NIST 800-171 System Security Plan (SSP) Template   

ComplianceForge developed an editable System Security Plan (SSP) template that is specifically designed for NIST 800-171 compliance.

It is important to understand that there is no officially-sanctioned format for a System Security Plan (SSP) to meet NIST 800-171 compliance requirements. Therefore, the SSP from ComplianceForge is based on existing formats that are used for FedRAMP, but is designed specifically for NIST 800-171 to document the controls affecting your Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls. The SSP is meant to be a "living document" that addresses the who, what, why, when, where, who and how of a security program.


The SSP can serve as a key element in your organization's cybersecurity program. This template is based on SSP requirements that are used for other US government compliance requirements for SSPs, but it is tailored to document the entire Controlled Unclassified Information (CUI) environment for an organization.


2019 - NIST 800-171 System Security Plan

A key concept to keep in mind with the SSP is that it should be complete enough for a reasonable person to pick up, read through and understand the following information:

  • The definition of CUI, in regards to the company’s operations. This is how CUI is defined in contracts.

  • Where CUI is stored, transmitted or processed.

  • What controls are in place to protect CUI as it is stored, transmitted and processed.

  • Any deficiencies that exist in protecting CUI, if applicable.

  • Remediation plans address known deficiencies, if applicable.

   NIST 800-171 Plan of Action & Milestones (POA&M) Template   

At no additional cost, your purchase of the System Security Plan (SSP) template comes with a Microsoft Excel template for a Plan of Action and Milestones (POA&M) that is editable for your needs.


2019 - NIST 800-171 Plan of Action & Mil