CMMC / NIST System Security Plan

As a software guy, this is a bit out of my comfort zone.

We are starting to create a System Security Plan here to get through the levels of CMMC/NIST. Is there anyone out there that could get me headed in the right direction? We don’t have things documented, but we do follow best practices for a small company. I have spent a few hours googling and my mind is spinning, and now I feel like a ship without a rudder.

Does anyone have experience with this process? Would you be willing to share your experience and maybe a starting point for what an SSP should look like?

I feel your pain @knash! I’ve been dealing with NIST for about three years and now CMMC. We used the NIST SSP template to create our SSP for each major system (CAD, Epicor, Backups, File Shares, and Email). CUI-SSP-Template-final (2).docx (70.3 KB)

If you need an example, I might be able to sanitize our Epicor SSP.

I’ve been working with a security consultant who’s been great, and he has created a CMMC specific website that you might find helpful.

I’d recommend finding a consultant that specializes in NIST 800-171/CMMC. We have to follow NIST/CMMC as well, and we use an outside security consultant for it.