System Security Plan (SSP)

The System Security Plan (SSP) for each system includes necessary information for the Authorizing Official (AO) to grant an Authorization to Operate (ATO) . The plan contains:

– System identification, which includes the system owner, general description and purpose of the system, and equipment list;

– A list of minimum security controls; and

– Security documents that were developed during the EPLC.

The SSP should be reviewed and updated or verified at least annually once the system is operational.

If the system has changed (system environment, software, hardware, user groups, etc.), the SSP should be updated as soon as the change is made.