1. Document Control & Metadata
| Field | Value |
|---|---|
| Document Title | System Security Plan - ACME Technology Services Corporation |
| Document Version | 1.0 |
| Classification | Controlled Unclassified Information (CUI) |
| Prepared By | Raymond Lawrence, Chief Information Security Officer |
| Review Date | June 15, 2025 |
| Next Review Date | June 15, 2026 |
| Approval Authority | Chief Executive Officer |
Document Purpose
This System Security Plan (SSP) serves as the foundational document for CMMC 2.0 Level 2 compliance, providing a comprehensive blueprint of ACME Technology Services Corporation's cybersecurity posture. It documents how the organization implements security requirements outlined in NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The SSP is a living document that must be reviewed and updated annually or when significant changes occur to the security environment. It serves as the primary evidence document that CMMC assessors will review during certification evaluations.
2. System Description & Overview
Organization Overview
Company Name: ACME Technology Services Corporation
Location: El Paso, Texas
Business Type: Medium-sized defense contractor
Employee Count: 64 employees
Primary Mission: Supporting the U.S. Army by providing uniform and textile logistics services
Facility Description: Connected office complex and warehouse with both physical and cloud-based data storage environments
System Purpose and Function
ACME's information system supports critical defense logistics operations including:
- Contract management and coordination
- CUI data processing and storage
- Supply chain management
- Financial and administrative operations
- Communication with DoD stakeholders
System Classification
CMMC Level Required: Level 2 (Advanced)
Data Types Processed:
- Controlled Unclassified Information (CUI)
- Federal Contract Information (FCI)
- Contract specifications and technical data
- Financial and procurement data
3. System Boundaries & Assessment Scope
CMMC Assessment Scope Definition
The CMMC assessment scope for ACME Technology Services Corporation includes all systems, networks, and facilities that process, store, or transmit CUI and FCI. The scope is defined by the data flow boundaries and includes the following key areas:
In-Scope Systems
CUI Processing Systems
- Primary Data Server (CUI-001)
- Azure Cloud Backup (CUI-002)
- Contract Coordinator Workstations (CUI-003 to CUI-005)
- CISO Management Workstation (CUI-006)
- Secure File Server (CUI-007)
Security Protection Assets
- Enterprise Firewall (SPA-001)
- VPN Gateway (SPA-002)
- Endpoint Protection System (SPA-004)
- SIEM/Log Management (SPA-005)
- Badge Access Control System (SPA-006)
Network Infrastructure
- Core network switches
- Wireless access points (secure)
- Active Directory domain controllers
- DNS and DHCP servers
Out-of-Scope Systems
The following systems are explicitly excluded from the CMMC assessment scope as they do not process, store, or transmit CUI:
- Employee personal laptops (OOS-001)
- HR systems processing only employee data (OOS-002)
- Marketing systems (OOS-003)
- Break room guest Wi-Fi network (OOS-004)
- Facility management laptops (OOS-005)
4. Environment of Operation
Physical Environment
Primary Facility: El Paso, Texas headquarters
Facility Type: Connected office complex and warehouse
Physical Security: Badge access control system implemented across all controlled spaces
Environmental Controls: HVAC systems with dedicated control network, fire suppression systems
Technical Environment
Network Architecture: Segmented network with clearly defined zones
Cloud Services: Microsoft Azure and Amazon Web Services for backup and certain operations
Operating Systems: Windows-based environment with Active Directory
Encryption Standards: FIPS 140-2 validated encryption for all CUI access
Operational Environment
Business Hours: Monday-Friday, 7:00 AM - 6:00 PM CST
Remote Access: Authorized personnel via VPN gateway with multi-factor authentication
Maintenance Windows: Saturdays 6:00 PM - 8:00 PM CST
Backup Schedule: Daily incremental, weekly full backups to encrypted cloud storage
5. Roles & Responsibilities
| Role | Personnel | Responsibilities | Contact |
|---|---|---|---|
| System Owner | Chief Executive Officer | Overall accountability for system security, budget approval, policy oversight | ceo@acmetech.gov |
| Information System Security Officer (ISSO) | Raymond Lawrence | Daily security operations, incident response, compliance monitoring, CMMC coordination | rlawrence@acmetech.gov |
| System Administrator | IT Operations Team Lead | System maintenance, user account management, backup operations, patch management | itops@acmetech.gov |
| Network Administrator | Network Operations Team Lead | Network security, firewall management, VPN administration, network monitoring | netops@acmetech.gov |
| Information Owner | Contract Operations Manager | CUI classification, access authorization, data handling procedures | contracts@acmetech.gov |
6. Security Controls Implementation
NIST SP 800-171 Controls Summary
ACME Technology Services Corporation implements all 110 security controls from NIST SP 800-171 Rev 2 as required for CMMC Level 2 certification. The controls are organized into 14 families as follows:
| Control Family | Control Count | Implementation Status | Compliance Score |
|---|---|---|---|
| Access Control (AC) | 22 | Fully Implemented | 100% |
| Awareness and Training (AT) | 2 | Fully Implemented | 100% |
| Audit and Accountability (AU) | 12 | Fully Implemented | 100% |
| Configuration Management (CM) | 11 | Partially Implemented | 95% |
| Identification and Authentication (IA) | 11 | Fully Implemented | 100% |
| Incident Response (IR) | 3 | Fully Implemented | 100% |
| Maintenance (MA) | 6 | Fully Implemented | 100% |
| Media Protection (MP) | 8 | Fully Implemented | 100% |
| Personnel Security (PS) | 2 | Fully Implemented | 100% |
| Physical and Environmental Protection (PE) | 6 | Fully Implemented | 100% |
| Risk Assessment (RA) | 3 | Fully Implemented | 100% |
| Security Assessment and Authorization (CA) | 9 | Fully Implemented | 100% |
| System and Communications Protection (SC) | 23 | Fully Implemented | 100% |
| System and Information Integrity (SI) | 7 | Fully Implemented | 100% |
Key Control Implementation Details
AC.L2-3.1.1 - Access Control Policy and Procedures
Implementation: ACME has implemented comprehensive access control policies and procedures that are reviewed annually and approved by the CISO. Role-based access control (RBAC) is enforced through Active Directory with least privilege principles.
Evidence: Access Control Policy v2.1, Role-Based Access Matrix, Quarterly Access Reviews
SC.L2-3.13.8 - FIPS-Validated Cryptography
Implementation: All encryption for CUI protection uses FIPS 140-2 validated cryptographic modules. This includes data at rest, data in transit, and remote access sessions.
Evidence: Cryptographic Standards Document, FIPS 140-2 Certificates, Encryption Configuration Baselines
7. Asset Inventory & Categorization
CUI Assets
| Asset ID | Asset Name | Type | Location | Owner | Classification |
|---|---|---|---|---|---|
| CUI-001 | Primary Data Server | Physical Server | Data Center | IT Operations | CUI |
| CUI-002 | Azure Cloud Backup | Cloud Service | Microsoft Azure | IT Operations | CUI |
| CUI-003 | Contract Coordinator Workstation 1 | Laptop | Office Complex | Contract Operations | CUI |
| CUI-004 | Contract Coordinator Workstation 2 | Laptop | Office Complex | Contract Operations | CUI |
| CUI-005 | Contract Coordinator Workstation 3 | Laptop | Office Complex | Contract Operations | CUI |
| CUI-006 | CISO Management Workstation | Desktop | Security Office | CISO | CUI |
| CUI-007 | Secure File Server | Physical Server | Data Center | IT Operations | CUI |
8. Network Architecture & Segmentation
Network Segmentation Overview
ACME Network Architecture
CUI Zone: Secure access to servers, cloud backups, and contract management systems
Management Zone: Administrative and IT operations
Guest Network: Isolated from internal systems with no CUI access
OT Network: Dedicated to building control systems (HVAC, physical security)
Network Components
| Component | Purpose | Security Controls | VLAN/Subnet |
|---|---|---|---|
| Enterprise Firewall | Network perimeter security | Deep packet inspection, IPS, application filtering | DMZ |
| VPN Gateway | Secure remote access | IPSec, SSL VPN, MFA integration | DMZ |
| Core Switch | Network distribution | VLAN segmentation, port security | Management VLAN |
| Wireless Access Points | Secure wireless connectivity | WPA3, 802.1X authentication | CUI VLAN 10 |
9. Risk Assessment & Management
Risk Assessment Summary
ACME Technology Services Corporation conducts comprehensive risk assessments annually and whenever significant changes occur to the system. The risk assessment process follows NIST SP 800-30 guidance and identifies threats, vulnerabilities, and impacts to CUI and system operations.
Identified Risks and Mitigations
| Risk ID | Risk Description | Likelihood | Impact | Risk Level | Mitigation |
|---|---|---|---|---|---|
| RISK-001 | Unauthorized access to CUI through compromised credentials | Medium | High | Medium | Multi-factor authentication, privileged access management |
| RISK-002 | Data loss through ransomware attack | Medium | High | Medium | Endpoint protection, network segmentation, offline backups |
| RISK-003 | Physical breach of data center | Low | High | Low | Badge access control, surveillance systems, security guards |
10. Plan of Action & Milestones (POA&M)
Current POA&M Items
The following items represent identified gaps or weaknesses that are being addressed through planned remediation activities. All POA&M items must be resolved within 180 days to maintain CMMC Level 2 certification.
| POA&M ID | Control | Weakness | Planned Action | Responsible Party | Target Date | Status |
|---|---|---|---|---|---|---|
| POA-001 | CM.L2-3.4.8 | Configuration baseline documentation needs updates for warehouse systems | Complete comprehensive configuration baseline documentation | IT Operations Team | September 15, 2025 | In Progress |
Continuous Monitoring Program
ACME maintains a continuous monitoring program that includes:
- Monthly vulnerability assessments
- Quarterly access reviews
- Annual security control assessments
- Real-time security monitoring through SIEM
- Annual SSP reviews and updates