SSP Builder

Organization name, system name, system owner, authorization boundary, system description, operating environment

Hardware, software, network topology, interconnections, cloud services, data flows

User roles, access levels, authentication methods, privileged users, external users

Types of CUI processed, stored, or transmitted; data classification; handling requirements

How each NIST 800-171 requirement is implemented, by domain

Deficiencies identified, remediation plans, responsible parties, target dates

22 practices · Limit system access to authorized users, processes, and devices

3 practices · Ensure personnel are aware of security risks and trained

9 practices · Create and retain system audit logs

9 practices · Establish and maintain baseline configurations

11 practices · Identify and authenticate system users and devices

3 practices · Establish operational incident-handling capability

6 practices · Perform maintenance on organizational systems

9 practices · Protect system media containing CUI

6 practices · Limit physical access to organizational systems

2 practices · Screen individuals prior to authorizing access

3 practices · Periodically assess risk to organizational operations

4 practices · Periodically assess security controls

16 practices · Monitor, control, and protect communications

7 practices · Identify, report, and correct information system flaws