Document Control No. / Version / Date
000000000001 / 1.0 / <Insert Date>

Insert Company Logo

<Insert Company Name>

Security Assessment Report,

System Security Plan, and

Plan of Action

Dated: <Insert Date> / <Insert First-name Middle-Initial Last-name>
<Title>
<Company Name>
<Company Address Line 1>
<Company Address Line 2>
<Phone Number>
<Email>

This document includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed—in whole or in part—for any purpose other than to evaluate this document. If, however, a contract is awarded to this offeror as a result of—or in connection with—the submission of this data, the Government shall have the right to duplicate, use, or disclose the data to the extent provided in the resulting contract. This restriction does not limit the Government’s right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets <insert numbers or other identification of sheets>.

Table of Contents

1.0. Disclaimer

2.0. About GTPAC

3.0. Introduction and Overview

3.1. About this Template

3.2. Intended Audience

3.3. Instructions on How to Utilize This Template

3.4. How Security Control Compliance Information will be Documented and Organized

4.0. Security Assessment Report, System Security Plan, and Plan of Action

4.1. Company Profile

4.2. General Overview of the System

4.3. Security Control Compliance and Implementation Information

1.0. Disclaimer

This template was created by the Georgia Tech Procurement Assistance Center (“GTPAC”) and was funded through a cooperative agreement with the Defense Logistics Agency (“DLA”). This template is intended to be used in conjunction with the National Institute of Standards and Technology (“NIST”) Manufacturing Extension Partnership (“MEP”) Cybersecurity Self-Assessment Handbook (the “Handbook”), available at:

This template is provided as a guide only, and the Georgia Institute of Technology, the Georgia Tech Research Institute, and GTPAC (collectively “Georgia Tech”) do not make any warranty, representation, or guarantee, either expressed or implied, with respect to the accuracy, completeness, or usefulness of this document and the information contained herein. Georgia Tech also makes no claims that use of this template will satisfy the regulatory requirements of the Department of Defense (“DoD”), Defense Federal Acquisition Regulation Supplement clauses 252.204-7008 and 252.204-7012, or the requirements outlined in NIST Special Publication 800-171 Revision 1. Compliance with these requirements can only be achieved through the proper implementation of the required security controls and policies and by adequately documenting a System Security Plan and Plan of Action.

It is our hope that providing this template will make the process of achieving compliance with DoD cybersecurity requirements easier for DoD government contractors. However, it is ultimately up to the contractor to assess its information technology systems and to assure that its implementation of the aforementioned controls, policies and documentation is adequate and meets all legal and regulatory requirements. By using this template, the contractor agrees that Georgia Tech is not responsible for any liabilities or damages that may result from the use of this template or the use of any processes or methods described herein. This template does not reflect the official views or policies of Georgia Tech or the DoD.

Issue Date: December 2017

2.0. About GTPAC

GTPAC is a Procurement Technical Assistance Center (“PTAC”) that helps businesses identify, compete for, and win government contracts. For the past 31 years, the Defense Logistics Agency (“DLA”) has teamed with Georgia Tech to provide assistance to Georgia businesses navigating government contracting. GTPAC’s no-cost assistance to Georgia businesses comes in the form of teaching, mentoring and coaching. GTPAC regularly offers free training seminars in-person and via webinar covering a whole range of government contracting topics. GTPAC is part of a nationwide network of PTACs which can be located at:

3.0. Introduction and Overview

3.1. About this Template

This template was produced by GTPAC in response to the Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which requires certain defense contractors with a covered contractor information system[1] that processes, stores, or transmits covered defense information[2] to immediately implement the cybersecurity controls outlined in NIST Special Publication (“SP”) 800-171[3] (hereinafter “NIST SP 800-171”). NIST SP 800-171 provides a single set of performance-based security requirements for protecting “covered defense information” on “covered contractor information systems.” DFARS 252.204-7012, which is now being incorporated in full text or by reference in most DoD contracts, requires defense contractors to “implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” See 252.204-7012(b)(2)(ii)(A).

Likewise, companion DFARS clause 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” requires defense contractors submitting an offer in response to most DoD opportunities to represent “that it will implement the security requirements specified by [NIST SP 800-171]…not later than December 31, 2017.” See DFARS 252.204-7008.

In December 2016, NIST issued a revision to NIST SP 800-171, called “Revision 1.” The revision outlined that NIST SP 800-171 requires that covered contractors create a “system security plan” and “plans of action” to achieve compliance. It states as follows:

Nonfederal organizations should describe in a system security plan, how the specified security requirements are met or how organizations plan to meet the requirements. The plan describes the system boundary; the operational environment; how the security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.

NIST SP 800-171, Rev. 1 at 9 (emphasis added).

On September 19, 2017, DoD issued a memorandum entitled “Implementation of DFARS Clause 252.204-7012,” which provides guidance to DoD acquisition professionals. The guidance acknowledged that a contractor could meet the contractual obligations to comply with NIST SP 800-171 by either fully implementing the security requirements outlined in NIST SP 800-171 Revision 1 and documenting such full implementation in its System Security Plan / Plan of Action, OR by implementing all the NIST SP 800-171 Revision 1 security requirements it could and carefully documenting in the contractor’s System Security Plan and Plan of Action, what requirements were implemented, how any unimplemented security requirements would be met, and how any planned mitigations would be implemented:

To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017 implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.

“Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” by Shay D. Assad, Director, Defense Pricing/Defense Procurement and Acquisition Policy, dated Sept. 21, 2017, at pg. 3, available at: (hereinafter “Assad memorandum”)

As noted above, there is no required format for a System Security Plan or Plan of Action, and they may be created as separate or combined documents.

The goal of this template is to provide government contractors with a single combined document that can be used in conjunction with NIST’s Self-Assessment Handbook to: (1) document compliance with the 110 security requirements outlined in NIST SP 800-171 (i.e., create a “Security Assessment Report”), and (2) create a “System Security Plan” and “Plan of Action” which specify how the NIST SP 800-171 security requirements are implemented; how and when any unimplemented security requirements will be met; how any planned mitigations will be implemented; and how and when the contractor will correct deficiencies and reduce or eliminate vulnerabilities. By completing this template in conjunction with NIST’s Self-Assessment Handbook, defense contractors will create a combination Security Assessment Report, System Security Plan and Plan of Action in a single document that can be used to establish compliance with NIST SP 800-171 Revision 1.

If the template is fully completed and properly filled out, contractors may have a document that establishes compliance with the above-mentioned cybersecurity-related DFARS requirements.

As outlined in this template’s Disclaimer, GTPAC makes no claims that use of this template will absolutely ensure compliance with or satisfy the regulatory requirements of the DoD, the associated DFARS clauses mentioned above, or the security requirements outlined in NIST SP 800-171 Revision 1. Compliance with these requirements can only be achieved through the proper implementation of the required security requirements and policies and by drafting an adequate System Security Plan and Plan of Action. Further, the contractor should understand that merely meeting the minimum requirements of NIST SP 800-171 Revision 1 may not be enough to satisfy the DoD or other federal agencies when they conduct a risk assessment or evaluation of the contractor’s security. The entire purpose of requiring a “System Security Plan” and “Plan of Action” is to provide DoD with information it can use to evaluate the overall risk posed by a current or potential DoD contractor. DoD has indicated that it may analyze “a company’s system security plan and associated plans of action to evaluate the overall risk introduced” by the contractor’s internal information system/network. (Assad Memorandum at 4.) Indeed, it is important that contractors, when filling out this template, provide as complete and detailed information as possible, as this document, once filled out, could be requested by the DoD to evaluate risk as part of the source selection process. (Assad Memorandum at 4-5.)

GTPAC hopes that providing this template will make the process of drafting a System Security Plan and Plan of Action easier. However, it is ultimately up to the contractor to ensure that its implementation of the aforementioned requirements, controls, policies and documentation is adequate and that all legal and regulatory requirements have been met. Georgia Tech is not responsible for any liabilities or damages that may result from the use of this template, and the contractor assumes the risk that the use of this template may not meet all legal and regulatory requirements related to cybersecurity.

3.2. Intended Audience

This document is designed to be used by those responsible for managing the security and compliance of covered contractor information systems, and those who supply products and services to the DoD who must ensure “adequate security” by implementing NIST SP 800-171 Revision 1. These individuals may include those with system development life cycle responsibilities (e.g. program managers, business owners, system designers, developers, system administrators, and engineers) and individuals with security or risk management oversight responsibilities (e.g. chief information officers, chief information security officers, information security managers). Other individuals who may find this document useful include compliance officers, auditors, assessors and independent security consultants who are hired by a government contractor to provide security compliance assistance.

This template mentions official DoD policies and regulations related to cybersecurity. Such mention is public domain and does not constitute any policy statement by GTPAC or the DoD. GTPAC does not make or set procurement policy and makes no claims that the use of this template will satisfy the regulatory requirements of the DoD. All matters relating to the DFARS should be directed to the DoD.

3.3. Instructions on How to Utilize This Template

This template is designed to be used in conjunction with the NIST MEP Cybersecurity Self-Assessment Handbook (the “Handbook”), which was developed and published by NIST MEP. While the intended audience of the Handbook is manufacturers, it can be utilized by any DoD government contractor for conducting an assessment against the NIST SP 800-171 security requirements. The Handbook can be downloaded in full at:

The goal of this TEMPLATE is to assist defense contractors in documenting their compliance with NIST 800-171, and developing a System Security Plan and Plan of Action, which is required by DFARS clause 252.204-7012 to be in place by December 31, 2017.

After the Handbook and this Template have been downloaded, four steps must generally be taken by the defense contractor:

Step 1: In the TEMPLATE, the contractor should fill out Section 4.1 below, the Company Profile portion. This will provide some general information about the defense contractor, including the Contractor’s Name, Point of Contact, Address, Telephone, Fax, Email, and other general information about the Contractor and their line of business. The Contractor is free to provide additional information if they so desire.

Step 2: In the TEMPLATE, the contractor should fill out the “General Overview of the System” portion at Section 4.2 below. This provides basic System Security Plan information about the covered information system at issue and describes, as required by NIST SP 800-171 Revision 1: (1) the system boundary; (2) the operational environment; and (3) the relationship with or connections to other systems. While a System Security Plan should also include information regarding “how the security requirements are implemented,” this information is provided later on when answering the “System Security Plan and Plan of Action Questions” in Step 4.

Step 3: The Contractor should use the NIST MEP Handbook to conduct an assessment of their covered contractor information system and document the results of their assessment for each control in Section 4.3 of the TEMPLATE below. As noted above, the Handbook provides a step-by-step guide to assessing a defense contractor’s information system against the security requirements in NIST SP 800-171. Section 3.4 of the TEMPLATE provides information on how NIST 800-171 Revision 1 security control compliance will be documented and organized in the TEMPLATE in Section 4.3. While you will use the Handbook to conduct the assessment, the results of the assessment will be marked, recorded, and documented for each of the 110 controls in Section 4.3 for each requirement. Specifically, contractors will indicate in the TEMPLATE below regarding each requirement whether:

  • Your company fully meets the security requirement (“YES”)
  • Your company does not meet the security requirement (“NO”)
  • Your company partially meets the security requirement (“Partially”)
  • The security requirement does not apply to the company’s environment (“Does Not Apply”) or;
  • The company has taken an alternative but equally effective approach to meeting the security requirement (“Alternative Approach”).

This documentation in the TEMPLATE regarding what requirements are met or not met is sometimes called a “Security Assessment Report,” as it includes the information from assessors necessary to determine what security controls are implemented or not implemented. This documentation provides important information to company management and government officials regarding what NIST SP 800-171 controls are met, what controls are not met, and the system’s overall cybersecurity risk. The results of a security assessment ultimately influence security control implementation and the content of the respective System Security Plans and Plans of Action.

Step 4: Finally, in the TEMPLATE, either during the course of the assessment (or shortly thereafter), the Contractor must provide detailed answers to the “System Security Plan and Plan of Action Questions” for each security requirement listed in Section 4.3 below. As noted earlier, NIST SP 800-171 Revision 1 requires that contractors describe in a System Security Plan “how the specified security requirements are met” and “how organizations plan to meet the requirements.” NIST SP 800-171 at pg. 9. Contractors are also required to develop “plans of action” that describe “how any unimplemented security requirements will be met and how any planned mitigations will be implemented.” NIST SP 800-171 at pg. 9. NIST SP 800-171 Revision 1 allows a System Security Plan and Plan of Action to be documented in a combined manner. NIST SP 800-171 at pg. 9.

We have designed the “System Security Plan and Plan of Action Questions” in Section 4.3 below to elicit from the Contractor this required information. Therefore, if the Contractor fully and precisely answers the questions for each security requirement, they may achieve compliance. In short, contractors should review each requirement listed in Section 4.3, and answer the “Security Plan and Plan of Action Questions” accordingly. By answering the questions and providing the required information for each requirement, contractors will be creating with their answers the required “System Security Plan” and “Plan of Action” needed to achieve compliance by December 31, 2017.

Once each of these four steps is complete, the result will be a single universal document that, if filled out comprehensively and correctly, may meet the NIST SP 800-171 Revision 1 requirements.

Specifically, a completely filled out Section 4.0 thru 4.3 of the Template will result in the creation of:

  • A Security Assessment Report of what NIST SP 800-171 Revision 1 security controls have been implemented or met;
  • A System Security Plan that details the system boundary, the operational environment, the relationships with or connections to other systems, and how the security requirements are implemented or how the contractor plans to meet these requirements; and
  • A Plan of Action that describes how any unimplemented security requirements will be met and how any planned mitigations will be implemented.

Ultimately, the completion of Section 4.0 thru 4.3 of the TEMPLATE using the four steps above should result in achieving NIST SP 800-171 Revision 1 compliance, even if the defense contractor has not necessarily implemented all of the 110 security requirements outlined in NIST SP 800-171 Revision 1.

While full implementation of the 110 security requirements outlined in NIST SP 800-171 Revision 1 may not be necessary so long as the contractor has adequately filled out Sections 4.0 through 4.3 of the TEMPLATE, contractors should be aware that NIST SP 800-171 compliance could become a competitive discriminator, especially when it comes to DoD projects involving sensitive information.