A System Security Plan (SSP) describes the security controls that are in use, or planned for use, to protect all aspects of the system. The SSP contains only control compliance descriptions. At this stage, no testing is conducted to evaluate the effectiveness of the controls. The SSP is mostly completed through interviews.
The following terms are used to describe the status of each recommended security control in the SSP:
Implemented/In Place
Partially Implemented
Planned
Inherited
Not Applicable
Not Implemented
The SSP contains two major sections:
System section: description, categorization, E-authentication, system diagram
Security control section: describes the status of each recommended control