Guidelines for an SSP and POAM
Guidelines and best practices for creating a System Security Plan (SSP) and a Plan of Action and Milestones (POAM) are difficult to find, and some of them take a lot of time to work through. This article on this site, 3.12.4 Develop, document, periodically update, and implement system security plans, provides a number of resources and sample SSPs.
The most recent guidance from NIST for these documents is the following pair of templates:
CUI SSP template (Word)
CUI Plan of Action template (Word)
The Exostar Partner Information Manager (PIM) form covers much of the content required in section 3 of the SSP template and can be used as a starting point for that document.
Getting Started for Small Businesses
The full NIST 800-171 set of controls can be daunting for small businesses that do not yet have a mature security program. The following resources provide guidance on, and priorities for, basic security controls.
NIST publishes a widely used report, "Small Business Information Security: The Fundamentals" (NIST Interagency Report NISTIR 7621R1). The report is written for small business owners with little cybersecurity expertise and lays out the basic steps needed to protect their information systems.
For UK small businesses, the gov.uk site provides the guidance Cyber Security: Advice for Small Businesses. It explains the threat from cyber-attack and shows how you can protect your business.
NIST SP 800-171A Control Assessment Guidance
On November 28th 2017, NIST released a draft of SP 800-171A ("Assessing Security Requirements for Controlled Unclassified Information"). SP 800-171A provides a consistent assessment process and additional explanation for each of the 110 requirements. Each control is accompanied by a statement of "Assessment Objective," a discussion of "Potential Assessment Methods and Objects," and a reference to "Supplemental Guidance". It is a very useful document because it provides much more detail for each control.
NIST MEP Cybersecurity Self-Assessment Handbook
Another document that helps in understanding individual controls, because it describes how each one can be assessed, is the NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.