NIST 800-171 System Security Plan (SSP) Template   

ComplianceForge developed an editable System Security Plan (SSP) template that is specifically designed for NIST 800-171 compliance.

It is important to understand that there is no officially-sanctioned format for a System Security Plan (SSP) to meet NIST 800-171 compliance requirements. Therefore, the SSP from ComplianceForge is based on existing formats that are used for FedRAMP, but is designed specifically for NIST 800-171 to document the controls affecting your Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls. The SSP is meant to be a "living document" that addresses the who, what, why, when, where, who and how of a security program.


The SSP can serve as a key element in your organization's cybersecurity program. This template is based on SSP requirements that are used for other US government compliance requirements for SSPs, but it is tailored to document the entire Controlled Unclassified Information (CUI) environment for an organization.


2019 - NIST 800-171 System Security Plan

A key concept to keep in mind with the SSP is that it should be complete enough for a reasonable person to pick up, read through and understand the following information:

  • The definition of CUI, in regards to the company’s operations. This is how CUI is defined in contracts.

  • Where CUI is stored, transmitted or processed.

  • What controls are in place to protect CUI as it is stored, transmitted and processed.

  • Any deficiencies that exist in protecting CUI, if applicable.

  • Remediation plans address known deficiencies, if applicable.

   NIST 800-171 Plan of Action & Milestones (POA&M) Template   

At no additional cost, your purchase of the System Security Plan (SSP) template comes with a Microsoft Excel template for a Plan of Action and Milestones (POA&M) that is editable for your needs.


2019 - NIST 800-171 Plan of Action & Mil

© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

  • LinkedIn Social Icon
  • Facebook Social Icon
  • Google+ Social Icon