1. System Information

2. Organization Information

Key Personnel

3. System Environment

Component Type | Manufacturer | Model | Function/Purpose
Software Name | Version | Vendor | Function/Purpose

Upload system architecture diagram or network diagram

Note: This document is meant to be self-contained. While you can reference external diagrams here, consider including key diagrams directly in the SSP.

4. System Interconnections

Connected System Name | Organization | Connection Type | Direction | Information Exchanged / Purpose
Agreement Type | Connected System | Date Signed | Notes

5. Security Controls Implementation

This section documents the implementation of NIST SP 800-171 security requirements. For each control family, describe how the requirements are implemented, including specific technical configurations, procedures, or other mechanisms.

Access Control (3.1)

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Status: Not Implemented
This requirement ensures that only authenticated and authorized entities can access your systems. Implement user authentication, role-based access controls, and device authentication mechanisms.
3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Status: Not Implemented
Beyond just controlling who can access systems, this requirement focuses on what specific actions those users can perform once logged in. This is often called "least privilege" - users should only have the minimum permissions needed to do their jobs.

Awareness and Training (3.2)

3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Status: Not Implemented
This requirement establishes that all personnel must be informed about security risks relevant to their roles and the policies and procedures they need to follow to mitigate those risks.

Audit and Accountability (3.3)

3.3.1 Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
Status: Not Implemented
Organizations must generate audit logs that capture significant system events, securely store these logs, and retain them long enough to support security investigations and compliance requirements.

Configuration Management (3.4)

Identification and Authentication (3.5)

Incident Response (3.6)

Maintenance (3.7)

Media Protection (3.8)

Personnel Security (3.9)

Physical Protection (3.10)

Risk Assessment (3.11)

Security Assessment (3.12)

System and Communications Protection (3.13)

System and Information Integrity (3.14)

6. Supporting Documentation

Document Name | Version/Date | Document Type | Description/Purpose

List evidence that demonstrates implementation of security controls (e.g., screenshots, configuration files, audit logs, training records).

Evidence Name | Control Reference | Date | Description
Control Reference | Risk Description | Risk Level | Approver | Expiration Date | Justification

7. Approval & Signatures

Authorizing Signatures

Name will appear here
Title will appear here
Date: ______________
Name will appear here
Title will appear here
Date: ______________
Name will appear here
Title will appear here
Date: ______________