A System Security Plan (SSP) is required for all IT systems hosted at a contractor or subcontractor facility. A contractor system is defined as a general support system or application hosted or maintained by contractor staff. When a system security plan is required, contractors must follow NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems. NCI has developed templates, available on this website, for both NCI-hosted systems supported by contractors and contractor-hosted systems. Please use the appropriate template for your situation.
This rule applies equally to conventionally hosted systems and to cloud-hosted systems. The additional requirement for all cloud-hosted systems is that the FISMA package must also include evidence that the cloud service provider has received FedRAMP provisional authorization. For more information on FedRAMP, review the GSA's FedRAMP page.