provides an overview of your organization's security program, including its purpose, scope, and objectives. It outlines the system's function, its operational environment, and the stakeholders responsible for maintaining compliance.
  • Key Contacts: This section identifies the individuals responsible for the security and maintenance of the system. It includes system owners, security officers, IT administrators, and compliance personnel.
  • Control Implementation: Each CMMC control is broken down into one or more assessment objectives—these are the specific criteria auditors use to evaluate whether a control is properly implemented. Completing all objectives ensures your SSP demonstrates how security controls are working in practice and sets you up for a successful assessment.
  • External Service Providers: This section documents all external connections to the system, including vendors, cloud services, and third-party integrations. It describes the security measures in place for data exchange and interconnections.
  • Services, Ports, and Protocols: The selected framework determines which sections and requirements are automatically added to your SSP, saving you setup time.
  • Separation of Duties: This section explains how responsibilities are distributed to enforce security best practices and prevent unauthorized actions.
  • Policies and Procedures: This section outlines the security policies and procedures that govern system operations. It includes guidelines for data protection, user access management, and incident response.
  • Attachments: This section serves as a repository for supporting documentation related to the system security plan. It includes security policies, network diagrams, POA&M, system configurations, audit logs, and any other materials required for compliance verification. It ensures that all necessary evidence is available for auditors and security teams.

Here is a screenshot from the Separation of Duties section:

Track implementation status for each assessment objective

On the “Control Implementation” page of your SSP, Secureframe breaks down all 320 CMMC assessment objectives. This constitutes the bulk of the work in generating and managing an SSP, as you will need to provide implementation statements and evidence showing how you comply with each objective.


Create and remediate POA&M items for any gaps

As you work through the control implementation page, you will likely find items that are not fully implemented. For these items, you can create a Plan of Action and Milestones (POA&M) to address the issue. To learn more about our POA&M tool, refer to the following help article: Creating and Managing POA&Ms (Plans of Action and Milestones).

Export your SSP

Once all sections are complete, you can export your final SSP document. Navigate to the “Exports” tab from the main SSP page, and click “Generate export.” Add a brief description and click “generate.” It may take up to a minute to generate your document, and when it is ready it will be displayed in the “Report exports” table.

Frequently Asked Question (FAQ)

How do I access the new Federal Features like SSP or POA&M?

 
