As a software guy, this is a bit out of my comfort zone.
We are starting to create a System Security Plan here to get through the levels of CMMC/NIST. Is there anyone out there that could get me headed in the right direction? We don’t have things documented, but we do follow best practices for a small company. I have spent a few hours googling and my mind is spinning, and now I feel like a ship without a rudder.
Does anyone have experience with this process? Would you be willing to share your experience and maybe a starting point for what an SSP should look like?